Which Exercise is Best for Testing Business Continuity
Improving business continuity testing and exercising
Three surveys published recently seem to show that testing and exercising of business continuity and disaster recovery plans and strategies is generally a weak area:
* A survey of 200 companies with between 250 and 999 employees by Vanson Bourne found that, of the 81 percent of respondents stating that they had a business continuity plan, 50 percent had only partially tested plans and 18 percent had not tested any aspect of their plans. (1)
* A PricewaterhouseCoopers survey found that almost half of disaster recovery plans have not been tested in the last year. (2)
* According to the Chartered Management Institute's 2008 business continuity survey, 33 percent of organizations with a business continuity plan still do not undertake any form of exercise to test their plan. (3)
Continuity Central asked various business continuity experts why it seems that many organizations neglect the area of testing and exercising and what individual organizations can do to improve. Each expert was asked the same three questions, and the various comments received in response are summarised below:
QUESTION ONE: WHY IS BUSINESS CONTINUITY TESTING AND EXERCISING A WEAK AREA?
People find it difficult to understand the concept of exercising and how to develop and use appropriate scenarios. As a result, the use of consultants to do this is, in the main, expensive and, in my opinion, the scenario is often light on content and impact. Coupled with this are the cost implications to the company and the view that the time taken is not productive.
Karen Atkinson, MBCI, senior risk manager, Risk & Compliance, London Scottish Bank plc
I guess there are several reasons:
- Project fatigue can set in and management just want to close the project;
- The ostrich syndrome - if it's not been tested, it can't be proved wrong;
- Getting a bunch of senior people together in the same place at the same time can be difficult and business priorities and dynamics can lead to postponement or cancellation;
- Insensitive timing of tests by business continuity people (it's not a good idea to schedule tests during the budget cycle, the end of the financial year or in conflict with a project or product activity);
- Over-ambitious testing plans: tests can be scheduled to take too long and can be too disruptive of the business (surprise tests can wreck meetings that may have taken months to schedule).
Andrew Hiles, FBCI MBCS, managing director, Kingswell International
- Expense: It takes time to develop a reasonable scenario; running an exercise costs money in lost productivity.
- Personnel: Everyone has other priorities – it's very hard to gather all personnel at any one time (which points out the need for primary and alternate responders).
- Lack of top management enthusiasm which translates to mid-management as 'no one really cares.'
- Weak regulations: there is a requirement to HAVE a plan, but rarely is there a requirement to EXERCISE the plan at any level. If it looks good on paper, that's good enough.
John Glenn, MBCI
Testing DR plans can be a hard sell to the bean counters who have the ear of upper management, and there will always be organizations that only pay lip-service to DR planning and provisioning - doing just the bare minimum to keep the auditors placated in the interest of improving the bottom line. There is also the "it can't happen here" mentality that regards disasters as a low probability and therefore not worth the allocation of adequate funding and resources.
Phil Stott, MBCI
I believe there are two reasons. One is the availability of customer resource to actually come out of day to day activities and conduct a business continuity test. This is not only IT resource but, as work area is increasingly a component part of any viable BC plan, the availability of user resource. Secondly, I do believe some organizations with a BC plan have one because of external pressures and not necessarily as something that is wholly embraced within the culture/strategy of the business. In such circumstances the management pressure to test is often simply not there, unless the external influencers demand more than just the 'tick in the box' and insist on evidence of testing.
Mike Osborne, managing director ICM Continuity Services
Generally speaking, exercises are dull and boring because the authors do not spend enough time on detailed preparation and concentrate too much on the 'drama' of the scenario. The face-validity and predictive-validity of an exercise have to be perfect to capture the imagination of the participants and this takes time to author and develop.
Chris Needham-Bennett, managing director, Needhams 1834 Ltd
There are several reasons why testing and exercising is a weak area:
- Cost and time in staging the exercise;
- Customers, insurers, auditors just ask if BCPs exist, they don't ask if they have been exercised. Most auditors do not even ask for evidence that the BCP exists let alone asking for evidence that the plan has been tested and what actions are being taken as a result.
- Lack of understanding about exercising - 'it will work because I know how we operate'.
John Sharp, HON FBCI, senior industry advisor, ICM.
I think that there are three key reasons why the exercising of business continuity plans is a weak area:
- The BCP Objective. Often an organization has an objective of developing a business continuity plan. This objective is then met – plans are developed – but the original rationale for the development of the plan, securing the organization should some unexpected event occur, is lost. The classic signs of the 'BCP Objective' taking precedence over the reasons for implementing BCP are a BCP implementation project which stops after the development of the plans, with little or no exercising, no thought as to ongoing exercising and the review and improvement of the business continuity plans, and a large cumbersome business continuity plan sitting on a shelf somewhere gathering dust.
- It's all too difficult. There is a perception that exercising business continuity plans is difficult, time consuming and costly. Whilst a full, all-embracing exercise of the plans is undoubtedly the best way to identify weaknesses and improvement, a significant amount can be achieved using table top exercises. Furthermore, in terms of raised awareness and training benefits, there is a lot of benefit in doing 'little, often' rather than just one major exercise once a year. By breaking the plans down to their constituent elements then exercising the various elements within a programme of exercising and review, business continuity plans can be exercised in a cost-effective manner.
- Not involving the right people. Whilst it is widely recognised that business continuity planning needs to involve the whole organization, and in particular not just the IT department, it is still often the case that BCP implementation is IT-led. As an external consultant, this is usually explained to me as "the IT department understands the rest of the business, so there is no need to involve anyone else." Whilst not wishing to comment on the veracity of that argument in any particular organization, I would strongly argue for involving the rest of the business in exercising the plans so that any assumptions are validated. However, what I have seen happen in practice is that the rest of the business has not been involved in the BCP process and so has not 'bought in' to the project. Therefore, when it comes to exercising the plans, there is a reluctance for representatives from outside IT to get involved, and the plans do not get exercised in a meaningful way, if at all.
Neil O'Connor, principal consultant, Activity.
In a lot of cases, I think this is down to a lack of understanding of what business continuity is and what it provides. There are still a number of businesses out there where revenue generating or customer facing departments assume that it's all somebody else's problem. They tend to believe that IT, facilities or the other support services will simply provide them with a carbon copy environment in which to work, so they think of testing as being simply IT testing.
Also, at senior management level, you have people who are employed because they are good at making decisions, so it's hard for them to see a need to practice. It's not until you work through a scenario, highlighting the conflicting and inadequate information, the limited and changeable personnel, the shortage of communications tools and infrastructure etc., that they see why exercises are necessary.
John Matthews, MBCI, senior consultant, Siemens Enterprise Communications Limited
Simulations and testing tend to be the first best-practice maintenance element to disappear if teams are short of time or energy. This is ironic, as a well-structured, efficient simulation can be one of the best ways to re-highlight the need to focus on risk management and the opportunities that a well-honed team and process can create.
Boardroom teams might imagine a test or simulation will take lots of time and is not a necessity - in fact, a very extensive test can be run in less than half a day and can be highly productive, as long as you build in a feedback and discussion session at the end. You might also consider drip-feeding the scenario ahead of the test, to cross-check routine early warning systems, overtly or covertly. Again, this doesn't need to be a time-consuming or onerous approach.
Of course, there is also a more cynical view; senior managers may fear being exposed or spotlighted in a way that is unhelpful to their influence or career. But, more fool the risk manager who sets up such an exposure - they will undermine the force and credibility of their risk management and business continuity programme for a very long time.
Chris Woodcock, managing director, Razor
Testing and exercising of business continuity plans are weak areas because the primary assumption is that it is costly, complex and that they cannot be carried out without disruption to the business. Business managers are also still very much relying on the fact that such plans may never need to be invoked and therefore - why waste good resources on testing them? We have encountered a similar attitude towards testing and maintaining power continuity plans.
The problem is that, in the unfortunate event that plans have to be invoked, they may fall down and thus render themselves useless and a complete waste. My view is that if you are not going to make testing and exercising of plans a core function of your business there is no point in having them at all. Employing network emulation for testing plans (either BC or power continuity) means that it need not be disruptive to the business. As with most things, when testing becomes a regular function, it often also becomes simpler, easier and quicker to do. It is actually the first step that is often the greatest hurdle.
Robin Koffler, general manager, Riello UPS
In our experience, the reasons why many organizations seem loath to rehearse their business continuity plans seem to be a mix of inter-related attitudes. On the one hand there are concerns regarding cost and fear of 'failure' and on the other, perhaps a lack of understanding of the real benefits of exercising.
Firstly, I think many organizations find it difficult to create a convincing business case for testing and exercising that will compete effectively against other priorities with more tangible benefits. This has been well documented and the solution to overcoming this hurdle in perception relates to fully understanding the benefits of exercising.
Secondly, exercises are so often perceived as tests which can be failed rather than as an opportunity to validate plans and rehearse responses in a safe environment where issues can be ironed out before a crisis actually happens. People are nervous about their performance reviews and would often rather not take part. This tends to be a particular issue at senior management level.
I think some organizations simply don't know what they don't know and sit in a false comfort zone as a result. They believe that having a plan is enough to safeguard them in the event of their business being interrupted. Anyone who has been through a crisis or conducted an exercise knows only too well that the devil is always in the detail. It is only by exercising plans that seemingly trivial issues can be flushed out and prevented from being potential show-stoppers in a real situation.
My final and probably most heart-felt point is conveying the importance of people in determining the outcome of any crisis. Plans are important but they are enacted by people. It is their decision-making and information management that drives the response and brings together all the incident response plans in a co-ordinated way to prioritise activities to minimise the impact and speed recovery from that particular crisis, be it physical or non-physical. These people therefore deserve to be prepared. This cannot be achieved by planning but only by training and exercising – and all exercising is training. If an organization is really serious about its reputation, assets and productivity, then it should exercise, as no amount of planning alone can prepare the people who will make the difference. They need to complete the circle of preparation.
Dominic Cockram, managing director, Steelhenge
Testing and exercising can be weak because firms adopt an approach that may set the plan and individuals up for failure. They attempt to test or exercise scenarios that exceed the capabilities of the plans.
Alternatively they test parts of the recovery plan but not all of it. This may be sufficient to demonstrate activity for audit purposes but exposes the organization to risk.
A view pervades that the DR contract is all that is required. This is not the case.
End to end business process recovery testing involves many components, each of which can and should be independently tested. Bringing proven components together ensures that large scale scenarios can be successfully tested.
Nilima Patwardhan, IBM UK External Relations
Various reasons are:
"Don't have the high level support" – This is the most fundamental and frequently encountered problem in our profession. No matter what the implied legal regulations and requirements regarding having a viable business continuity/disaster recovery plan may be, if you don't have the support from the top, you will have a very frustrating task in front of you. Not getting the support for plan testing and exercises will be the least of your problems!
"Don't have the budget for it" - I believe that BC/DR testing and exercising is perceived by many businesses as an activity and expense to be deferred during financial and/or resource shortages. Despite 9/11, terrorist attacks in the UK and elsewhere, I've found that too many managers are still taking positions such as "We just don't have the resources to support an exercise, it (a disaster) can't happen here anyway" attitude, "We're going through budget cuts, unless we can push this off till 4th quarter we'll lose people", etc. I've encountered this problem even with BC/DR initiatives that were supposedly supported up to and above VP level. There are also those managers that, though they provide lip service in supporting a corporate BC/DR initiative, rest assured that as soon as a budget crisis hits, BC exercises/testing will hit the chopping block first, along with employee training.
"Don't test, don't tell" - Another issue is what I call the "Don't test, don't tell" (or "let sleeping dogs lie") syndrome. Example: a manager responds to a request for exercise support with the following - "We put this plan together only 18 months ago, tested it, and it went well. Nothing has really changed, so why are we wasting the time and money to test this again?" Obviously, because of dynamic business conditions and requirements, the argument that "nothing has really changed" is invalid, and plans need to be reviewed and exercised regularly to remain effective. In many cases, the real problem is that many managers suspect that their tested plans from even a year ago may not result in a successful exercise today. They certainly don't want this situation exposed by the results of an exercise, so, "Don't test, don't tell".
Employee turnover - While the number of dedicated BC/DR coordinators and managers is increasing, there are still far too many businesses that do not take the need for these positions seriously. A common practice in US businesses is to "dump" the responsibility on an employee that is perceived to need additional work to keep them busy, or, even worse, give the responsibility to an IT support or server administrator that is hopelessly overloaded (you can see this practice frequently in job ads on Monster.com). In either case, the likelihood that actual meaningful tests and/or exercises will be executed is poor.
Kevan Morrison, MBCI, senior consultant, Vigilant Services Group
QUESTION TWO: CAN YOU GIVE EXAMPLES OF WHERE TESTING AND EXERCISING HAS PROVED TO BE USEFUL?
I ran a basic exercise once based on a fire scenario and, in line with our procedures, arranged for managers to disperse their teams for an hour pending emergency services investigation, arranging for them to re-convene at the assembly point one hour later. They all promptly said that they would go for a coffee or a drink but no one actually used this hour fruitfully. I used this exercise to cover aspects such as keeping the teams together, using the hour to brainstorm what issues each team would have if the fire was real (e.g. lost work in progress, issues for getting recovery staff to the recovery site and non-recovery staff to get home (potentially without transport, money or keys), and even whether they had enough money for the coffee in the first place!). It certainly made sense to all attending the exercise to do this in future. As a result, I now have a prompt sheet in our evacuation box so that, in the event that this situation arises, they can take this with them and discuss over coffee so that they are prepared when they return to immediately highlight the actual issues facing the team.
Karen Atkinson MBCI, senior risk manager, Risk & Compliance, London Scottish Bank plc
I think the following are successes - they did reveal weaknesses but did all result in improvements to the BCP and BC organization. One test we ran for an insurance company showed that the BCP worked well from a business recovery perspective, but failed to consider staff welfare issues: as a result, the BCP was completely rewritten to put people first and the business second - a case of wrong assumptions about priorities. Another test we ran for a financial institution overlooked the contact centres completely - it actually took us some time arguing with the relevant director that they were a mission critical activity! A third test we were involved with showed that the CIO had no chance whatsoever of recovering within the RTO. Far from helping, the ICT DRP was totally inadequate and the CIO was obstructing the business in its recovery efforts: he had to be replaced. In a couple of cases members of the EMT were shown to be 'peacetime soldiers' who did not have the qualities necessary to lead in a crisis situation. On more than one occasion the test has breathed new determination and vigour into the BCM activities; has consolidated and enhanced support for BCM; and proved a superb training exercise.
Andrew Hiles, FBCI MBCS, managing director, Kingswell International
Testing achieves three principal advantages for recovery centre subscribers:
• It gives confidence that the solution and processes will work;
• It identifies areas of risk and improvement;
• It provides an opportunity for the provider to understand the requirement/capabilities and approach of the client.
ICM's evidence shows that where a client has an incident within a few months of a test, they readily invoke given the confidence engendered by their recent test. Specific examples of this are available and there is no denying that clients get a far greater return on their BC investment if they have tested.
Mike Osborne, managing director, ICM Continuity Services
Examples of tests that have proved useful are legion, and any organization that has undertaken a test will learn something. My best example is an insurance company that tested the recovery of its main systems to its recovery site only to find that it took two weeks to fully recover the systems so that users could access them, rather than the two days expected. Major changes were made to the recovery plans and procedures, and the time was eventually brought down to three days. Another organization found, through a test, that it could recover its finance system at a recovery site within two days, but that the communications links didn't work as expected. They had to install new communications with the recovery site.
Exercises also produce benefits in that lessons are learned before plans are used for real. Only an idiot would use a plan for the first time in response to a real incident (there's a lot of idiots out there!). Typically, such things as communications are more difficult and complex than people have planned for. Plans usually assume that everything runs smoothly; it doesn't.
Exercising a plan shows people the need to build in delays and confusion.
Mel Gosling, Merrycon Ltd
On three occasions the scenario which we authored for the client's exercise has subsequently happened. An operations director of an airline very honestly admitted that had they not gone through the scenario some four months before the incident they would not have worked as effectively. In the event no lives were lost and the airline did not suffer adverse publicity.
Chris Needham-Bennett, managing director, Needhams 1834 Ltd
Testing and exercising is not only always useful, it's essential. I have two rules which I always pass on to companies I work with - "If it isn't guaranteed, it doesn't exist"; and, "If it isn't tested, it doesn't work". No organization would introduce a new commercial or operational process without running numerous and exhaustive tests - why is the business continuity process considered an exception to this?
Advantages to testing and exercising are numerous; it raises the profile of business continuity, it highlights gaps in the processes or contingency provisions, it helps fine tune the plans and make sure they are fit for purpose and, in the event of a real incident, it introduces an essential element of "we've done this before - I know what to do here."
John Matthews, MBCI, senior consultant, Siemens Enterprise Communications Limited
I have yet to see an exercise which hasn't been useful! They not only serve to flush out issues to validate plans but are also an essential mechanism to rehearse crisis and continuity teams in their roles, raise awareness of the plans, run through the actions thereby raising confidence levels and identify more specific people-based training needs.
Additionally, they establish valuable relationships and familiarity between team members – this is not only relevant in large organizations but also multi-agency settings where people may never have gathered as a team in this context.
In terms of detail, one organization discovered during a business continuity exercise that the credit card in its 'grab-pack' was out of date. This would have brought their official purchasing power to a halt and potentially left many staff stranded.
Exercises have also identified people requiring crisis leadership training to ensure their style under the pressure of a crisis situation meets the need. We have seen exercises that have led to the nominated lead or chair deciding they are not the best person to lead the response. Other people who are not so strong in their 'day job' can really emerge as excellent at managing under pressure / in a crisis situation.
Staff comment almost without exception that they feel more confident in their understanding of the plan and their role following an exercise. It is very difficult to achieve any benefit from reading a plan in cold blood; only workshops and exercises can bring it to life.
Information management is obviously key to managing any disruption. It is, however, often overlooked by planners, only to find itself thrown into the spotlight during an exercise. Putting into practice a flow diagram that looked good in theory can be a very telling exercise. This skill is also something that can add value to day to day business, disasters aside.
A common learning point from many BC exercises is also the issue of appropriate accommodation. Quite often the assumptions detailed in plans don't match up with reality and there are many examples of teams finding the nominated crisis centre is either not big enough, not properly equipped or laid out inappropriately.
Dominic Cockram, managing director, Steelhenge.
QUESTION THREE: DO YOU HAVE ANY IDEAS FOR HOW BUSINESS CONTINUITY MANAGERS CAN ENCOURAGE ORGANIZATIONS TO PUT TIME AND RESOURCES INTO TESTING AND EXERCISING?
Initially link to an evacuation exercise and/or vary the evacuation (e.g. close off an exit route and see how personnel react). Since companies have to undertake evacuation exercises every six months, the importance of exercising is visual and instant and this can be built upon for other types of exercising.
Karen Atkinson MBCI, senior risk manager, Risk & Compliance, London Scottish Bank plc
How do we encourage testing? Far more emphasis needs to be given to it throughout the BCM lifecycle. An annual budget should be set specifically for exercising and training (not just training courses; training under exercise conditions). The BCI should champion the importance of testing. Persuade the board that an annual BC test should be part of KPIs, business, departmental and team objectives; personal objectives reflected in appraisal and pay. Get BC testing included in audit's control questionnaires. More publicity - like your article!
Andrew Hiles, FBCI MBCS, managing director, Kingswell International
Planners need to realize, and convey to management, that NO plan is 100 percent correct the first time it is exercised; that exercises have two primary objectives: (1) identify any plan deficiencies and (2) to enhance responder confidence. If a planner can, the exercise should include *active participation* by top management, even if only in a 'go-fer' role - if top management 'plays' the game, others will want to play along. (Top management should have a role in the response plan anyway - if not, find a way to include it.)
John Glenn, MBCI
Make it tangible. Imagine paying for car insurance, crashing your car and not claiming on insurance because you aren't sure that the policy is correct and you will get the result you expected. One would be tempted to ask why bother with the insurance in the first place! Business continuity contracts aren't insurance policies. They actually allow you to fully test the basis of the policy and if the cover isn't sufficient – give you an opportunity to review/change.
There may soon be a more compelling reason to test than just common sense. BS 25999 will increasingly drive the supply chain to invest in business continuity. Supply contracts, insurance, corporate funding are all likely to see a BS 25999 accreditation as a pre-requisite. BS 25999 contains a requirement to test and report on the findings of the test.
In a nutshell, the BC market has evolved. Where the question was once 'Do you have a BC plan?', it is now: 'Do you have a BC plan, have you tested it and what was the outcome – and by the way – show me the accreditation/process that will convince me that your plan works…'
Mike Osborne, managing director ICM Continuity Services.
I have two thoughts here.
Firstly, make testing and exercising a regular part of the annual calendar of events (like year-end). Set the tests and exercises up at regular intervals each year, publicise the dates, and get the executive to agree to the idea (this is the most difficult part).
Secondly, combine exercises and tests with any 'away days' or similar events. Many organizations send managers away for team building events - why not combine these with an exercise?
Mel Gosling, Merrycon Ltd.
Start with the strategic group and get them involved first; long before the exercise. And get them to suggest some issues and scenarios.
Chris Needham-Bennett, managing director, Needhams 1834 Ltd
Exercising business continuity plans is a cost-effective way to ensure that plans will work in reality – after all you don't want to be doing the first test of your plans in a real crisis! BS 25999 recognises the importance of an ongoing process of exercising, reviewing and updating plans. The publication of BS 25999 has provided a definitive framework for best practice business continuity management. My advice would be to use this as a guide as to how to implement business continuity management within an organization. Following BS 25999 will ensure that exercising is considered as part of the overall implementation and ongoing management of business continuity.
Neil O'Connor, principal consultant, Activity.
Mostly, this is about awareness and understanding. We are doing a lot at the moment in this area, working with people on the 'embedding BC in your organization' strand of BS 25999. We have been helping organizations to design comprehensive awareness programmes - identifying audiences, messages and delivery methods to reach everybody from senior management to the whole workforce. Having the right structure in place for your BC programme and appropriate sponsorship is key. Using real incidents can be good - if something has happened recently, analyse the response and point out where following the incident management process would have helped. Find out what your competitors are doing - this can often be a useful driver.
My personal tip is to try to get your target audience together over a free lunch and fire some scary statistics and case studies at them. Then present them with some scenarios and ask them "what happens next?" - I find it concentrates the mind wonderfully!
John Matthews, MBCI, senior consultant, Siemens Enterprise Communications Limited
Show them how they have 'skin in the game' (job preservation) - as a BCP consultant, I would periodically support clients where I was to work with their teams to build and test plans. Unfortunately, their employees had not been adequately briefed (from their upper management) on what our assignment was and the criticality of the work, so they were less than enthusiastic about participating in our processes. These teams were frequently overloaded with work, and they openly expressed that they didn't see the benefit of putting their time and effort into a perceived waste of time. As a result, I developed a technique that I called 'skin in the game': basically, I explained the purpose of building and testing BC/DR plans and processes, with an additional twist – about 60 percent of businesses that experienced a disaster and did not have a viable plan in place were out of business in about a year. That implied unemployment, with a possible interruption in income well before the actual failure of the business. My bottom line: help me help your company protect its corporate assets, including the most valuable ones: your jobs. I found this technique pretty effective in increasing the level of interest and cooperation!
Build it in early – what is easier: building a house and then building its basement afterwards, or building the basement first? Using the same thought process, what if we could encourage organizational management to include business continuity in all of its planning and execution processes? By using basic BCP processes (with the assistance and support of the BC manager) from the start, it's possible to save time and resources by building good BC/DR practices into new business processes, applications, etc.
Embrace and support the change control process – one of the main reasons that previously tested, supposedly viable plans fail is that something has changed… and no one made note of it and changed the recovery plan. A faithfully supported and adhered-to change process can greatly reduce the 'surprises' that can cause an exercise to fail, and the more smoothly and successfully an exercise executes, the more likely you'll be supported for future exercises.
How about organizational/departmental testing? Under tight budget restrictions, sometimes a large scale multi-organizational exercise just isn't viable. For example, for cost and resource purposes, it may be reasonable to scale an exercise down to a department or two, and test a portion of the plan processes to determine their viability. The most important point to remember is that whatever and however you test, it must be perceived as meaningful and beneficial, or you'll have support and cooperation concerns for future exercises.
Recognize those who support the process! So you managed to persuade, bribe, or whatever the appropriate managers to support your exercise, and you've made it through the post-exercise review. Whatever you do, make very sure that not only do you recognize the exercise teams that supported the test; you also must personally recognize the managers for providing the resources and for their cooperation (even if you have to bite your tongue a bit!). Managers are no different than any other employee in that they love recognition: send them formal thank you letters, certificates, etc, and make sure that their recognition is quite visible up the corporate ladder. You'll not likely find a better level of cooperation from these managers in the future; it may well persuade managers in other organizations to work with you, too!
Kevan Morrison, MBCI, Senior Consultant, Vigilant Services Group
1. Use low-risk desktop individual simulations to acclimatise all staff;
2. Treat tests as improvement opportunities;
3. Implement highly visible risk management for all operational tests;
4. Make tests memorable blame-free affairs that are associated with success.
John Robinson, FBCI, INONI Ltd
OTHER COMMENTS / STATEMENTS RECEIVED FROM PARTICIPANTS
We usually undertake an audit / review of BCPs either as a separate assignment or towards the end of a project and this usually reveals inconsistencies, omissions and false assumptions. We do this before a test - otherwise the test can be a waste of time. Yes, we have had several clients for whom we helped develop BCPs and who failed to test: since over 85 percent of BCPs that are audited and / or tested show major weaknesses, an unaudited and untested plan will almost certainly fail when invoked. It seems the height of folly to go through the expense of developing a BCP without testing: it's risking the ship sinking for a ha'p'orth of tar. Not only that, but without testing you cannot properly train BC personnel - so the ship has untrained seamen, to boot.
Andrew Hiles, FBCI MBCS, managing director, Kingswell International
Here are some genuine objections I have come across:
"We are not role players, we deal in reality."
"We've never had a problem, why should we conduct a drill?"
"We can't get the 'right' people to participate, so you will have to postpone the drill."
"We tried that many times and management never gave us what we demonstrated we needed. Why should we go through that fruitless effort, again?"
Howard Pierpont, CORM CBM CBCP CRP
It is a basic tenet of the DR planning business that if your plan is not tested, then you don't have a plan.
It is a best practice to test annually at a minimum. If nothing ever changed in IT environments or in business functions and applications, then testing would not be a requirement. However, it is said that nothing is more constant than change, and in IT that is especially true.
When preparing for annual tests it has been my experience that many potential problems and issues come to light. These usually require changes to recovery procedures, and sometimes to recovery hardware and networks. If these upgrades were not performed on an annual basis, imagine if there was a real disaster and the plan had not been changed for a few years - recoverability, fugeddaboutit!
IMO it is in the best interests of an organization if the DR planners become well-versed in speaking the language of the executive and in selling the benefits of testing DR plans.
Luckily, in current regulations, corporate officers can be held legally liable if a reasonably foreseeable event were to cripple their business, and they were negligent in ensuring that adequate contingencies were in place. This can be leveraged to gain executive sponsorship.
Phil Stott MBCI
At a conference in 2007 a leading British bank's head of business continuity, accompanied by another internal business continuity manager well known across the industry, stated "the first consideration when planning every test is that I don't get sacked". This about sums it up: let's test what is safe; let's test what we know works and let's not get caught out. Hey, we know it's never going to happen anyway!
When we completed the FSA review of the entire UK financial sector primary level, one of our key findings was on the weakness of testing in this sector. Key findings were:
- Testing in comfort zones - only testing what was known to be in place and running same tests each year.
- Testing in silos - testing individual areas and never running a complex multiple business units/IT/crisis management test.
- Testing in isolation - companies never testing with their neighbours, even if in a multi-tenanted building, never testing with suppliers, customers, or emergency services.
- Testing at team level only - tests were run for those who wrote the plans or were involved with them but never for the staff or the workforce; it seems it was assumed they would just know what to do.
Testing is, in my opinion, the most fun you can have in BCM and in most cases the only thing business managers remember or care about. No one cares about a BIA or half the other stuff we do, except the business continuity person, but testing brings this subject alive, gives those involved an understanding and a reason to be involved and does all the embedding you can ever dream of.
Tim Armit, Clifton Risk Management.
The first thing to say is that I don't believe the accuracy of the Vanson Bourne results in terms of the percentage of respondents stating that they had a BCP. A figure of 81 percent for companies with between 250 and 999 employees seems far too high in my experience.
This may well explain the low percentage that have tested their BCPs. In my experience, a higher percentage of companies of this size that actually have BCPs have tested them. I suspect that Vanson Bourne counted a significant number of companies as having BCPs that hadn't really got BCPs, and as such haven't tested what they don't have.
Having said this, I agree that testing and exercising of business continuity & disaster recovery plans and strategies is a weak area of BCM programmes in general, as demonstrated in the PwC and CMI results. Why?
I think that you'll find that of all six stages of the BCM life-cycle, the BCM response is the most widely implemented. This is because of the need to have a BCP to satisfy regulators etc, which can often be just a box ticking exercise. So, from any sample of organizations with BCPs you'll find a significant percentage of box tickers who won't undertake any of the other stages, including testing and exercising.
Testing and exercising will only be undertaken by those organizations that have either been told to undertake tests and exercises, or that really want to make sure that their plans work. However, despite best intentions, testing and exercising is one of those things that can easily be put off without any immediate impact on the organization if people have other priorities. This, in my experience, is invariably what happens. It is very difficult to get a group of key people together for an exercise, and it is quite common for a planned exercise to be cancelled because something more important crops up. The same thing happens with tests, with the added issue of the fact that tests cost money. The end result is that only a small percentage of organizations that decide to undertake tests and exercises actually end up doing them.
Mel Gosling, Merrycon Ltd
It's ironic that the one activity in business continuity which is absolutely critical for a successful incident response is the one activity most programs fail to perform - exercising. Organizations that have a BCM function often feel they are 'protected' simply by having a documented plan. Somehow management convinces themselves they don't need to invest in the added time and expense needed for an exercise. In reality, having a plan means really nothing if the teams responsible for launching it are unfamiliar with its operation. That's where exercising pays the biggest dividends. Exercising does not have to be costly. A one-hour table-top exercise - the most widely used form - probably requires about a half day of preparation, assuming an exercise template or guide is available. By contrast, rigorous exercises involving the movement of people from one location to another and activating emergency recovery systems often take weeks of preparation. But a simple plan walk-through, with the appropriate persons present, can uncover flaws in the plan's logic, sequence of actions, roles of team members, and overall execution process.
For example, a major teaching hospital in New York City survived numerous potential disasters because the technology teams regularly exercised their recovery plans. The hospital even built a diversely routed telecoms network into the campus that provided resilience if the primary network failed. Regular exercising of the switchover process helped the hospital survive a major telecoms carrier outage with virtually no disruption of service. Not only did the backup network perform correctly, the technology team knew how to transition the service quickly, eliminating any service interruptions. Nobody in the hospital ever knew the outage had occurred.
More attention is being focused on exercising today. Exercise-related activities are regularly conducted at industry conferences and association meetings. It's one of the six certification standards defined by the Business Continuity Institute. Growth of public/private sector cooperation is helping to encourage more exercising by the private sector. The public sector understands the value of regular emergency plan exercising, and smart BCM professionals can benefit by partnering with their public sector counterparts. Exercising is a key part of how business continuity can become part of a company's culture. It's a way to bring people together to work for the benefit of the company, before a disaster occurs.
Completing a plan is not the end of the business continuity process - it's only the beginning. Exercising is what makes a plan - and the entire BCM program - real.
Paul Kirvan, FBCI, CBCP, CISSP
REFERENCES:
(1) http://www.continuitycentral.com/news03892.htm
(2) http://www.continuitycentral.com/news03841.htm
(3) http://www.continuitycentral.com/news03812.htm
Date: 18th July 2008. Region: World. Type: Article. Topic: Testing and exercising.
Source: https://continuitycentral.com/feature0596.html