After you have spent the time needed to develop Business Continuity and Disaster Recovery plans, training and testing are your next steps. Training those who will use the plan, especially secondary resources who may not have participated in its development, is critical to the success of your efforts, as is the validation of the functional capability and accuracy of your plans.
Training for business continuity is used to familiarize people with the plan elements and processes, and to reinforce basic knowledge of the plan. Having a team well versed in the initial steps of the BC/DR plan will help to ensure an effective and early response. Regardless of how you implement training and testing, there are specific elements that must be covered:
- Team Leaders
- How and when to activate the plan
- How to notify, assemble, and manage team members
- Understand all individual and team responsibilities
- All Participants
- Be familiar with the plan; review it regularly
- How to use the plan effectively
- Understand individual and team roles and responsibilities
- How to operate as a cross-functional team member
- How to communicate effectively across organizational boundaries in a stressful situation, often without the aid of common communication tools such as phones or email
- How to perform the tasks listed in the plan
Due to time and resource constraints, several types of exercises can be combined with training for business continuity. Remember to take notes during any exercises and training sessions to ensure that action items are documented and identified updates to plans are captured for implementation. We have noted that successful exercises typically find at least one update that is required. If no updates are identified, it often means that the exercise was not complex enough or someone is not fully sharing their information.
There are several different ways to go about training staff in the Business Continuity or Disaster Recovery (BC/DR) plan while simultaneously validating/testing the plan. These include tabletop exercises, walk-through drills, functional drills, and full interruptions. All of these should be part of your exercise/testing strategy and plan. However, each has different uses and unique characteristics.
Types of Exercises
- Tabletop Exercise/Structured Walk-Through Test: A preliminary step in the overall testing process and an effective training tool for individuals and groups, as well as validating overall strategies, communication and integrations. Tabletop exercises are excellent for training around group dynamics, notification, assembly, etc. The primary objective of the tabletop exercise is to ensure that critical personnel from all areas are familiar with the Business Continuity plan and that it accurately reflects the organization’s ability to recover from a disaster. Though not often used for Disaster Recovery planning, tabletop exercises can provide these same benefits, while also allowing for a review of technical steps prior to performing a functional test.
- Walk-Through Drill/Simulation Test: Also considered to be a preliminary step in the testing process, it is more involved than a tabletop exercise/structured walk-through test. This exercise uses a specific event scenario that is applied to the plan. These types of tests are usually used for Business Continuity plans and Emergency Management team plans.
- Functional Drill/Parallel Test: Involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform processing as set forth in the plans.
- For Business Continuity, this typically involves determining if employees can actually deploy the procedures defined in the Business Continuity plan.
- For Disaster Recovery plans, the goal is to determine whether critical systems can be recovered at the alternate processing site.
- Once the individual Business Continuity and Disaster Recovery functional tests are successful, a parallel test for both may be conducted where the business functions relocate to an alternate site and use the recovered systems and applications.
- Full interruptions: The most comprehensive type of testing. In a full-scale test, a real-life situation is simulated as closely as possible. Comprehensive planning is a prerequisite to this type of test to ensure that business operations are not negatively affected. The exercise provides proof of the entire integration of the business continuity plans, relocation plans, and technical recovery plans. This type of exercise should only be attempted once the exercises described above have been successfully completed and the organization is comfortable with the functional capability of the recovery strategies.
Without training and testing, Business Continuity plans and Disaster Recovery plans are just paper and hope – and hope is not a strategy.
By Richard Long, Senior Advisory Consultant