All Plans, Critical Systems, Recovery Strategies, Cyber and Call Trees / Mass Notification Call Lists must be tested and reviewed on a schedule that aligns to your policies and requirements.
Testing must validate your plans and systems and improve the resilience of your organization. In sports, smart athletes ‘practice with a purpose’ to improve their weaknesses. We must test with a purpose. Each of the testing types listed below is described in much more detail throughout Ultimate Business Continuity.
I recommend you develop a comprehensive test schedule and publish it during the October or November time frame of the year prior to the scheduled tests. That will provide you with ample time to communicate the schedule to stakeholders and to make adjustments where the business has valid date/time concerns.
Although you must maintain and assess the results of the tests, you do not necessarily have to personally host and conduct all of them. From my experience, if you and your team try to do it all by yourselves, your program will suffer. It will not scale as well and it will not be as resilient as taking a more decentralized approach.
If you have established business continuity liaisons at the local sites, they could conduct some types of tests that do not require your direct involvement. Perhaps they could conduct mass notification call list tests. An Interchangeable Work Area Recovery Exercise (IWARE) would be beyond their expertise and would require your team to be heavily involved, as it is a relatively complex exercise.
Mass notification is an excellent example of resilience through decentralization. At one point in my career a partner and I were doing all of the tests for a Fortune 50 company. It was a lot of work, but if it made the organization more resilient I would not have minded conducting the tests. In fact, it worked against us.
The business continuity liaisons were not getting enough practice in doing notifications, so when it came time for them to do one during a crisis situation they did not have the level of confidence they required.
When we modified the process so that the business continuity liaisons started doing the mass notification tests, they quickly gained a level of comfort that vastly improved their ability to create and launch notifications during real crisis events, such as tornadoes and hurricanes. Everyone benefited from their direct involvement.
High Level Test Tips (additional detailed information is included in the individual test type posts throughout the Ultimate Business Continuity site):
Tip – A comprehensive annual test schedule must be created and adhered to.
Tip – The test schedule must be communicated to management late in the year before the tests are scheduled. For example, begin communicating the 2020 schedule late in 2019.
Tip – Upper management must be made aware of results and risks in dashboard reports and as part of your Steering Committee Meetings.
Tip – All tests must have documented goals and measurable success factors. It is important to understand what you want to achieve from each test you conduct. After each test, measure the results against the desired success factors. Then determine the areas you must improve on – and test again.
Tip – Test results must be analyzed and retained. I favor maintaining the results in a business continuity management (BCM) system, rather than siloed spreadsheets or word processing documents. The results will be centralized, enabling you to perform interesting gap and trend analysis.
Tip – If you schedule a work area recovery exercise for March and March happens to be one of the busiest months for the accounting department to prepare taxes, you will definitely get push-back from management. You will most likely have to adjust the test dates to get maximum buy-in from the business. Even then, some people will agree to a date and try to beg off at the last minute. Upper management must have your back on the importance of testing. They should publicly declare that all critical processes must participate in all required tests. No exceptions!
Tip – Your responsibility is to design and conduct robust tests without negatively impacting business production. Clearly communicate to process owners that tests will not impact production. Doing so will work in your favor. For example, when doing a work area recovery exercise, set a threshold that each process must send a minimum of 10% or 20% of recovery staff to validate their recovery strategies. You will accomplish the goal of validating the ability to recover the process without raising the risk that recovery staff cannot do production work if you find gaps at the recovery site. Another way to say it is, ‘Don’t put all your eggs in one basket’.
Always encourage the process owners to send a higher percentage of recovery staff if they so desire. The more the merrier! I have done Interchangeable Work Area Recovery Exercises (IWARE) with 150 employees in attendance. It is a really valuable experience for all involved.
Tip – You may find people will push back on going to the recovery location, but once they arrive and realize how effectively they can recover their department and continue to work during a disruptive event, they will thank you! In fact, I have had many people tell me that they would prefer to work from the recovery location than their production site! The kicker is, some of these people were the ones that balked the most about participating in an exercise. Sometimes the recovery site bandwidth and system response time are better than at the usual production site, and sometimes the recovery location can be a better commute for them compared to their regular production site journey.
Tip – After the tests are conducted, thank attendees and management for their participation in making the tests successful.
Tip – Testing brings people together and strengthens relationships. People talk and sometimes magic happens. These relationships can be critical at a time of crisis.
Tests in scope for your program should include but are not limited to:
Site evacuation drills. These may be the responsibility of the Safety Department. In fact, I believe it should be. Clearly document who has responsibility. I suggest creating a RACI chart and getting sign-off so there is no miscommunication down the road.
Manual call tree or automated call list exercises. Call trees with branches typically indicate manual calling, whereas call list exercises (no branching) use a mass notification system. Automated mass notification systems scale much better than manual call trees. In my experience, manual call trees often do not work for mid to large organizations. They can easily break down when you need them the most. I strongly encourage you to utilize a mass notification system, if possible. I discuss this throughout Ultimate Business Continuity.
- Tip – Do both location and process based call-list exercises. Your tool should be able to slice and dice contact info to satisfy all conditions.
- Tip – I generally schedule exercises on a semi-annual basis or as often as the business requires them to get to a satisfactory level of successfully reaching employees. If you are requiring two a year, make sure you spread the dates so there are not two exercises one day apart, such as June 30 and July 1.
- Tip – Do not overdo notification tests, for example by running them on a weekly basis, as employees will become desensitized to the messages and will not pick up the phone. You want them to be conditioned so that when a call, email or text is received from the branded emergency phone number or name you are using, they realize it is important and that they must listen to it or read it.
Plan walk-throughs, workshops or orientation seminars. These are designed to familiarize team members with emergency response, business continuity and crisis communications plans and to validate their roles and responsibilities as defined in the plans. Walk-throughs allow for validation of plans in a low stress setting. They are good starter exercises after plans are created to uncover obvious gaps and opportunities for improvement.
Tabletop exercises. These are scenario based exercises. I do these for an entire site, a process or multiple processes. You can walk through one or multiple scenarios in a conference or training room. Include crisis management, emergency response and continuity of operations in your tabletop exercises. Tabletops are very effective if done right.
Interchangeable Work Area Recovery Exercise (IWARE) – fully announced. The process owners and employees know the date of the exercise. Recovery staff physically recovers in accordance with the recovery strategies documented in their business continuity plan. The goal is to validate they can work from a recovery location(s) and to uncover/mitigate all gaps.
Interchangeable Work Area Recovery Exercise (IWARE) – partially unannounced. I position this between fully announced and fully unannounced in terms of maturity level and participant stress.
Interchangeable Work Area Recovery Exercise (IWARE) – fully unannounced. This is the most aggressive type of exercise. Carefully work up to this type of exercise. Never begin here. It is as close to being in a real crisis as possible. You can recover one site or, if you have the ‘chops’ and maturity level, multiple dependent sites! If you are currently doing completely unannounced exercises for multiple sites simultaneously, let me know so I can personally congratulate you!
Critical Systems disaster recovery – All critical systems must be tested on a basis that adheres to your corporate policies. Users must be involved to validate the testing.
- Partner with IT and the business on these.
- There should be comprehensive user scripts and sign-off by the business authority.
- I recommend that the results be stored in your BCM tool, if possible. You will get the most ‘bang for the buck’ in analyzing the results mapped to business processes and roll-ups to higher regional or line-of-business levels. This will empower you to include insightful information as part of the real-time dashboard metrics that management will have at their fingertips.