This is the first in a two-part series on the need to regularly test your emergency, continuity, and disaster recovery plans. The second part in the series can be found here.
Introduction
The success of any emergency, continuity, or disaster recovery plan depends upon its routine testing, audits and updates. Plans cannot be expected to work properly unless they have been tested prior to their actual implementation in an emergency. Don’t wait until an emergency unfolds to see if the plans and procedures you’ve implemented are effective in responding to and recovering from a crisis event.
Everyone has a role in a crisis. Some are strategic, some are tactical. How decisions are made in a crisis is critical to the outcome. Because of this, the following holds true:
- Practicing emergency response helps assure that the response can proceed predictably during a crisis or disaster;
- Participation in exercises familiarizes everyone with the vulnerabilities, impacts, plans, mitigation strategies, incident management and crisis communications;
- Testing allows problems or weaknesses to be identified and used to stimulate necessary and appropriate changes; and
- Errors committed and experience gained during testing will provide valuable insights and lessons learned that can be factored into the planning/updating process.
Exercises empower critical decisions in a crisis. Exercises focus participants on determining:
- What changed?
- What do they know?
- Are they concerned? If so, about what?
- What is their plan?
- What will they monitor & how?
Process
Test Exercise Process
Test exercises serve several purposes. Exercises:
- Allow management to use and assess plans and procedures to determine their feasibility and determine whether they will work under actual conditions.
- Assess and measure the degree to which personnel understand their emergency response functions and duties.
- Enhance coordination, communication, and proficiency among response staff.
- Identify areas for improvement.
- Increase the ability of management and staff to respond to emergencies.
Test Exercise Strategies
- Test exercise strategies detail the conditions and frequency for testing applications and business functions, including the supporting information processing. The frequency and complexity of testing are based on the risks to a company or organization.
- Tests can be as simple as testing the call tree in one or more plans. Or, the test exercise can involve an integration of multiple business areas, the IT environment and link to outside vendors and customers. The complexity of the tests should vary to ensure that all components of the plan(s) are adequately exercised.
- Companies should participate in tests with their core service providers and test other critical components of the BCP. The strategy should include test objectives, scripts, and schedules, as well as provide for review and reporting of test results. Best practices in the industry support testing at least annually, or more frequently, depending on the operating environment and criticality of the applications and business functions.
Test Exercise Scope And Objectives
- The scope of the drill or test exercise is determined by what is required to ensure the learning objectives are achieved by the participants. For example, if the objective is to test the ability of senior management to make decisions as specified in the emergency management plan, a tabletop exercise would be appropriate, although the same objective could be tested during a full-scale exercise.
- Companies must clearly define what functions, systems, or processes are going to be tested and what will constitute a successful test. The objective of a testing program is to ensure that the plan(s) being tested can remain accurate, relevant, and operable under adverse conditions.
- Testing should include applications and business functions that were identified during the Business Impact Analysis (BIA). The BIA determines the recovery point objectives and recovery time objectives, which then help determine the appropriate recovery strategy.
- The scope of individual tests should be continually expanded to eventually encompass enterprise-wide testing, including vendors and key market participants. Achieving the following objectives will provide progressive levels of assurance and confidence in the plan(s).
At a minimum, the clearly stated testing plan should:
- Not jeopardize normal business operations.
- Gradually increase the complexity, level of participation, functions, and physical locations involved.
- Demonstrate a variety of management and response proficiencies, under simulated crisis conditions, progressively involving more resources and participants.
- Uncover inadequacies, so that configurations and procedures can be corrected.
- Consider deviating from the test script to interject unplanned events, such as the loss of key individuals or services.
- Be sure to inform participants of the objectives and goals of the test exercises.
Test Exercise Expectations
Setting the proper expectations will minimize frustration or inadequate participation from key stakeholders. As general guidelines:
- Test exercise scenarios should be realistic.
- Test exercises should consist of a generic scenario, and be indicative of an event that could happen in the area.
- Test exercises should not be too complex for the situation. Test exercises should compress a two- or three-day real situation into a few hours, so they will be kept relatively simple with only a few objectives.
- One or two key threats should be the focus of each test exercise.
The test procedures should be checked periodically to make sure they include:
- Emergency response procedures, including escalation and notification processes.
- Alternate processing procedures, including security procedures at an alternate site.
- Full recovery procedures, including returning to normal processing.
Types Of Test Exercises
Testing methods should vary from minimum preparation and resources to the most complex.
Orientation/Walkthrough — Briefing or low stress training to familiarize participants with team roles, responsibilities, and expectations. Provides a good overview of new or revised emergency response plans. This type of exercise helps orient new staff and leadership. Planning cycle: one month; Test time: 60-90 minutes.
Drill — Test of individual emergency response functions that involve actual field responses. Examples include fire drill, tornado test, etc. Planning cycle: one month; Test time: 10-60 minutes.
Tabletop — Limited simulation or scenario of an emergency situation to evaluate plans, procedures, coordination, and assignment of resources. Advanced tabletops will introduce messages and test assistants who can answer questions. Planning cycle: two-three months; Test time: 90-120 minutes; Debriefing time: 30 minutes.
Functional — Limited involvement or simulation by field operations to test communication, preparedness, and availability/deployment of operational resources. Planning cycle: three-six months; Test time: 90 minutes – 4 hours.
Full-scale — Evaluates the operational capability of systems in an interactive manner over a substantial period of time. Conducted in an environment created to simulate a real-life situation. Planning cycle: three-six months; Test time: 2 – 8 hours.
Know What You Are Exercising
Companies can establish exercise testing for a variety of reasons. Focus can vary from a single department to incident management, crisis management, and to company-wide and Board involvement.
Examples include:
- Response/Recovery Team Alert List — Contact information for all personnel assigned to the team. As this list can change frequently, team leaders should send a copy of it to each team member to review and update.
- Critical Functions List — Critical functions that each team must accomplish during a recovery effort. Team leaders should review these functions to determine that they are relevant.
- Team Recovery Steps — Strategies for recovery of critical functions; should be reviewed to validate that strategies are meeting current business objectives and reflect the best possible solutions.
- Functional Recovery Steps — Step-by-step procedures to complete the desired operational recovery; should be carefully reviewed and validated to determine accuracy and completeness.
- Vendor and Customer List — Contact information for critical vendors and customers; should be reviewed to determine list accuracy and completeness.
- Work Area Requirements — Critical resources required to support recovery at a designated work area site; should be reviewed to determine list accuracy and completeness.
- Off-Site Storage List — Critical records or resources stored off site; should be reviewed to determine accuracy and completeness.