Everyone has heard the popular saying “Practice Makes Perfect”. But, is this true?
I am of the belief this statement is close to the truth.
“Perfect Practice Makes Perfect.” Many have heard these words from Vince Lombardi, but I always heard them, multiple times mind you, from my father. As a typical teenager, I didn’t really comprehend the message, or realize that it applies to more than just sports. The message my father and Vince were trying to convey is simple: “What you put in, you will get out.”
Most businesses spend a substantial amount of resources to develop, implement, and maintain a business continuity program and business continuity management system (BCMS). They tend to allocate most of their resources to the business impact analysis (BIA) and documenting business continuity plans, to ensure continuous delivery of products/services. Despite all the time and effort organizations commit to building a successful business continuity management system, I find that exercises are often marginalized. During the past two years, I have noticed three major pitfalls that businesses succumb to when planning for and conducting exercises. Let’s take a closer look at each.
1. Active Participation
There are two types of participation – passive and active. Passive participation is when someone is physically available, but does not contribute anything to the overall outcome. The best illustration of this is a conversation in which one person is doing all the talking and the other may be listening, but not saying anything. The second person is not adding value to the conversation. In stark contrast, active participation occurs when someone is adding value and input. Using the same conversation example, the person is not only listening, but also engaging in the conversation, providing input, and driving the outcome.
When conducting business continuity activities, all stakeholders should be active participants. Active participation is often evident during the BIA process, the strategy determination process, and planning, but tends to wane during exercises. Oftentimes we see plan owners attend the exercise, but then not use their plans or contribute in a definitive manner to the exercise discussion. Plan owners who don’t capitalize on their exercise investment lose three main benefits:
- Their response and recovery procedures are not actually being tested and validated;
- They lose the ability to identify unforeseen issues with their own or others’ response and recovery procedures; and
- They lose the experience and familiarity of using their business continuity plan.
2. Selecting Appropriate Objectives
The most common pitfall businesses experience is failing to select appropriate exercise objectives. Setting non-strategic or easily obtained objectives provides little to no benefit to plan owners and the business continuity plans collectively. These types of objectives are often set to test only portions of business continuity plans or deliver results that are easily achievable. In addition to minimizing benefits, completing a “weak” exercise can give the plan owner and business a false sense of security, which can impede or prevent actual recovery during a disruptive incident.
To prevent this pitfall, this series of questions should be considered (at a minimum):
- Do the exercise objectives cover all portions of response and recovery, which includes initial assessment and return to normal operations?
- Do the exercise objectives include internal communication methods and cross-coordination between plan owners? What happens if we don’t have access to our primary method(s) of communication?
- Will the exercise test only minimum workload amounts, or will it stress-test peak workloads?
- Will management be required to make tough decisions about prioritizing recovery resources?
3. Realistic Scenarios
When creating exercises, it is important to maintain a realistic atmosphere, which enables plan owners to be active participants and avoid making inaccurate assumptions. Typically, there are three categories of scenarios that organizations should avoid when developing exercises.
- Apocalyptic Scenarios: These scenarios would produce such a disastrous outcome for the organization (and perhaps globally) that management would strongly consider closing the company/organization, and/or they would fail to trigger almost all planned response and recovery efforts. Examples of this type would be nuclear war, ice age, and meteor strike.
- Highly Improbable/Impossible Scenarios: These scenarios are very unlikely to happen over the course of the business’s lifetime and would require the business to consider a whole new set of business continuity requirements. An example of this type of scenario is non-collocated primary and alternate data centers becoming non-functional at the same time.
- Vague or Open Scenarios: These are scenarios that provide minimal direction and/or lead participants to make incorrect assumptions. An example of this type of scenario is providing participants knowledge of a ransom, but not specifying whether it is technology or personnel related.
Defining unrealistic scenarios often invalidates the exercise, generating the following problems:
- Incomplete testing and validation of response and recovery procedures;
- Inability to generate discussion resulting in business continuity plan improvement opportunities;
- Inability to properly gauge potential impacts from a disruptive incident; and
- Loss of awareness of required recovery resources.
With the right investment in exercises, organizations can help ensure that their response and recovery strategies and plans will address any disruptive incident. Avoid the generic, unrealistic, or ill-conceived exercise scenarios or an exercise process that fails to enable the organization to stress-test the response and recovery process. The goal should be to achieve proper validation and identify continual improvement opportunities. For more information on exercises, check out: Why Testing and Exercising is Essential for an Effective Business Continuity Program.