Core 4.0

C-RM 2-3: Business Continuity Plan Testing

Submited by: Tom Goddard

The Basics

Your organization must test its business continuity plan ("BCP") no less frequently than every two years. Notably, the BCP test can be a tabletop exercise, which URAC defines as:
test of a Business Continuity Plan (BCP) that includes documentation of the following aspects of the test:

  • A tabletop exercise simulates an incident in an informal, stress-free environment.
  • The participants who are usually the responsible managers and the response teams gather around a table to discuss general problems and procedures in the context of an incident scenario.
  • A scenario is developed in advance, but there are no attempts to arrange elaborate facilities or communications. One or two evaluators may be selected to observe proceedings and progress toward the objectives.
  • The focus is on training and familiarization with roles, procedures, and responsibilities. There is review of the step-by-step procedures for each of the critical plan elements outlined in the BCP.
  • The success of a tabletop exercise is determined by feedback from participants and the impact this feedback has on the evaluation and revision of policies, plans, and procedures.
The only exception to this is that URAC suggests in a Leading Indicator element that you also conduct a real-life test of your back-up telecommunications situation. 
Your organization must use the results of its BCP test to address discovered issues and update processes as needed.

Management Tips

In a change from previous years, URAC will accept an actual disruption of business processes as a test of your BCP plan.
Make sure the testing requirement is written into your BCP, and that you have clear documentation of the most recent testing.

Accreditation Tips

Desktop Review
Submit the testing plan, and documentation of the tabletop test that includes participants, the scenario tested, and findings. Additionally, submit any other documentation, including policies and procedures, committee minutes, etc.
Validation Review
Interviews
The URAC reviewer will interview leadership and staff involved in the BCP testing.
Document review
The reviewer will examine documentation of the most recent test of the BCP.

  • Core 4.0 / 12.31.2018

    C-RM 3-1: Information Systems Risk Assessment and Reduction

    URAC assumes that your organization has a comprehensive risk management program, and in this standard, requires that your information systems are a component of that system. Specifically, the IT component must address explicitly data storage, gathering, and transfer.Your organization must conduct risk assessment in these three areas, and that assessment must periodically include "an entity with th...

    READ FULL POST
  • Core 4.0 / 12.26.2018

    C-RM 2-3: Business Continuity Plan Testing

    Your organization must test its business continuity plan ("BCP") no less frequently than every two years. Notably, the BCP test can be a tabletop exercise, which URAC defines as:test of a Business Continuity Plan (BCP) that includes documentation of the following aspects of the test:A tabletop exercise simulates an incident in an informal, stress-free environment.The participants who are usually t...

    READ FULL POST
  • Core 4.0 / 12.26.2018

    C-RM 2-2: Pharmacy Emergency Management Plan

    Applicable only to organizations seeking accreditation in one of URAC's pharmacy modules, this standard requires that your business continuity plan describe an emergency management system that addresses how the organization will distribute medications in the event of an emergency. The description must address the organization's facilities, its services, and its products in some detail. As was the...

    READ FULL POST
Top