A successful failure?
A business continuity exercise or test can be a big deal for some organisations, often requiring significant investment in time, resources or money. So, not unreasonably, there’s usually a desire for the exercise and test to be ‘successful’. But what does ‘success’ mean?
For the less enlightened, success may translate as ‘problem-free’. Indeed, some may see it as a failure if an exercise or test doesn’t go perfectly. But this really is rather spectacularly missing the point.
Whilst a problem-free exercise or test may be seen by some as a success, this can give a completely false sense of security. The most successful ones are, in fact, those which identify issues and potential problems, allowing improvements to be made to plans, processes and procedures, thereby increasing the likelihood of success if incident response or recovery ever has to be done for real.
In other words, an exercise or test that doesn’t go 100% smoothly is not necessarily a ‘failure’.
If we fall into the trap of going for a ‘tick in the box’ and make our exercises or tests too easy, or worse, engineer them so as to guarantee ‘success’, we may well be setting ourselves up for a fall.
Surely it’s far better to flush out the gremlins in the safe environment of an exercise or test than have them catch us out when it really matters.