Testing/Exercising Your Plan
We probably cannot count the number of times we have said that you cannot rely on a plan that hasn't been tested - or asked if you want to use a plan for the first time in the midst of a disaster. This week's articles echo those sentiments and can help you design and implement your own exercises for your various plans.
Just because all the relevant information has been catalogued doesn't mean you can actually recover whatever it is your Plan says you can.
Here's some advice on how to set up convincing business continuity exercise scenarios.
The only way a company can assure that its BCM arrangements are validated is through exercises.
This article addresses some of the technical challenges faced in end-to-end disaster recovery exercises that attempt a full life cycle of transactions across disaster recovery applications and their dependencies and simulate business activities during the exercises.
Business continuity drills are the key to detecting, addressing, and strengthening that weakest link.
Here are some tried-and-true procedures for business continuity exercises.
As always, I look forward to hearing about your concerns with regard to business continuity. If there are any topics that you'd like to see covered, email me at
Bob Mellinger, President
1. Testing Business Continuity Plans - It's not an Option
Why do so many organizations fail to test their Business Continuity Plans? I've been in the industry more than 20 years. I've heard most of the excuses: no time, no resources, it's not in the budget, my boss doesn't care, it's not in my job description, it's a waste of time, it doesn't impact the bottom line, and on, and on, and on. If you can't find the time and resources to test your Business Continuity Plan, why would you bother to spend the time and resources to maintain it (or write it in the first place)?
2. Developing scenarios
Terror blasts, white powder attacks, pandemic flu, cyber crime, the list goes on. At the sharp end of business continuity it really is one thing after another. We seem to spend our lives frightening the life out of crisis management teams by dreaming up the best possible scenarios to test their response and the company's business continuity plan. So what makes for the top scenario - one that really tests the plan and the players?
3. Planning and managing exercises for business continuity management arrangements
It is hard to believe that our armed forces, national guards, policemen and firemen would not exercise to validate that they could perform according to certain standards when required. The same is valid for business continuity management systems (BCMS). One of the oldest axioms for BCMS is that a plan that is not tested or maintained is of little value or in some cases worse than no plan at all. It is absolutely crucial that all the people who are expected to play a part in the business continuity management (BCM) arrangements understand their roles and feel reasonably comfortable with them.
4. How to Conduct an "End-to-End" Disaster Recovery Exercise in Real Time
Many times organizations conduct traditional disaster recovery exercises where testing is done in silos, and the scope is limited and restricted only to host level recovery of individual systems. With growing technology changes and globalization trends, the intricacy and interdependencies of applications have become more complex, and major applications are spread across multiple locations and servers. In this scenario, a traditional recovery exercise focusing on server (host) level recovery is not going to adequately ensure the complete recovery of the application without any inconsistencies among various interdependent subcomponents.
5. Strengthening the Business Continuity Process with Methodical Drills
We are all familiar with the disruptive consequences of a distributed denial of service (DDoS) attack when a website is forced offline because it has been swamped with massive levels of traffic from multiple sources. The cost in terms of lost business to companies while their website is offline can be significant. Cyber criminals are now taking the process a step further by tying ransom demands to their DDoS attacks, threatening to keep company websites permanently offline until they pay up.
6. Conducting business continuity exercises
Most business owners are aware of potential problems, so they usually have a business continuity plan (BCP) already in place. But testing these plans to find loopholes and room for improvement is as important as creating one in the first place. That's why every BCP has an 'exercise' phase where the plan is put through a series of trials by the whole company.
Quote of the Week:
"However beautiful the strategy, you should occasionally look at the results."
-- Winston Churchill