In business continuity, testing of all types can lay claim to a rare distinction: it is simultaneously one of the most important parts of any program, and one of the most neglected. In today’s post, we list, link to, and sum up MHA’s best blogs on recovery testing, IT/disaster tests, and mock disaster exercises.
Related on MHA Consulting: All About BIAs: A Guide to MHA Consulting’s Best BIA Resources
The Importance of Testing and Exercises
In case you missed it, MHA CEO Michael Herrera wrote an excellent blog last week called, “The Top 8 Risk Mitigation Controls, in Order.” In it he identified recovery exercises as the second most important tool available to organizations to minimize their risks.
Unfortunately, it’s a tool that most companies neglect. “This is an area where I see a lot of organizations short-changing themselves,” Michael wrote. “Most companies, if they test their systems at all, limit themselves to walkthrough, tabletop-type exercises. Very few companies, maybe 10 to 15 percent, actually use their recovery strategies and make sure they can truly achieve recovery of the business units, processes, and associated information technology. This is about not just stress testing, but practice as well, and most organizations don’t do nearly enough of it.”
It’s never too late for any organization to start strengthening its testing program, including recovery testing, IT/DR testing, and mock disaster exercises.
To provide inspiration and guidance to any company ready to raise its testing game, here is a rundown of links and summaries of some of the best articles Michael and I have written over the past few years on the subject of testing and exercises:
“Table Service: 8 Ways Tabletop Exercises Can Benefit Your Company.” Tabletop exercises can provide significant benefits for organizations at a modest cost. While they cannot replace full-blown exercises, they offer unique value and benefits that other exercises cannot. Tabletop exercises help identify gaps in plans, processes, technologies, equipment, and dependencies, facilitate unannounced tests, simulate collaboration, and allow the training of secondary staff.
“Overdoing It: People Who Overplan Their Mock Disaster Exercises.” The growing trend of overplanning mock disaster exercises results from fear of looking bad in front of senior management; however, it can ultimately harm the organization and the planner. Proper planning for a mock disaster exercise involves designing a relevant scenario, consulting with experts, and focusing on developing the team’s critical survival skills by pushing them out of their comfort zone and allowing them to grapple with challenges and make mistakes.
“Little Things Mean a Lot: The Value of Micro Mock Disaster Exercises.” Micro mock disaster exercises are brief disaster exercises that can be included as meeting agenda items. They are primarily thought exercises and last about ten minutes, with participants discussing what they would do in a scenario sketched out by the facilitator. They can benefit organizations by helping keep the recovery team personnel sharp and making business continuity part of the organization’s culture.
“Spread Your Wings: There’s More to BC Drills Than Tabletop Exercises.” Many companies limit their disaster recovery drills to tabletop exercises, which are the least realistic and least demanding type of BC drills. The Federal Financial Institutions Examination Council (FFIEC) breaks Business Continuity Plan testing down into four types: tabletop exercise/structured walk-through tests, walk-through drills/simulation tests, functional drills/parallel tests, and full-interruption/full-scale tests. Organizations need to conduct full-interruption/full-scale tests to ensure business operations are not negatively affected by a disruption.
“Let’s Get Real: The Limitations of Tabletop Recovery Exercises.” Tabletop recovery exercises are an essential part of disaster recovery, but they have limitations. They are not sufficient to test the preparedness of an organization to deal with a disaster. There are four levels of disaster recovery exercises, from tabletop reviews to full-scale exercises, each building on the one before it. To truly gauge the readiness of an organization to face a business disruption, realistic and involved exercises are necessary.
“Kill the Zombies, or How to Get More From Your DR Exercises.” Some companies use creative scenarios such as zombie attacks or Martian invasions in their disaster recovery exercises. However, more realistic disaster scenarios are better suited to eliciting the appropriate stresses and reactions from participants. Unexpected disaster recovery exercises are better for testing an organization’s readiness and resilience, and rigorous post-test analysis helps to close any gaps in preparation. Organizations should start with easy exercises and gradually make them more difficult as their disaster recovery skills develop.
“Beginner’s Guide to Recovery Exercises.” The benefits of performing recovery exercises include validating recovery strategies, identifying gaps in processes and strategies, and training employees. The three main types of exercises are IT/DR exercises, BC exercises, and structured walk-through tests. Organizations should start small with a limited scope, and progress over time with more comprehensive exercises.
“Exercise Smarter: Include 3rd Party Experts In Your Cyber Exercises.” Organizations should invite third-party experts, such as law enforcement officers, data security consultants, insurers, and public relations professionals to observe and provide feedback during cyber exercises. These experts can provide valuable insights that will strengthen an organization’s cybersecurity plan and better prepare them for a real-life emergency.
“Blood, Sweat, and Tiers: The Benefits of Tiered BC Testing.” Tiered business continuity testing involves dividing business processes into categories based on how critical they are, and testing them at varying degrees of intensity that correspond with their importance to the organization. The four types of BC testing are tabletop, partially functional, fully functional, and chaos testing. The highest tier should go through all four types of testing over a period of time, while the lower tiers only require some of them. Matching the rigor of the testing to the criticality of the process or department helps to protect the organization’s most critically time-sensitive processes.
“You Still Need to Drill: IT/DR Testing Is as Important as Ever.” IT/DR testing is crucial for enabling organizations to verify that they can recover systems in the event of a disruption. The COVID-19 pandemic led many organizations to suspend their IT/disaster recovery (DR) testing programs, but it is important to keep up with such testing. The eight steps to an effective IT/DR exercise include defining the reason and type of exercise, defining the scope, identifying participants, and simulating the production environment.
“How to Be a Mock Jock: Advice on Facilitating a Disaster Exercise.” The key qualities that make for a successful mock disaster exercise facilitator include command presence, charisma, deep knowledge of the scenario, knowledge of the participants, and a willingness to follow the agenda while being able to adjust on the fly. Two common mistakes to avoid as a facilitator are being too wedded to the scenario and trying to be “the man,” or the one with all the answers.
“How to Plan a Mock Disaster Exercise.” The 12 steps for planning a mock disaster exercise include identifying the exercise’s key objectives, building a timeline and list of events, and choosing a facilitator. The scenario should be plausible and realistic. Practicing ahead of time is crucial for a company’s success in managing a crisis.
“8 Dos and 1 Don’t for Conducting Disaster Recovery Tests.” Regular disaster recovery tests of information technology systems are crucial for evaluating an organization’s ability to recover systems in the event of a disruption. Tips to help in conducting IT/DR tests include: define the reason for the test, define the type of exercise, define the scope of the exercise, identify the participants, make sure the test environment is prepared, and simulate the production environment as it would be in a real event.
The Benefits of a Solid Testing Program
Recovery testing, IT/DR testing, and mock disaster exercises are among the most important aspects of business continuity. Unfortunately, they are also among the most neglected.
Organizations interested in raising their testing game are invited to consult the blog posts mentioned above for insight and inspiration. Devising and implementing a solid testing program is one of the best things any company can do to protect its stakeholders and improve its resilience.
For more information on BC exercises and other hot topics in BCM and IT/disaster recovery, check out these recent posts from MHA Consulting: