The analysis and plan development stages of the recovery effort is only the beginning. Testing and maintenance is an ongoing program of validation and updating the documentation. Testing does not create pass/fail situations. Tests (sometimes called exercises) expose the areas in the plan that need to be revisited.

To help senior management understand the importance of testing, proper communication of the risk involved in not having an adequate testing program is necessary. The best approach is to frame the discussion in terms of risk avoidance. An organization’s failure to act can be a critical point in claims against it. Recovery plan testing demonstrates the safeguarding actions taken prior to an event. Testing proves the recovery plan will work and how it can be improved, thereby raising the overall
probability of a successful recovery or reducing the time to complete recovery.

An interim move back to manual procedures for a testable recovery strategy is seldom a feasible option anymore because of the extent to which automated procedures have replaced manual procedures in the business process. With the recent trends in downsizing, the resources to move back to a manual processing mode for an interim period often do not exist. Therefore, the need to maintain the agency-mandated functions must be articulated as part of the basic vision of the testing efforts.

Testing must concentrate on high priority applications and business functions that were determined during the impact analysis. The identified losses help to justify testing because the cost of doing nothing (i.e., the cost of failure) has been determined. Also, the business impact analysis determines the recovery window, which then helps determine the appropriate strategy. It is the plan and the strategy that is being tested.

Similar to any other product, the business continuity plan must be tested before it is deemed usable or dependable enough to enable the organization to perform the critical function with alternate resources. Each time the system is updated or changed, the plan must be exercised for effectiveness. Maintenance of the business continuity plan, like any system or application, should be included in the budget as a line item in the methodology process.