Test, test and increase your Resilience: how to build your testing programme

Cyberrisk Management & Strategy


This year has been exceptionally trying for individuals, businesses and governments globally. Living and working in a crisis mode introduced an array of challenges, with some firms dealing with them better and faster than others. What is the common denominator? The answer in most cases is strong crisis reflexes, built over the years with consistent effort.

Testing is an important part of operational resilience and can take many shapes and forms, from disaster recovery testing that ensures service continuity to end-to-end crisis simulations that examine decision-making. It enables a firm to manage risk proactively, to embed its crisis management framework, and to continuously improve capabilities such as business continuity (BC), crisis management (CM), disaster recovery (DR), and cyber resilience (CR). Needless to say, training plays an important role in such a testing programme.

“Better awareness nurtures an organisational culture that embraces operational resilience and, as a result, improves the company’s preparedness to deal with adversity.”

From firm to firm, good testing programmes vary in nature, scale and complexity. Depending on how a firm is structured and what it does, testing is addressed at different organisational levels and locations, with the involvement of external parties (e.g. critical suppliers). In reality, given the limited guidance from regulators on what ‘good’ looks like, programmes are often fragmented and can cause a real headache.


Principles for creating a successful testing programme

While there is no silver bullet for creating a fit-for-purpose testing programme, we recommend following 6 guiding principles to devise one that is successful and tailored to your organisation’s needs. Following these could significantly improve the outcomes of the programme.

1. Think long term

When constructing a testing programme, it is of paramount importance to define what you want to achieve in 3 years. A focus on outcomes provides the required direction yet allows the flexibility to re-shape the testing programme each year in order to respond to change while keeping sight of the end goal. Begin with small, less complex tests, such as plan walkthroughs, and progress to highly involved, realistic crisis simulation exercises.

2. Start with threats

Every test needs to link to one or more threats, each of which results in one or several plausible major incident scenarios (and their impacts). Anticipate and understand new threats through market watch, and leverage audit reports and risk assessments when building or reviewing your programme.