Business continuity and disaster recovery planning is the process of preparing for something we all hope, and expect, won’t happen. So, how do we know if our plans will work when we need them? We don’t … really. But the best way to ensure that they are as useful as possible is to conduct tests, drills, or exercises (or whatever your organization chooses to call them).
Exercises (that’s the term I’m picking, and sticking with, for this article) may be the closest we ever get to using our plans. They can go a long way towards giving us and others a sense of confidence, the feeling that the organization is prepared. But what makes one exercise more valuable than another? I think the value relates to the awareness and training that occurs as well as the issues or pitfalls that arise during the exercise.
I believe that too many people determine the value of an exercise based on whether it was deemed successful, and they define “success” as all the objectives being met and no problems occurring. However, in an exercise scenario, it is infinitely more valuable if success is measured by the lessons learned and corrective actions taken.
What’s Your Type?
There are many types of exercises that you can conduct, and all of them provide some level of value to your organization. Here is a brief list, sequenced as to how they can be done:
- Review: Reveals whether all the pieces are in place and the plan is complete
- Staff Training: Determines if people know what is in the plan and how to use it
- Table Top Exercise: A scenario-based walkthrough, based on a hypothetical situation
- Infrastructure Exercise: Lets you know if the backup site is ready to go
- IT Systems or Business Unit Involvement: Determines if the plan can be used to run the business and whether the business is involved
- Simulation: More to come on this one
- Mock Disaster: Puts a group or groups through the paces, with no warning.
The main differentiator of a simulation is the way in which people participate in the exercise. Simulations generally involve three distinct groups of staff members.
First, there are the people who are the “participants” in the exercise. These are the folks who are being “tested” and will use the plan to conduct the exercise and respond to the scenario or incident. Next, there are the “facilitators or controllers” who are overseeing and running the exercise. They aren’t being tested, but they are monitoring how the exercise is going and tracking the event so that lessons learned can be factored back into plans. Lastly, there are the “simulators,” those staff members who pretend to be other people and, by phone, fax, e-mail, text, or other methods, add realism and spontaneity to the process. Simulators may represent the media, concerned citizens, regulators, management, emergency services, or any other group that would be involved in a real event.
Simulations take exercises to a new level by introducing the unknown and unanticipated into the exercise, causing the participants to react and respond as if the exercise were a real event.
Step by Step
There are a few basic steps that will make sure your simulation is effective and runs smoothly. They include:
- Choosing a time when real interruptions are least likely to occur.
- Involving the people who are most likely to be on the “front line” in an event.
- Choosing knowledgeable simulators. For example, people from PR might be good media simulators, because they are most familiar with the type of questions reporters might ask.
- Selecting a scenario that is believable and probable, so people can relate to what’s happening.
- Developing and documenting a clear outline of the event, objectives, assumptions, and the key areas to test.
- Developing the script, with spot-on timing, crisp injects, and clarity as to who “injects” the message and to for whom messages are intended.
- Making the simulation long enough to test a number of aspects, but not so long that it drags or allows people to lose interest (ideally, two to three hours, plus time for recap and review).
- Conducting a real-time review after the simulation, with time to discuss what went well, what didn’t go well, and what lessons were learned.
- Taking action on the lessons and improving the plan as required.
Timing is Everything
Now that you understand what a simulation exercise is, you are probably wondering where it belongs in your exercise strategy and when to use it. Simulations are best done when you believe the plan is complete and up to date, the participants are reasonably familiar with the plan, and facilities, equipment, and documents have been taken care of. Simulations need to “test” how people will react to live situations, and their value is diminished if plan components are not complete and previously exercised. Do a simulation once you have a fairly mature plan and testing program to gain the most value.
In conclusion, simulation exercises can provide a valuable addition to an overall exercise program for reviewing, testing, and improving your plans. Consider if this type of exercise fits your needs and if it does, build a simulation that is both beneficial and fun for all involved. CI
John Jackson is a co-founder of Fusion Risk Management and a member of the Continuity Insights Editorial Advisory Board. He is an expert in the fields of business continuity, disaster recovery, and high availability. His 30 years of experience includes running all aspects of IBM, HP, and Comdisco’s disaster recovery businesses and participating in over 500 actual recoveries for client companies. He can be contacted via e-mail at at JJ@FusionRM.com.