Resiliency Testing (Part-I)

16 Nov 2023

Daman Dev Sood

This informal CPD article, ‘Resiliency Testing’, was provided by Daman Dev Sood, an International Resilience Trainer & Consultant.

Businesses today are facing an ever-increasing number of challenges, from technological disruptions to economic uncertainties. In order to survive and thrive in this dynamic environment, companies need to be resilient and reliable across people, processes, technology, systems etc., so that they can withstand unexpected events and adapt to changing conditions.

The components of Resiliency can be listed as:

1. Incident Management
2. Emergency Management
3. Employee Health & Safety Management
4. Crisis Management
5. IT Disaster Recovery Management
6. Risk Management
7. Business Continuity Management
8. Crisis Communication Management
9. Physical Security Management
10. Information Security Management
11. Cybersecurity Management

These are the bricks, walls, and roof of Resiliency, and together they make the ‘House of Resiliency’.

Resiliency Testing

Having plans and arrangements is good, but these cannot be treated as reliable until tested. The load on organisations has been increasing, and the expectations of the interested parties are very high. Testing becomes a challenge in these circumstances.

An organisation needs to ask itself the following four questions:

  • Is Resiliency a well-defined concept in our company? 
  • Is Resiliency Testing a new concept or a challenge in our organisation? 
  • Shall we look for maturity in our Resiliency Testing Program? 
  • Have the auditors or the regulator commented on required improvements in the Resiliency Testing Program for our company?

The questions above establish the importance of Resiliency Testing. In simplest terms, it can be defined as: The process of evaluating an organization’s resiliency capability.

Designing, Developing, and Delivering an Effective Resiliency Test is an art.

A 3D Approach to Resiliency Testing is recommended. 

  • Design the test
  • Develop the test: Comprehensive plan, scenario, cases, expected results 
  • Deliver: Execute as planned, record results, issue report, take actions to closure

It is an art that can be learnt and mastered, hence the need for organisations to invest in it.

Need, and Benefits of Resiliency Testing

The need for Resiliency Testing is self-generated or internal, but there are regulatory requirements as well. Programs like Operational Resilience (a mandate in many industries and countries, as the Bank of England has done for the BFSI sector in the UK) focus a lot more on scenario planning and testing, where it is said that one should cater to ‘rare but plausible’ scenarios.

By investing in developing the 'Resiliency Testing' competencies, companies can empower their employees to take a proactive approach to Resiliency and build stronger, more resilient systems (people-process-technology). This, in turn, can lead to improved operational efficiency, better customer service, and increased competitiveness in the market.

Investment in building Resiliency Testing competencies can yield multiple benefits, including tangible and non-tangible benefits like:

Tangible

  • reduction in downtime
  • faster recoveries
  • increased employee satisfaction
  • increased client satisfaction
  • increased regulator satisfaction
  • repeat business
  • positive referrals
  • reduced penalties
  • reduced recovery costs
  • enhanced product/ service rates
  • improved NPS

Non-tangible

  • increase in identifying vulnerabilities
  • improved incident management
  • enhanced reputation
  • enhanced competitive edge
  • enhanced effectiveness of Resiliency Program

In general, investing in employee training and development can lead to improved resiliency and reliability of systems and processes, and a positive impact on the company's revenue.

Training and development lead to improved resiliency

Good practices for Resiliency Testing

Here are some good practices related to Resiliency Testing:

  • Give enough notice and block diaries through a meeting invite
  • Train, if required
  • Follow the plan (developed, reviewed, approved)
  • Keep communication clear
  • Pre-test briefing, if required
  • Start as planned
  • Check participants, use alternates if required
  • Use scripts, as planned
  • Make observations on all participants, environment, and systems
  • Offer breaks as planned (take care of participants)
  • Manage exceptions, as planned
  • Close as planned
  • Collect feedback
  • Post-test briefing, if required
  • Write the test report (written, reviewed, approved)
  • Share the test report with all relevant interested parties
  • Follow up and ensure closure

One of the most important parts of designing a Resiliency Test is the selection of actors (audience or participants). Some of these actors are:

  • Facilitator
  • Resiliency Manager
  • Coordinators/ Champions
  • Logger
  • Steering Committee
  • Critical Resources
  • Other Employees
  • Independent Observer
  • Other Interested Parties

I close this article with two sample scenarios below.

Sample Scenarios

1. A short and simple sample scenario for a Resiliency Test:

“A husband and wife both work in your organization. They are aware of the rules, regulations, and policies (including IT/cyber/password policies).

During hybrid working, you have had NDAs refreshed for all employees, and carried out extra awareness on fraud/cyber security, hardware/software hardening etc.

The husband is lured by someone into handing over some official data in exchange for cash. He snoops into his wife’s laptop/account to do this.

The case comes to light (the wife brought this to you). Discuss the case.

What actions will you take with the husband?

Any actions for the wife?”

The above can be presented to your CMT in a Crisis Simulation Exercise. The facilitator can then lead the discussions as they develop. This can easily run for half a day.

2. A complex narrative for a Resiliency Test:

“Test your skills to test unauthorised transactions; increased call volumes; database corruption; customer database hacks; a scenario that is a mix of earthquake, mass resignations, and sudden departure of major clients at the same time; media negativity; shareholders, investors, regulator, government, and citizens asking questions; and more.

Add fuel to this fire: primary and secondary IT failing simultaneously, a new epidemic starting in major cities where you are operating, critical supplier failure, a portion of the building falling during work hours (employees hurt and dead), citizens going on a rampage against your company (burning your HQ, stone pelting on other buildings), employees also getting hurt!”

A final good practice is to raise the bar slowly: start with simple tests and move towards more complex tests. In Part-II of the article, I will throw light on some other aspects of Resiliency Testing.
