Information Security Group
|
Business Continuity Management > Business Recovery Exercise

Business Recovery Exercise

A business recovery exercise is conducted by the respective project / function manager. The business recovery exercise enables the project / function manager to examine the capability of the continuity of business plan. The exercise enables the project / function manager to test the Memorandum of Understanding (MOU) for IT Services, Facilities services and other dependencies. This ensures that the Project / Function has the ability to meet the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) to meet Availability targets and requirements. Suppliers responsiveness is an integral component of testing to examine the capability of the supplier to support recovery aligned to SLA and Recovery Time Objectives as well as Recovery Point Objectives set.

The strength of the continuity plan documented can be asertained when tested.

  1. To utilize the documented plan and the vital records as available
  2. Check steps as documented Vs the steps taken respond.
  3. Checks the working of the continuity plan when subjected to a crisis scenario, business disruptive event within the crisis scenario and plausible events which are specific to the project or / and function

The engagement in this exercise includes the below agencies.

  1. All relevant stakeholders, associates in the team.
  2. Customer contacts, supplier/s, partner/s end dependencies as documented in the continuity of business plan.
  3. Services both internal, external, direct and indirect essential for response, recovery of important business activities.

Important Things to Remember in Drills / Tests / Exercises

  1. Participating in drills, tests, exercises is a team building activity. People managers must encourage their team members to participate actively.
  2. A business continuity plan only when tested provides an assurance of its capability to enable the purpose of continuous operations.
  3. There can be no claim of being able to respond and recover if the test results do not prove so or we do not have test results to exhibit.
  4. The project manager steers this effort for the project, the function head for the function. The Plan rep , DR Rep , Function Rep, Location Rep engage to support the Project, Functions and bridge the success.
  5. Global business continuity team supports the entire end to end process through Mechanized Tools, Checkpoints, ENS, POSTMAN distributed notification and alerting systems.
  6. People safety, wellness is paramount and Calltree responses are critical and vital for the organization.
  7. Data restore, system rebuild, fail over are important elements to check in the integrated business recovery exercises.
  8. Risk officers, Compliance Leads, Assurance auditors and leads are observers.
  9. Learning and recording risks , gaps and corrections required in continuity plans and memorandum of understanding for support services is vital and essential.
  10. Suppliers, Customers, Partners who provide direct, indirect internal or external support are engaged in the test to check continuity practices are followed to meet the Recovery Time Objectives.

Phases of the exercise

The exercise is divided into the below parts which ensures the adequacy is maintained for the right continuity posture.

Prepare – for the exercise

The following are the activities which must be executed in order to prepare for the planned exercise.

The plan owner (Project Manager, Function Manager ) must ensure the following activities.

  1. Ensure that the business continuity plan in LIGHTHOUSE is complete and adequate.
  2. Generate a copy of the Project Roll Up plan and read.
  3. Engage the team to browse through the plan as a reading in a team meeting.
  4. Ensure that all the direct and indirect dependencies are listed, contact details are available and Memorandum of Understanding as signed up are available for activation with support teams, customer contacts, partners in the exercise.
  5. Ensure team members are aware of the strategies, models as well as a common principle of listening, responding on time, and participating actively in the complete exercise.
  6. Ensure the team is well informed to be successful in the activity.

During the exercise

There are a set of activities which must be performed during the exercise.

INIT – Phase

In this phase the exercise is initiated like in every other potential or real crisis scenario and facilitates the project manager to get into action.

  1. The mechanized call tree will be triggered through ENS (Emergency Notification System – calltree@techmahindra.com ).
  2. The project manager post response to the call tree engages his core team members and assesses the business impact.
  3. The project manager seeks guidance if required from the project management team member.
  4. The business impact analysis for the day is conducted considering work items in queue and plan for the day.
  5. Associates are notified to initiate the business recovery exercise which is none other than work for the day in a event recovery mode as the mind set.
  6. Customer contact is notified around exercise initiation as per the continuity plan documentation.
  7. Suppliers, partners and internal teams are notified by the project manager for being on standby in case of any dependency needs for the day.
  8. Associates are further notified that recovery strategies documented for the day are activated – this would mean work from home, work across split teams, work from office or any other strategy in place.
  9. As teams are working in HYBRID mode most strategies will be in play as a natural activity – intensive monitoring is the upgraded posture during crisis and exercising over the normal monitoring of any other business day.
  10. Respond to the INIT check point as well as track team members to provide their responses ensuring quick turnaround time.
    REMEMBER: Engage in referring to your plan, check your data in Lighthouse, update your plan in Lighthouse across the exercise.

MID-WAY – Phase

In this phase the exercise is in progress like in every other potential or real crisis scenario however there are a few intensive monitoring actions below over and above the other activities in play.

  1. Monitor service tickets registered to meet the recovery time objectives and agreed SLA during the event / exercise in the MOU and continuity of business plan.
  2. Monitor uptime and service tickets logged with the suppliers, partners, customer contacts for dependencies on their end.
  3. Provide progress updates to all relevant stakeholders.
  4. Monitor teamwork in progress for drops in SLA, Contractual requirements, Delivery schedules.
  5. Monitor team wellness as well as availability and responsiveness to the MID-WAY check points.
  6. Identify learning from the INIT phase until the MID-WAY phase.
  7. Check continuity of plan documentation and mark changes required in terms of RTO, RPO, Head count, Contingency Head Count, Missed Dependencies as Notes.
  8. Encourage team members to contribute to the learning.
  9. REMEMBER: Check your plan, update your plan in Lighthouse across the exercise.

TERMINAL – Phase

In this phase the exercise window comes to an end like in every other potential or real crisis scenario and it is time to document finding, learning, risks, and action plan.

  1. Identify gaps in the continuity of business plan documentation.
  2. Check if the service tickets logged in as a natural process were resolved within the SLA.
  3. Check what work items have not been delivered due to service disruptions.
  4. Check work items which are delayed due to supplier, customer, partner, internal support team turnaround time.
  5. Document learning as a list of items.
  6. Register the risks of availability as risk identified in the project risk register.
  7. Input the risk treatment plan of action with the beginning date - ending date can be discussed.
  8. Set up time with the team for an After-Action Review.
  9. Engage the Compliance lead, audit team and other relevant teams.
  10. Ensure that the Terminal Check Point is responded by all team members.
  11. Update the results in Lighthouse exercise record for the schedule id you engaged for the exercise.
  12. Encourage team members to contribute to the meetings, calls and documentation process of learnings.

After the Exercise

In this phase the after-action report discussion, convergence and action plan conversations are executed.

Multiple stakeholders who play the role of facilitators, action takers, mitigation advisors, analysts engage with the respective exercise owner.

  1. A debrief session is conducted.
  2. Learnings are shared.
  3. A round table for contributions from every stakeholder is an emphasis.
  4. Activity plan is created.
  5. Risks are identified and recorded.
  6. Risk Treatment plans are documented.
  7. Owners are identified.
  8. Tracking meeting schedules are set up.
  9. Actions are tracked and reported to the Executive Management & Board.

Navigation of Tests / Drills Schedules and Entering Drill / Exercise Results

How do I view the test / drills / exercise schedules ?

The navigation is provided below for necessary access and action

TWINGO=>INFORMATION SECURITY=>DASHBOARD and choose the drop down option Drill Schedule => Select Customer Group ID =>Check for Completed status for Drill Status in the Table on screen


Exercise Results Input in LIGHTHOUSE

How do I navigate to input the drill / test / exercise results ?

The navigation is provided below for necessary access and action

TWINGO=>INFORMATION SECURITY=>DASHBOARD and choose the drop down option ENER Drill Result => Select Customer Group ID =>Select the Schedule ID to enter the drill results and complete the action in Lighthouse

Business Recovery Exercise Oversight Observatory


Lighthouse, Testing, Crisis Management First Point Contact :

Name Email Address
Global Business Continuity & Resilience Team Shivani, Javed, Shahid, Jayesh, Harsha GlobalBusinessContinuity@techmahindra.com
Copyright © Tech Mahindra Limited. All Rights Reserved