Exercising Business Continuity or Disaster Recovery Plans is necessary and should be completed on a regularly scheduled basis and whenever a BC or DR plan has had significant changes made to it. This is essential for ensuring that your plan is current, fully functional and addresses your current operational processes and procedures.
An exercise and testing program is necessary to ensure that all staff have a good understanding of their responsibilities as defined in the Business Continuity or Disaster Recovery Plan.
Exercise and Test plans consist of:
- Training for Managers, Supervisors, Team members and the general public
- Roles and Responsibilities of all personnel during an interruption event
- Corporate and local Communications Plan Exercising
- Testing all procedures and processes included in existing plans, and
- Testing new processes and procedures
Exercises also allow training of recovery teams and evaluate their capability to effectively implement the plan. Exercises will be conducted and documented in accordance with the Business Continuity Exercise and Reporting Templates.
Why exercise in the first place? The primary objective is to ensure that the plan works when it’s needed. But it’s not enough to exercise parts of a plan. Ideally all elements of business continuity plans should be exercised on a regularly scheduled basis (at least annually). Each exercise may have different objectives, besides the primary one.
Main exercise objectives include identifying weaknesses and shortcomings, verifying recovery objectives and procedures, validating global efficiency of plans, verifying the adequacy of emergency operations centers (EOCs) and alternate sites, and achieving specific recovery time objectives (RTOs) and recovery point objectives (RPOs).
How much should you exercise?
Exercises can be simple or complex. A table-top exercise can establish a plan performance baseline. A specialized exercise, such as one which focuses on crisis management procedures at an EOC, provides valuable information about specific activities. At a higher level, an integrated exercise can address multiple business continuity plans or plan components. Finally, an entire plan, with all components, can be exercised. It is far better to err on the side of exercising too much, rather than not enough.
Initial Exercise – Once the Business Continuity Plan is completed, the initial exercise (usually a table top) will be used to validate usability. The results will be documented and maintained as a baseline for ongoing exercises.
Ongoing exercises should be planned and scheduled as needed to ensure freshness of plans and training for personnel. At least 1 exercise should be held annually, but more is better!
The exercise and testing program must also be planned in accordance with the overall organizational Emergency Management and Business Continuity program and in association with local authorities.
Managing human resources
Exercises present human resource issues. Should employees participate in business continuity exercises? Clearly exercises are important for validating team member expertise and identifying training opportunities.
During business continuity exercises, it is good practice to treat team members well, especially when they are away from home or working difficult hours. Be sure to budget for appropriate hotel accommodations and food, while managing costs.
Effective exercise strategies
The exercise options described will help improve business continuity plans and train your staff. But no matter how often you exercise plans, when reality strikes, your response capability could be much different than in the exercises.
Key strategies for exercising include starting simple; raising the bar in terms of difficulty; involving vendors and stakeholders in exercises; making objectives increasingly difficult to achieve; and launching surprise exercises. When launching an exercise program, start with plan reviews and table-tops. This will help staff get comfortable with the exercise process. As they improve, increase the level of exercise complexity. Remember, an exercise CANNOT “fail”; it can only succeed in providing information on where your organizational plan needs improvement, so no matter what happens it is a success. We exercise because it is far better to identify systems and procedures that may fail, and rectify them, before a real incident occurs. Finally, a true test is to launch a surprise incident. This will truly test how well prepared the organization is to address a real incident.
What is a successful exercise?
The primary reason to exercise is to identify limitations of emergency plans, business continuity plans and disaster recovery plans. Recognizing that most organizations change frequently, even mature business continuity plans may be inappropriate in a given situation or at a given time. Exercises that appear to be ‘successful’ and uncover no problem should be suspect. Maybe the objectives were too easy or the situation was unrealistic. Exercises present opportunities to fix problems before a disaster happens.
Ideally, a successful exercise uncovers and documents problems. Once the problems have been fixed, consider running a follow-up exercise to ensure the repairs work. Measuring the success of business continuity exercises means having relevant objectives that will help uncover problems. Exercise is your chance to ‘push’ your business continuity plans increasingly closer to the reality of a disaster.
Keeping these things in mind, the UIS exercise and testing program strives to ensure all exercises are practical and prudent. We hope to be successful but maintain the mantra that an exercise's primary goal is to tell us what areas we need to improve, not to tell us how good we are.
With these ideas in mind, we move forward to improve our environments and service to our customers by understanding where we are and how we can make our customers' experience better.
To see a list of some of the Exercise Types and their descriptions, go to the BC/DR Exercise Description page.
If you would like an overview of previous exercises please go to the UIS BC / DR exercises page and review the documents there. Be advised that to view most of the documents you will have to log in using your NetID and password.
If you would like to plan an exercise of your organization's recovery functionality and would like our assistance in doing so, please contact us using the links in the right column, or call the safety office at 202-687-8291 or UIS at 202-687-2678, briefly describe what you want, and we will be glad to assist you. We will contact you and start from there.