There’s more to Business Continuity (BC) disaster recovery drills than tabletop exercises, but you wouldn’t know it from the practices of most organizations. Most companies limit themselves to tabletop drills, the most basic type of recovery exercise.
In today’s post, I’ll introduce you to the full range of BC drills, and explain why it’s important for your organization to push itself and tackle the more demanding and realistic types of exercise.
TAKING A GAMBLE
As I’ve said before, too few organizations conduct any kind of recovery exercises at all. Of those that do, too many limit themselves to conducting only tabletop tests, which are the least realistic and demanding type of BC drills.
These organizations are not truly testing and validating their ability to recover from a disaster. Because of this, they are gambling with the welfare of their companies. They are also missing out on the opportunity to identify and bridge gaps in their recovery planning.
PLAYING GOLF WITH ONE CLUB
Companies that only do tabletop testing remind me of those beginning golfers who carry a full bag of clubs but hit every shot with a 7-iron, because that’s the only club they know how to hit.
Obviously, if you want to get good at golf you have to push yourself and master all the clubs. If you want to make sure your organization can recover from a business disaster, you have to learn about and push yourself toward the more complex type of recovery exercise.
THE 4 TYPES OF BC TESTING
Some business continuity professionals think that “tabletop testing” and “business continuity testing” mean exactly the same thing. In fact, tabletop testing is only one kind of BC testing; there are many others.
How many others? Well, the Federal Financial Institutions Examination Council (FFIEC) breaks Business Continuity Plan (BCP) testing down into four types.
Their description of these is excellent, so I’m going to give it to you in full (for the original, click here):
Business Continuity Planning (BCP) Testing Methods
Tabletop Exercise/Structured Walk-Through Test
A tabletop exercise/structured walk-through test is considered a preliminary step in the overall testing process and may be used as an effective training tool; however, it is not a preferred testing method. Its primary objective is to ensure that critical personnel from all areas are familiar with the BCP and that the plan accurately reflects the financial institution’s ability to recover from a disaster. It is characterized by:
- Attendance of business unit management representatives and employees who play a critical role in the BCP process
- Discussion about each person’s responsibilities as defined by the BCP
- Individual and team training, which includes a walk-through of the step-by-step procedures outlined in the BCP
- Clarification and highlighting of critical plan elements, as well as problems noted during testing
Walk-Through Drill/Simulation Test
A walk-through drill/simulation test is somewhat more involved than a tabletop exercise/structured walk-through test because the participants choose a specific event scenario and apply the BCP to it. However, this test also represents a preliminary step in the overall testing process that may be used for training employees, but it is not a preferred testing methodology. It includes:
- Attendance by all operational and support personnel who are responsible for implementing the BCP procedures
- Practice and validation of specific functional response capabilities
- Focus on the demonstration of knowledge and skills, as well as team interaction and decision-making capabilities
- Role-playing with a simulated response at alternate locations/facilities to act out critical steps, recognize difficulties and resolve problems in a non-threatening environment
- Mobilization of all or some of the crisis management/response team to practice proper coordination without performing actual recovery processing
- Varying degrees of actual, as opposed to simulated, notification and resource mobilization to reinforce the content and logic of the plan
Functional Drill/Parallel Test
Functional drill/parallel testing is the first type of test that involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform actual recovery processing as set forth in the BCP. The goal is to determine whether critical systems can be recovered at the alternate processing site and if employees can actually deploy the procedures defined in the BCP. It includes:
- A full test of the BCP, which involves all employees
- Demonstration of emergency management capabilities of several groups practicing a series of interactive functions, such as direction, control, assessment, operations, and planning
- Testing medical response and warning procedures
- Actual or simulated response to alternate locations or facilities using actual communications capabilities
- Mobilization of personnel and resources at varied geographical sites, including evacuation drills in which employees test the evacuation route and procedures for personnel accountability
- Varying degrees of actual, as opposed to simulated, notification and resource mobilization in which parallel processing is performed and transactions are compared to production results.
Full-interruption/full-scale test is the most comprehensive type of test. In a full-scale test, a real-life emergency is simulated as closely as possible. Therefore, comprehensive planning should be a prerequisite to this type of test to ensure that business operations are not negatively affected. The institution implements all or portions of its BCP by processing data and transactions using backup media at the recovery site. It involves:
- Enterprise-wide participation and interaction of internal and external management response teams with full involvement of external organizations
- Validation of crisis response functions
- Demonstration of knowledge and skills as well as management response and decision-making capability
- On-the-scene execution of coordination and decision-making roles
- Actual, as opposed to simulated, notifications, mobilization of resources, and communication of decisions
- Activities conducted at actual response locations or facilities
- The actual processing of data using backup media
- Exercises generally extending over a longer period of time to allow issues to fully evolve as they would in a crisis and to allow realistic role-playing of all the involved groups
WALK BEFORE YOU RUN
You have to walk before you can run, and you shouldn’t try to do a full-scale interruption test as your first recovery exercise. A full-scale exercise is something you build toward. But you definitely should build toward it!
As your BC program matures, and your team gains in expertise and confidence, you should gradually work your way toward the more realistic, comprehensive exercises. These are the best way of finding out how prepared you are to get through a major business disruption.
DON’T GET COCKY, KID
Are you one of these super-confident BC professionals who thinks his or her program is hot stuff? Well, great. Now put it to the test. Conduct a full-scale exercise to find out if you’re really as good as you think you are. It’s easy to ace a tabletop exercise. Dominating a full-interruption exercise is a different story. And if you do sail through, then good for you and your team. Your company is lucky to have you. If not, learn from the results, close your gaps, and try your BC drills again.
The fact is, recovery exercises are a lot like physical exercises. It’s not a one-and-done proposition. It’s a lifestyle of pushing yourself and your boundaries, and gradually developing new capabilities. It’s not easy, but it is satisfying. BC drills are also the best way of ensuring that your organization, and everyone who depends on it, will be protected if and when disaster strikes.
For more on BC drills and other hot topics in business continuity management, check out these recent posts from BCMMETRICS and MHA Consulting:
- Kill the Zombies, or How to Get More From Your DR Exercises
- Beginner’s Guide to Recovery Exercises
- 8 Dos and 1 Don’t for Conducting Disaster Recovery Tests
- Exercise Smarter: Include 3rd Party Experts In Your Cyber Exercises
- Let’s Get Real: The Limitations of Tabletop Recovery Exercises