Sorry for the delay in posting; I had a birthday side trip to Dublin, Ireland and was too busy being a ‘tourist’. Though I did draft out a dozen new posts, so get ready for some interesting ones in the coming weeks.
Exercising (or testing as many will call it) BCM program components can help ensure that corporate restoration and recovery strategies and documented plans will work effectively when a corporation is suddenly thrust into a disaster situation. Exercising these plans will help organizations help to continue operations when things go wrong. Still, many organizations just focus on the basic aspects of making sure technology works or that those involved with restoration and recovery efforts are involved, when in fact, if the scope was increased to include other people and other areas (i.e. departments, partners etc) can increase the success of any exercise and any BCM program.
The following few suggestions can be utilized for exercises that when combined with the technology recovery exercise, can eventually produce a robust BCM program and corporate response to disaster situations.
- Project Team – Instead of developing a project team to participate in the planning and execution of exercise activities, try utilizing the Crisis Management Team or Disaster Team structure. These teams contain the people who would be part of disaster response activities, so why not utilize them for the exercise? Let those who would be doing the actual role in a real situation get practice by performing their role in a controlled exercise environment. It will help develop their current skill set and provide an opportunity to develop new skills. Its exercising components of the Disaster Team structure as well; how they communicate amongst each other, who is responsible for what actions and how issues are managed and communicated.
- Vendor Management – This would include Service Level Agreements (SLA) you have with the ‘Disaster Service Providers.’ Would you not want to know that they could deliver the services you’ve purchased when a disaster occurs? If a storage vendor has a SLA to deliver your media within 90 minutes, then declare a disaster with them to see if they can meet the expectation. There’s nothing worse that trying to find out that the SLA can’t be met during a time of disaster; the time you need it most. You’ll also be able to discover how the overall declaration process works with the vendor(s). In many cases, those who can ask for specific media during normal operations aren’t the same individuals authorized to declare a disaster with the vendor because it initiates different processes. It helps to identify these kinds of gaps prior to a real disaster, so why not incorporate these kinds of activities into an exercise; in a controlled environment.
- Crisis Notification / Communication Protocols – During disasters teams expect to receive communications and notices using specific protocols. Instead of redeveloping the protocols for the exercise, utilize the ones that you’d use in a real disaster. This will help teams become comfortable with the proper communication channels and protocols. You can even utilize your executives in the initial stages of the exercise – a type of kick-off marker. In a real situation it may be one – or a combination of – executives that are authorized to declare a formal disaster so have them start things. Give them the opportunity to utilize the processes they would be responsible for so that they can contribute to the program – not through resources and financial support – but actively participate to see if they have recommendations for refining the disaster declaration process. If you utilize third party applications for communications, then utilize it like you would in a real situation. The more practice with the software the better it will meet the organizations needs.
- Issue Management – Often issues that arise before an exercise or during an exercise are coordinated and managed by the exercise coordinator (also known as the Project manager) but in the real world when something occurs, that may not be the case. Each team is expected to manage their own issues and use the designated communication protocols (noted earlier) to investigate and communicate the issues they’re encountering and responsible for. This gives team managers some experience on how to manage their teams in a disaster and how their team needs to interact with others. For example, if there are network issues then it’s the network team manager (or designate) who owns, investigates and communicates the issue status and resolution, not have the network issue controlled by someone else who may only hinder the investigation and resolution process. Using this example, in a real situation it’s the network team that would deal with network issues so they should have the opportunity to practice the disaster team protocols.
- People Availability – This is probably the hardest thing to do in an exercise, as everyone wants things to go well, even when one of the objectives may be to find gaps in program procedures. Still, nothing will prove better at how mature and effective your BCM awareness and training program component is than by taking away those that have knowledge of the overall processes when you execute exercise activities; a sort of last minute change in participation. The day of the exercise, simply decide that certain members of the project team are no longer required to participate and they can continue on their normal day-to-day operational activities. Those that remain need to figure out what to do, though in all aspects they should already understand what is required because communications and awareness training has been occurring throughout the planning of the exercise and its part of regular BCM program practice.
- Restoration & Recovery Documentation – Don’t allow any outside documentation to be brought into the disaster facility (or the exercise location) so that it simulates the fact that people are at home (or at least are offsite) when a disaster occurs and would be traveling to the designated location. This can be exercised in conjunction with the media storage provider who at the same time may be delivering the documentation to the alternate site. It would certainly show if the processes you have in place are documented and are available off site – and that it’s maintained. If not, then it offers an opportunity to build this component if there are deficiencies.
- Facility Availability/ Fire Drills – This can be done in conjunction with the ‘no documentation’ point noted in #6. If the facility is deemed not available – due to a fire or major power outage and only critical life safety mechanisms are operational – then it would help solidify the fact that everything that’s needed in the main facility can’t be accessed. Again, this would help identify what resources are deemed the most critical (i.e. documentation, restoration disks, applications CD’s etc) and those that are required to be kept off site; either at the DR location or with the media storage provider. After the drill(s) you can also investigate if any clients or partners would be impacted due to the facility being evacuated. Was there something critical being done for a client at that time of the drill and what would your organization implement if that critical activity was suddenly suspended for an hour or two while employees are gathered at the assembly location(s)?
These are just some of the combined efforts that can be exercised and incorporated into BCM exercises. Depending on the nature of your organization, these can change in size and scope. Some add fun new twists but each combination – whatever combination you decide to utilize – can push the boundaries of your program and find surprising results that may not have been considered in exercises prior.
The new book by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.” Available at www.stone-road.com **