C-RM 2-3: Business Continuity Plan Testing
Your organization must test its business continuity plan ("BCP") no less frequently than every two years. Notably, the BCP test can be a tabletop exercise, which URAC defines as:
test of a Business Continuity Plan (BCP) that includes documentation of the following aspects of the test:
- A tabletop exercise simulates an incident in an informal, stress-free environment.
- The participants who are usually the responsible managers and the response teams gather around a table to discuss general problems and procedures in the context of an incident scenario.
- A scenario is developed in advance, but there are no attempts to arrange elaborate facilities or communications. One or two evaluators may be selected to observe proceedings and progress toward the objectives.
- The focus is on training and familiarization with roles, procedures, and responsibilities. There is review of the step-by-step procedures for each of the critical plan elements outlined in the BCP.
- The success of a tabletop exercise is determined by feedback from participants and the impact this feedback has on the evaluation and revision of policies, plans, and procedures.
Your organization must use the results of its BCP test to address discovered issues and update processes as needed.
In a change from previous years, URAC will accept an actual disruption of business processes as a test of your BCP plan.
Make sure the testing requirement is written into your BCP, and that you have clear documentation of the most recent testing.
Submit the testing plan, and documentation of the tabletop test that includes participants, the scenario tested, and findings. Additionally, submit any other documentation, including policies and procedures, committee minutes, etc.
The URAC reviewer will interview leadership and staff involved in the BCP testing.
The reviewer will examine documentation of the most recent test of the BCP.