I often blog about disaster recovery planning and business continuity planning, including strategies for exercising your plan to help ensure that it’s (still) viable. While there’s no substitute for an operational exercise, many organizations opt for the tabletop discussion because it’s relatively simple, doesn’t impact production systems and generally takes just a few hours. Although it is the most limited type of exercise, it can add value to your disaster recovery or business continuity program.
The Amazing Business Value of “Exercising” Your Disaster Recovery Plan around a Table
Recently I ran a Disaster Recovery Plan (DRP) “tabletop” exercise for a client where a synergy developed among the participants that took the exercise—and the results—to another level of effectiveness and support for the business. It was a very cool experience.
An Exercise – Not a Test
The hope of fostering that kind of collaboration is why we frame these scenarios specifically as exercises and not “tests.” This is not a pass/fail proposition and it’s not about what the participants already know or can remember. It’s about “exercising” the plan itself to check for weaknesses.
Say it’s Linda’s job to restore System 42. During the exercise, Linda will be asked to talk through the system recovery process. The DRP should either provide the system recovery procedures or a reference (usually via hotlink) to those procedures… there’s no way she should feel the pressure to recite those procedures in an exercise or work from memory in a crisis.
Linda (or whoever is covering for her because she’s on vacation in Fiji when disaster strikes) just needs to be able to access the DRP, and the DRP needs to be correct and complete. If Linda says, “It’s not in the plan, but at this point in the process I know I need to call Dave…”, then the plan should provide Dave’s contact information or the plan has a weakness and must be updated.
Create a Dynamic and Safe Environment
Crafting and running an exercise that involves a realistic scenario from an initial crisis to a successful conclusion is all about creating a dynamic and safe environment where participants are free to voice opinions so these “A-ha!” moments can happen. People need to feel comfortable talking about what’s wrong and what they think needs to be done, especially if it’s not reflected in the plans, procedures and/or policies.
It’s awesome when a coordinated discussion unfolds, and people start noting how they should update “this” or tell “so-and-so” that, link “this procedure” to this plan to help with that, and so on and on. You can just almost see the lightbulbs glowing above everyone’s heads.
Getting that kind of maximum value from an exercise also relates to who is at the table. I’m not saying you need to make your exercise into a Cecil B. DeMille movie, but frequently “more is more” with exercise participation.
Why? Because diverse inputs are what paints “the big picture” that everybody needs but no one person or team has. This is how the magic happens. So, don’t just invite the BC Coordinator and the IT folks. It’s often the people who operate and use the systems that have the most incredible insights to offer.
Effects on Business Continuity Management
In the case of my recent engagement, we had about ten people at the table for just two hours. The Disaster Recovery scenario involved one critical system going down. But when we started discussing the business implications of the loss of that system, people quickly recognized they needed and wanted to plan for the recovery of related functions.
This is “where DR meets BC”—where disaster recovery meets business continuity. A bigger picture kicks in around functional recovery and continuity of business operations. Yes, data backups and redundant/alternate systems are critical. But what’s the point if your systems and data are good-to-go but people can’t actually get work done because there’s no plan to recover their function(s)?
To get expert advice on crafting a recovery exercise to help your team “put the pieces together” and take your DR/BC plans, policies and procedures to the next level of effectiveness, contact Pivot Point Security.