Testing Business Continuity Plans

Testing a Business Continuity Plan (Plan) confirms whether the Plan is actionable and appropriate. It also ensures staff are trained in their responsibilities and understand what will happen in a disruptive event.

Types of tests

Type 1: Walkthrough self-assessment
Discussion stepping participants through each part of the Plan during development, review or an update
- Allows a step-by-step review and discussion of the content and layout of the Plan
- Ensures key area managers’ awareness and understanding of the Plan
- Provides an early opportunity to identify and correct oversights or discrepancies
- Is easy to conduct and is not time consuming
- Doesn’t assess the effectiveness of response and recovery activities

Type 2: Supervised walkthrough
Facilitated discussion using a scenario to test the Plan
- Uses a mock scenario to allow staff to discuss actions, responsibilities and decisions that they would take when activating a Plan
- Checks the contents of the Plan are complete, accurate and effective and identifies gaps, bottlenecks or weaknesses and where improvements can be made
- Checks resources and timeframes are appropriate for continuity responses
- Checks interdependencies with other Plans and/or organisations
- Easy to prepare and perform
- May lack realism
- Requires direct supervision by the Business Continuity Plan Coordinator

Type 3: Process or plan simulation
Plan activities performed in a simulated ‘real life’ environment
- Uses a scenario (with recovery locations and resources) to ensure the Plan is actionable
- Checks response and recovery results are effective and delivered within timeframes
- Checks communication strategies are useful, timely and accurate
- Checks resource allocations are appropriate
- Provides a ‘real life’ perspective
- May require significant resources and cause disruption to core day-to-day business
- Best conducted by a facilitator who develops a relevant and believable scenario conducted in ‘real time’ with unfolding new information throughout the scenario

Uncontrolled copy – Refer to the Department of Education, Training and Employment Policy and Procedure Register at http://ppr.det.qld.gov.au for the most current version.

Type 4: Full end-to-end simulation
Full scale test under a simulated ‘real life’ environment OR Activation of a Plan during an actual disruptive event
- Uses a scenario to enable participants to carry out the full response and recovery activities for business areas or the entire organisation
- Provides the most robust test with thorough analysis of the effectiveness of the Plan
- Checks overall recovery timeframes
- Checks the interactions between groups and interdependencies
- Activation of the Plan during an actual disruptive event is also a Type 4 test when:
  o a debrief is performed soon after the return to normal business operations
  o any issues are noted for revising and improving the Plan
- Most difficult and costly to perform as it involves closing down business activities or resources
- Requires approval of senior management and only recommended for fully mature Plans

Test Report

A Business Continuity Plan Test Report documents the outcomes of the test, lessons learned and recommendations for improvements. The Business Continuity Management Working Group reviews the reports to assist with maturing business continuity management across the department.

Maintaining Business Continuity Plans

Maintaining a Plan ensures that it remains current and ready to address any disruptive event. This is achieved by reviewing and updating the Plan:
1. quarterly for contact lists
2. at least annually
3. immediately after testing
4. when significant changes have occurred, such as:
   - addition of a new process or modification or removal of an existing process
   - changes to key personnel in the Plan
   - organisational restructures or Machinery of Government changes
   - introduction of new legislation, program or policy
   - audit recommendations
   - lessons learned from a ‘real life’ business interruption.

The date and the type of test completed are entered into the Plan’s Event Log.

TEST CHECKLIST

Check box: YES / NO

Strategy
- Do the Plan strategies address ‘All Hazards’ in a business disruption?
  1. No access to facilities
  2. No access to ICT
  3. Reduced access to people

Plan and prepare
- Are actions required that were missing in the Plan?
- Are hard and electronic copies of the Plan stored in Business Continuity Kits at appropriate, easily accessible and secure locations?
- Are Kit contents complete, up-to-date and adequate?
- Are activities and priorities clearly understood?
- Are the actions the best responses?

Continuity response actions (To activate critical business activities)
- Do actions identify who does what, when and where?
- Do ‘manual work arounds’ have a logical flow?
- Are actions practical? Are they sufficient?
- Do actions have practical timeframes (MAO)?
- Were actions successfully completed?

Recovery response actions (To resume business as usual)
- Do actions identify who does what, when and where?
- Do ‘back to business as usual’ actions have logical flow?
- Are recovery actions practical? Are they sufficient?
- Were actions successfully completed?

Interdependencies
- Have all interdependencies been adequately addressed?
- Are all staff and key departmental or regional contacts included?
- Are all contact details complete, current and accurate?

Communication
- Does the Plan address contacting staff to notify them whether they need to come to work or report to an alternate location?
- Does the Plan identify key messages and communication channels to each of the stakeholders in the event of ICT systems being unavailable?
- Does the Plan identify essential suppliers or customer contact details?

Resource requirements (People, facilities, ICT, vital records)
- Does the Plan anticipate all the resources required to support Plan activation?
- Is it clear who the Plan Coordinator should contact regarding required continuity resources?
- Are all vital records, data or resources required to implement continuity arrangements current, correct and included in the Kits?

Related plans
- Are related plans helpful and easily available?
- Are all the required related plans identified?

Testing and activation register
- Does the event log list all critical incidents or revisions that have occurred during the life of the Plan?

Test outcomes
- Was the test suitable and appropriate?
- Did participants understand the Plan?
- Did the Plan capture all roles to support activation?
- Are roles and responsibilities appropriate and current?
- Have backups been identified for all roles and responsibilities?
- Are delegations of tasks appropriate?
- Are any revisions or additions to the Plan required?
- Has responsibility for these actions been assigned?
- Has an appropriate timeframe been designated to complete the actions?
- Has a report on the test been completed?
- Has the test report been emailed to the Business Continuity Management Working Group?
- Has the Plan been updated with the results of the testing?
- Have the date and the type of test been entered into the Plan’s Event Log?
- Has the revised Plan been approved by the Plan Owner?
- Have the TRIM notes been updated to reflect approval of the revised Plan and the TRIM title of the Plan been revised to reflect the current year?