In today's bulletin Charlie looks at different exercises your organisation can carry out to verify your end-to-end business continuity solution.
I am all Brexited out this week and even though I have been running a business continuity exercise in Riyadh, Saudi Arabia, I have been following the twists and turns avidly. Yesterday was almost like watching a real incident (which it is) or an exercise in play, as the changes were happening by the hour. Do we have a deal, seems like yes, then we have the DUP not backing it, and the incident continues tomorrow with the crunch vote on whether Brexit is happening or perhaps not!
This coming week I am going to be teaching the CBCI Certification Course in London, so as part of my preparation and to get myself back into the GPG zone, I thought I would write this bulletin about exercise programmes. I have just produced a slide on this and so I thought I would use the slide to help illustrate my points.
I don’t think any practitioner would argue with this point in the Good Practice Guidelines (GPG): ‘An organisation’s continuity capability cannot be considered reliable or effective until it has been exercised’. The section on validation goes on to say, ‘An exercise programme should ensure that desired level of capability by: Rehearsing all plans’. If you look at most mature business continuity organisations, on the whole they will have an exercise programme and it usually consists of each plan being exercised once a year by the team. Some go a bit longer between them, but these are the main exercise activities. Their technical people are likely to do some DR exercises, sometimes they are discussed with the BC person but often they take place separately, and the BC person relies on IT to conduct suitable exercises.
What many practitioners are missing is the next requirement of an exercising programme, which according to the GPG is ‘Verifying all business continuity solutions’. There is a requirement to make sure that the solutions (strategies) proposed do actually work, and that as part of the exercise programme these are verified. We need to check that no changes have been made in the meantime, which make the technical solution we propose unworkable, and we must check that the solution is still valid.
By way of an example to demonstrate an exercise programme, I use an organisation which has a call centre and their solution if they lose the call centre, is to work from another building owned by the organisation. In the recovery location they would use a displacement strategy, so some of the staff in the recovery location would be sent home to make way for call centre staff to use their workstations and telephones.
To verify this solution, I suggest that five separate exercises are needed to make sure that all parts of the solution works.
Exercise 1 - All call centre staff need to be aware of the proposed solution to move to the alternative recovery site. They need to know which of them will go to the site initially and which of them will be sent home. If part of the solution was to rotate staff working in the recovery centre, they would need to know this. Staff would also need to know the sequence of events from leaving their existing building after an incident, to arriving at the recovery centre. Will they go straight from the existing building to the recovery centre, or should they wait until the next morning once the recovery facilities have prepared and the IT switch has taken place? Staff will need to know how they will be contacted and when they should be expected to go to the recovery centre if an incident takes place outside working hours. As part of an exercise programme, this awareness training or information could be discussed at a plan walk-through/discussion exercise and could be conducted for all staff at least once a year.
Exercise 2 - The call centre incident management team needs to be exercised. They are responsible for implementing the recovery solution and then managing it. As part of their exercise programme, they should be carrying out a tabletop/scenario exercise or a simulation exercise at least once a year.
Exercise 3 - This involves 2-3 members of the call centre going to the recovery centre and checking that they can log on to the PC of a member of staff they are going to replace. They need to check that they can download their profile within a reasonable time and that all the applications they require are available on the PC they are going to use. This exercise may only take an hour to carry out. Due to possible changes in the organisation’s IT infrastructure and updates to applications, this part of the exercise programme should be carried out every three months.
Exercise 4 - This exercise involves the telephony team within IT checking that they can switch calls coming into the call centre to the recovery centre. This exercise could be conducted at the weekend when the call centre is not operating. Members of the call centre may act as customers and call in, with a number of agents sitting in the recovery centre to practice taking calls. By carrying out this exercise, the call centre is able to verify that calls can be switched to the recovery centre and they can be dealt with appropriately by the call agents. Due to how critical this solution is, this part of the exercise programme should be conducted every six months.
Exercise 5 - Carrying out a full rehearsal of the business continuity solution. If 50 staff are going to work from the recovery centre, all 50 are taken to the recovery centre and the full deployment of staff is practised. This could be done during a weekend or bank holiday, or if the technical solution allows it, all staff working for a day at the recovery centre taking live calls. As this exercise is likely to disrupt business as normal or if there a cost of overtime for staff, then this exercise could only be carried out every three years.
You can see that an exercise programme is not just about how often each business continuity plan is exercised but is also about conducting a number of different exercises to verify the whole end-to-end business continuity solution. Some of the exercises may not be onerous, such as exercise 3, going to the recovery centre and checking you can log on, but for me this exercise is as important to verify your business continuity solution as running an incident team desktop. As part of our long list of things to do, you should review your business continuity recovery solutions/strategies and see if there are other exercises you need to do to ensure that the solution will work.