Tabletop recovery exercises are great, but they only get you so far.
In today’s blog, we’ll sketch out the full range of disaster recovery exercises that organizations can conduct, explain the limitations of a tabletop-only exercise regimen, and point you toward some tips that can help you raise your recovery-exercise game.
DISASTER RECOVERY EXERCISES IN A NUTSHELL
Disaster recovery (DR) exercises are the activities organizations conduct to see how they would perform if they were faced with a real disaster which threatened to disrupt their operations.
DR exercises are not training activities. They are designed to reveal gaps in your plans and preparedness, so you can rectify them before a real emergency strikes. The practice obtained during an exercise can be considered a fringe benefit rather than their primary purpose.
Typically we divide exercises into business continuity DR exercises, which focus on the recoverability of business processes, and IT/DR exercises, for disasters threatening the IT system.
There are also multiple levels of exercise, from tabletop recovery exercises to full-scale ones. To explain, I’ll start with a parallel situation from a familiar context: home fire-safety preparedness.
Suppose you and your family had put together a home fire-safety plan. And suppose that you also wanted to see how good the plan was and get a sense of how ready everyone was for an actual fire emergency.
Obviously, there is a whole range of ways that you could test your family’s readiness, ranging from short and sweet to highly involved and dramatic.
On the simple end of the spectrum, you could take a few minutes over dinner to ask everyone what they would do if, that night at 3 a.m., they were awakened by the smoke detector’s going off.
On the more involved end of the spectrum, you could set the smoke detector off at 3 a.m. without warning anyone, and see how everyone does in terms of getting dressed, grabbing the children, leashing and bringing the dog, getting everyone out of the house, and gathering at the designated meet-up point, or what have you.
And of course, there are many potential levels of exercise in between.
THE 4 LEVELS OF DISASTER RECOVERY EXERCISES
Just like a family gauging how prepared it is to cope with a fire, organizations can conduct recovery exercises at different levels to gauge their readiness to face a business disruption.
The four levels of such exercises are, in increasing order of intensity and realism:
- Tabletop review: Sit around a table and validate the plan is complete and up to date.
- Walkthrough drill/simulation: Sit around a table, pick a scenario and discuss what should be done to see how the plan stands up to it.
- Functional: Like a walkthrough, except the team “ take action” – making decisions, simulating the deployment of resources, and responding to new developments.
- Full-scale: Interrupt your production, relocate to your alternate workspace and recover your business in real time using your available resources.
Each of these levels builds on the one before it.
THE BAD NEWS ABOUT TABLETOP RECOVERY EXERCISES
The bad news is, in corporate America today, an unfortunate and misguided idea has taken root when it comes to business continuity exercises. This idea is that tabletop recovery exercises alone are sufficient to enable the company to obtain an accurate measure of its readiness to deal with a disaster.
Companies that limit themselves to tabletop exercises usually use the excuse that they don’t have the time to conduct more realistic and involved exercises. They also say they are reluctant to do anything that will require their people to relocate, interrupt production operations, or risk real business.
Now imagine if there was a school that used a similar explanation to justify skipping conducting regular fire drills: “We didn’t want to interrupt the kids’ learning, etc.” Any parent would see through that in a heartbeat.
As such a parent might put it, “Yes, it’s important to protect learning time, but in the overall scheme of things, a fire drill doesn’t take that much time away from classroom activities, and the potential cost of the students’ not knowing how to evacuate the building—and the staff’s not knowing for sure that their plans are sound—is so high that the time spent on the drill is well worth it.”
The same is true of realistic disaster recovery exercises in the corporate world.
However, as a result of thinking such as that described above, recovery exercises remain one of the biggest gaps in most companies’ business continuity programs.
Tabletop recovery exercises are important and valuable; however, they are not sufficient.
A MARATHON EFFORT
Think about it in terms of getting ready to run a marathon: It is certainly valuable for a person who hopes to complete a 26.2-mile race to study the course, visualize completing the race and talk to others about what it will be like.
But the only way the person will really know if they are sufficiently prepared to run a marathon is to physically get outside, train to run that distance, and then do it in conditions that closely simulate the real-life event.
Absent that kind of preparation they are taking a real gamble with their marathon dream, and maybe even setting themselves up for failure.
HOW TO GET REAL
So how can a company that only runs tabletop exercises start moving toward a deeper and more realistic exercise program?
There are plenty of good tips in these recent posts by myself and Richard Long, a senior advisory consultant here at MHA. Check them out:
- Kill the Zombies, or How to Get More From Your DR Exercises
- Mock Exercises – How to Test True Capability
- The 5 Most Important Risk Mitigation Controls
- Beginner’s Guide to Recovery Exercises
- Exercise Smarter: Include 3rd Party Experts In Your Cyber Exercises
- 8 Dos and 1 Don’t for Conducting Disaster Recovery Tests
- Disaster Recovery vs. Business Recovery – Business Continuity 101