Business Continuity Tip of the Month

Testing the limits

It’s generally accepted that the various types of business continuity exercises and tests typically carried out – whether scenario-based incident management exercises, IT recovery, relocation or call cascade tests – are all good things to do. And that’s almost certainly true.
As often as not, however, an organisation’s exercising and testing programme is designed around the types of exercise or test that are deemed practicable or achievable, with little or no consideration of the extent to which these exercises and tests contribute to proving the business continuity strategy. 
Worse still, some programmes revolve around the things that are easy to do and shy away from the difficult stuff, which at best can give a false sense of security and at worst completely misses the point. For instance:
  • Asking a few people to log on from home occasionally and check that they can access a couple of IT systems doesn’t prove the strategy that says a significant proportion of a department or team will work from home for a significant period.
  • Taking several days to recover a selection of IT systems and image a few desktop PCs, followed by a member of the IT team logging on to check that systems can be accessed, doesn’t prove the strategy that says dozens or hundreds of people will relocate to and conduct business from the recovery site for a prolonged period. 
  • Conducting scenario-based exercises with the same few people time after time doesn’t prove that the alternates know how to put the incident management strategies into operation, or have the capability to do so.  
  • Telling people that a call cascade test will be carried out on a certain date (or during a certain period) doesn’t prove that you’ll be able to contact large numbers of people out of hours with no notice.
All of the above can give you a warm and fuzzy, though possibly spurious, feeling that everything is OK. Until, of course, you try to put your strategies into operation for real, which isn’t the best time to discover that you’ve been deluding yourself.
The best exercising and testing programmes are designed with the primary objective of proving that the business continuity strategies actually work. 
Yours may be one of these, in which case a pat on the back is in order. But if it’s not, you might like to give it some further consideration.