Welcome to the first posting of 2011; we trust everyone had a great, safe and happy holiday season and we wish you all the best throughout the New Year.
At the time of writing this article, I’m actually auditing and observing a “DR” exercise at a client’s DR site (a subscribed vendor site actually). It’s been going quite well and koodo’s to all the team members involved for the effort. Oh, and it’s their first one of this size and scope – so pretty impressive.
Yet, as things were moving forward and people were executing the activities they needed to do – based on the estimated timelines – I couldn’t help think of the excuses I’ve heard over the years as to why some people/departments/units don’t want to, or don’t think they need to be involved with tests and exercises. The team I’m involved with right now are gung-ho about finding gaps in plans and processes and making thing work; a really good team effort. But it’s the opposite side of things that sparked my interest in writing this.
I thought I’d write out a list of some of the reason I’ve heard when I’m told to start planning/coordinating a test or exercise.
- Other Priorities – I think everyone can relate to this one. We’re all busy doing multiple things at once and then there’s always one more thing piled on us; with the caveat that ‘this won’t be much work.’ Yeah, right. For some who work on the daily operational side of things or support for operations (business or IT), you’re continuously busy and you have to balance the priorities of your boss (or where your direction comes from) against the sudden requests to participate in an exercise / test. It’s tough to do and unless people know and understand the benefits of holding an exercise, they’re going to lean towards their known deliverables rather than a scheduled exercise that (sometimes) hits them out of the blue.
- Cost – Well, it is. You have to pay for resources, hotels, food, test time, payroll, mileage and more. Of course, not for every exercise or test you work on but the big ones for sure. Then there is the cost of a department or process losing a key resource because they have to be at the DR site to work on things. There’s additional cost here because you have to either bring someone else in to cover the shift or make arrangements to have the resource be able to address their production issues back at the ‘home’ site. It goes without saying that test periods at DR vendors costs money; often it’s in the contract. However, if you’re scheduling additional tests because of a compliance or audit demands, it’ll cost a pretty penny when you add it all up.
- Resource Constraints – Single Point of Knowledge (SPOK) are always wanted for tests and exercises because who knows better what needs to get done but the person(s) who have all the skills and knowledge? But, as a SPOK they are needed for other things and can’t always be available to the exercise coordinator. A major project with a drop-dead deliverable date isn’t going to want to hand over some of their SPOK’s time because it’s so vital to delivery. On the other hand, they are on vacation or ill. If that’s the case, you won’ get them. I know waaaayyy to many husbands or wives that get more than a little miffed when family plans are altered because of work (and then there’s those that jump at the chance not to have to visit the in-laws). Many today don’t like giving up time with family or time away from the office (though many will
- It’s an IT Thing – For some reason, many believe that all exercises – regardless of the their flavour – are IT exercises and thus, aren’t needed to be a part of it; it’s all a technology thing. We all know (I hope) that there are many aspects that need to be validated with the BCM program and no one is immune to not exercising and validating their role, responsibility or contingency. Manually tracking telephone calls isn’t an IT thing, it’s a the customer rep’s responsibility (unless you reassign IT people to answer phones). Sure, there are exercises that are totally IT focused and in these cases, business units may not be required but if it’s a larger simulation exercise, darn right business rep’s will be needed.
- We Know Already – More often than not, this isn’t the case. Many people will say they know what to do but when an incident occurs, they are lost and asking people for advice on what they should do. Sure, each situation is different but if you have a basic understanding of what needs to get done, you can work through the incident much clearer than if you’re completely clueless with no understanding at all. Since each disaster is different, how can anyone really know what actions to be taken? They can’t. There are some basic responses an organization can put in place, regardless of the situation, but exercises and tests will challenge those actions (assumptions) so that people have stronger and wider understanding of what they need to do. The more you know, the better prepared you are so no one can ever say that they ‘know what to do.’
- We’re Not Needed – And just how do you know this? Many will say they don’t need to participate because they believe it’s an IT thing so the response comes without even knowing what’s in scope. If the scope is distributed/made know to all, then the decision can be made by asking questions of clarity and if a department isn’t needed, well, it isn’t needed. I’ve seen department heads say they aren’t needed only to ‘blow a stack’ when they realize 2 weeks before the exercise they needed to be a part of the exercise. Of course, it’s not their fault they said they aren’t needed. LOL But this is the chance to ask questions and seek clarity, not dismiss it outright. “We’re no needed” should only be communicated when a thorough examination of the scope and objectives is achieved (the exercise facilitator/coordinator should make sure this happens) or you end up with some very angry managers.
- We Did it Last Year – So? So, what? Last year was last year and you’ve implemented new process, technologies and new people (probably) have been hired. Each year, you should be building upon what you did the previous year and validating that the issues you encountered are resolved and don’t reoccur. Many corporations are legally bound in some cases to ensure an exercise or test of some sort is executed, so
- BCM/DR Isn’t My Job – BCM is everyone’s job, in my opinion. No one person can suddenly take over another’s role because there’s a disaster. You’re still responsible to get some things completed and initiated no matter where you are in the company. Every person, regardless of level or experience, has a part to play. It could be to coordinate Finance team contingency strategies or it could simply be to monitor the ‘employee phone line’ for directions on what/what not to do. Everyone has a role to play and it is everyone’s job because if it’s not part of your job, you may not have one to get back to.
- Do I Get Paid? – Some people need incentive to be a part of exercises. There are those that won’t do extra work because they don’t get overtime/compensation pay to do exercises. If an exercise is over the weekend, sometimes people haven’t been paid for it; they just get an extra day off at some point down the road. So, asking if they get paid is a valid question. No one likes to do things for nothing, at least not when it comes to large exercises and tests where people are traveling to recovery sites or alternate locations, taking them from their friends and families. If you’re in a position to know, make sure you find out what the compensation is for those participating, as it may be different for various departments.
- A Disaster Won’t Happen – This is simply denial. A disaster can and will happen at any time and no one and nothing is immune from a disasters. No one wants a disaster to occur but the odds are that something will impact your corporation at some point; be it a labour strike, snowstorm or break in the supply chain because a vendor experienced an issue. It will happen – you just don’t know when. Denying this and not facing this fact won’t make it go away.
- IT Can Do It – Again, this is people believing that every exercise and test is for IT and IT only or that IT resources can step into the shoes of business representatives. If IT could do it all there wouldn’t be any business representatives, so believing they can do it all is false. A user is a user and they don’t do the same thing that IT people do; different roles, different accesses and differing dependencies. IT only does so much before things are handed off to the users and users – in many cases – are the ones who would be dealing with clients and customers. So users need to be a part of exercises so they know how to get their processes up and running again so it ‘feels’ like normal again; IT can’t automatically make that experience happen.
There are many more reasons why people don’t want to be part of an exercise or test. Some may be valid but in other cases they are but excuses not to become proficient at responding to a disaster. For some reason, many believe they will be fine with a situation occurs and work their way though it – this is so rarely the case.
Exercising and testing helps a corporation get better at what it does by identifying gaps in processes and recovery strategies. Often, new ideas are sparked through exercises and new technologies or methodologies are implemented down the road to improve not just the recovery strategies, but the current operational capabilities.
Everyone has a part to play. Don’t accept excuses from people or departments when you bring up the topic of exercising and testing. It’s all being done for their benefit after all…
Books by A.Alex Fullick;
“Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility” and
“Made Again – Volume 1: Practical Advice for Business Continuity Management Programs”