Testing Strategies that Demonstrate Recoverability

Avalution Team Avalution Team | Feb 14, 2007

Excellent Rating Small2You can obtain assurance that your business continuity strategies will work in one of two ways – a test (a.k.a. an exercise) or a real-world event. Without either, no one can state that a business continuity strategy will work as designed. Since no one really wants to test their plan for the first time with a real-world event, let’s look at some testing strategies that work and demonstrate recoverability.

There are various types of test exercise strategies that can be utilized.

  • Orientation/Walk-through
  • Tabletop/Desktop
  • Functional exercise
  • Full-scale exercise

The orientation/walk-through method is typically used as a “first pass” method to ease team members into the testing process. These are performed for the purpose of training and conditioning team members to get them familiar with the process and validating their business continuity plan.

Probably the most popular is the tabletop exercise or desktop exercise. This method uses a scenario where participants sit around a table and review and discuss actions they feel they would make in that situation without actually executing them. The team members usually participate under the guidance of a facilitator who will keep the process moving forward and point out any areas of concern.

Next is the functional exercise where participants take a scenario and perform some of the actions they would take if the plan was activated. It can replicate a business unit performing in “disaster mode” by actually working in simulated conditions which may or may not be facilitated off-site. A great example of this would be an IT hot-site test. The exercise can be focused on recovery of a particular function or the entire business unit.

A full-scale exercise simulates an event where the organization or some of its critical services are suspended until the exercise is completed. These exercises typically require departments to operate in “off-line” mode through a designated time period and in some cases at an off-site location. An example would be shutting down the IT dependencies and having all business units activate their backup plans for a period of time or pretending to have an entire facility destroyed and key personnel relocated to an alternate facility.

No matter what type of test you conduct, we have found a few key elements of testing are important to truly demonstrate recoverability.

  1. Tests are the best form of training for response and recovery personnel, so you want to make the training experience as realistic as possible. Using realistic settings, conducting tests offsite, using secondary team members, etc. all can assist towards training your staff in the proper plan workings of what should be done during an event. Testing your plans will also keep processes and procedures fresh in the minds of critical team players.
  2. Test your plans at least annually. A timeframe longer than twelve months usually results in information becoming stale and sometimes changes in the organization aren’t recognized and incorporated into plans as it would have been had testing been conducted. This could result in a less effective plan if it were needed in a crisis situation. There are also cases where the plan should be tested more frequently when there are a number of changes within the organization or in IT environments where technology changes require additional testing.
  3. Your testing objectives should be clear and include validation of documented strategies, business continuity enhancement (based on lessons learned) and response and recovery personnel skill level improvements. Having clear objectives will keep personnel in focus of their goals for the test while confirming the viability of their plans. Any discrepancies found while should be noted and updates to the plan should be included in the next scheduled maintenance of the plan.
  4. Create scenarios that test all elements of the business continuity process, which may include emergency response, crisis management, business recovery and IT disaster recovery. Scenarios can add a degree of realism that can take the testing process to another level. By adding realistic elements such as employee illness, tripped alarms, water damage, inaccessible roadways, etc., to your scenarios you can effectively test each component of your plans. Scenarios can also drive home the seriousness of an already identified exposure and in turn help gain management support to rectify the situation.
  5. Finally, as you finish an exercise, thorough documentation is critical to demonstrating recoverability. Your documentation should include test objectives, background information, and timeline of events. In addition, you should also document key actions that should have been performed, and point out sources of information that could have been helpful as the team navigates the response or recovery process. Since testing should be seen as a learning tool, identifying missed actions and referencing valuable resources will expose personnel to possible inconsistencies or critical oversights in their plans that may not have been uncovered without testing. Also, information sources can be seen as valuable tools to assist recovery personnel in training their staff in the business continuity process.

Businesses that test their plans through these methods will be better prepared to act in time of crisis. As recent disasters have taught us, tested plans are those most successful in preserving their organization’s value when real world events strike. Keep in mind the following when considering testing your plans:

  • Tests can assist with training recovery personnel.
  • Testing at least annually helps keep the process fresh for personnel.
  • Clear objectives help you meet your goals.
  • All encompassing scenarios work best for realism of an actual event.
  • Tests can reveal key actions that should be reviewed and identify information sources for reference.

These recommendations can greatly benefit your business continuity program by creating a method to demonstrate recoverability to key stakeholders.