By Lyndon Bird FBCI
No one disagrees that you need to validate your plans, and that testing and exercising are key parts of that process. However, in my experience, too many people just look to ensure that the plans they have written down will actually do what they say. In actual fact the real question is ‘do the plans do what is needed to protect the organization’s primary goals?’ Traditionally this has been partially countered by the argument that you write plans for a generic threat (loss of IT, loss of premises, loss of people, etc.) whereas you exercise them against a random scenario to see if the theoretical plan will work in reality. Well yes, this is OK as far as it goes, but another business continuity cliché is that you cannot predict all the situations that might happen, so scenario planning is of not much value. But if this cliché is in fact a truism, you obviously can’t exercise all scenarios, so what version of reality are you checking? All in all we are in a quandary – we claim we cannot know what will happen and, therefore, cannot write specific plans. However, we do just that for things which are predictable or inevitable (like Y2K, pandemics or the Olympic Games). In these situations – which are hardly conceptually business continuity at all in my book – we can of course match our scenario to what experts predict will happen, and we should easily be able to feel confident that our plans are appropriate. After all, the events are hardly a surprise to anyone, so we usually have time on our side and resources available.
However, most of life is not like that; things happen which are often obvious in hindsight but are not sufficiently mainstream to get our everyday attention. ‘Black Swans’ and ‘Unknown Unknowns’ have been much used (and often misused) by business continuity people to illustrate this point over the past few years. However, the crisis management community has challenged this by saying that business continuity management as defined in, say, the ISO 22301 standard can only be used for predictable, routine disruptions. For things that go wrong which are unpredictable, strategic in nature and threaten the entire survival of an organization, we need a new model – whether that be crisis management or organizational resilience.
Actually, I don’t buy any of that when it comes to exercising. Testing is different: it is a pass/fail situation for a process, not a value judgment on anyone or anything. Can you physically restore a server in the defined timescale? Can you physically switch operational activities to another location in order to meet your RTOs? There are lots of basic questions that need asking, and tests to be undertaken, to find out if you can do what you say. Yes, you can speed them up with repeated exercising and improve your confidence in the capability of your people to deal with the situation, but first of all you have to validate that the things you are fundamentally assuming can actually work in the way you have defined them.
Exercising is, to me, about enhancing capabilities: your people and the resources they need in order to respond effectively and confidently in situations they have never fully experienced before. They need to know that the ‘testing’ has proven that what they are being asked to do will technically work, but they have to make sure that it does so whatever the prevailing context, however frightening and dramatic that might be. As such, we cannot test the components of a non-physical business incident (beloved of crisis management) in the same way as we can test the loss of a building or IT service, but we can still constantly exercise people’s capability to deal with the unknown. I think we spend too much time worrying about creating a realistic scenario and not enough time building individuals’ confidence and empowering them to take control of situations in a measured and reasonable manner.
Finally, the ultimate measure of the success of responding to a crisis is ‘did it do what the organization needed?’ It is no use having a brilliantly executed surgical operation if the patient dies of bad after-care. Business continuity exercising should always focus on what we as an organization are there to achieve: will the way we deal with an incident fit the ethos and values of the company? Will the external perception be positive? Will we protect our brand and reputation? Asking yourself these questions during an exercise, when you are not being monitored by social media, your competitors and your customers, might seem an unnecessary overhead, but do it, because if it happens for real you will be very glad you did…
Lyndon Bird FBCI is an independent commentator, educator and consultant in all matters of business continuity and organizational resilience. Contact him at Lyndon.email@example.com