The benefits of conducting mock disaster drills in a small business environment are hard to measure. Some questions you may ask are: Does our small business need to conduct a simulation of a disaster? How complicated can it be for our business to respond to affects of a disaster? Would a catastrophic event severely impair our ability to conduct business as usual? What constitutes a disaster?
Do You Need a Mock Drill?
The general thinking among small business leaders is that, "We don’t need these drills. We regularly respond to events that impact our business more than disasters. Competition and technology are much greater threats." Many think small businesses don’t need to conduct drills like large companies. They neglect to remember that loss is a relative term, and it affects all small or large businesses without respect to the size of the organization. The impact of disaster disruption has the same effect that big businesses face – the impact on investors and customers.
One should ask some simple questions to help determine if disaster drills should be practiced. Can you think of perils that could strike your business without warning? These perils or areas of vulnerability should come to mind without much thought. These are categorized as "disasters" or unplanned events that cause significant negative impact. Consider some major categories such as human-caused threats, natural events, and technical threats. But don’t limit yourself to these categories alone.
What is meant by "human threats"? Have you ever thought about how your company might be affected if you had a disgruntled employee, terrorist activity in or near your building, major road or highway improvements in your vicinity, work stoppage and picket lines affecting you or your critical vendors, extensive sick time for multiple staff simultaneously, or unexpected loss of key personnel? These are just a few examples, but there are many more that may affect your organization.
Natural threats are more easily identified. Most natural threats are well known and are considered when completing any business continuity planning program. This is the area where most mitigation is done. When companies think about utility leaks, bad weather such as earthquakes, land slides, floods, and power failure, they find it relatively easy to calculate the effects natural disasters may have without much thought. This results in mitigation activity to reduce their potential losses. Pandemics, however, are not as easy to understand and for which to be prepared (or plan). This natural threat takes a different thought process to consider what impact it may have on your organization.
Technical threats are very well recognized by information systems personnel as they constantly live with the issues of hackers, viruses, and faulty equipment. How about the loss of their critical vendors while operating in a normal fashion? This is an area that many don’t consider when calculating technical threats.
After Identifing Threats – Now What?
Ask yourself, "If any of the disastrous (unplanned) events should occur, what would the impact be to our organization?"
When thinking about impact, consider impacts of broken or compromised industry relations; reduction or loss of critical physical and human resources; extensive company downtime; a marked denigration of community image; customer dissatisfaction; financial or legal affects on stockholders or business partners; financial impact of replacing staff and working resources; and adequacy of existing insurance coverage.
Then ask, "Are we okay with the impact of these events or could the effects be too great?"
Answers might fall anywhere from "not critical" to "devastating."
If you are comfortable with the risks and will deal with events when they occur, read no farther.
If you feel any of the events could have a lasting negative impact, then you might consider mock drills to help you prepare for these events (should they occur) and minimize your potential losses ahead of time.
How Do We Start to Develop a Mock Drill?
A mock drill can be as simple as an informal group conversation or as complex as a theatrical production. Small companies strive to make it simple but effective.
Using the categories above (human, natural, or technical threats), ask key staff what they think their Top 3 worse fears are for a disaster and document all their thoughts.
Rate the Top 3 events by probability of occurrence and severity of impact if it should happen. You can use a scale of 1-5.
Now, take the event with the highest probability and related impact and develop a fictitious event and script it (i.e. write it out like an essay). This scripted disaster can then be used to help plan your mock disaster drill. There is no right or wrong answer when developing these events since anything that occurs will cause a reaction of some sort. Now it is time to set up the mock drill.
u Determine who will participate (have input during the role playing process) in the fictitious event. Minimally it should be key staff from your company. There might only be a few.
u Determine what your goals are or outcome is for discussing this fictitious event and document them. Consider such things as discovering company vulnerabilities that can be mitigated easily; determining where backup training is needed; developing longer-term mitigation plans; and understanding if the participating staff is the correct ones to be used in a real disaster.
u Determine how the drill will be conducted. There is no right or wrong approach as each will provide you with valuable results. Consider the scenario to be presented and open up discussions with all participants. Also consider assigning areas of responsibility to individuals such as technology, workspace replacement, senior management, department management, facility management, and human resource issues to each participant for role play.
u Determine responsibilities of staff during the mock exercise. Think about who will be the note keeper (everyone or a selected person). The key is to document the results as they are occurring and then act on them afterward. Consider a qualified person to be assigned as the committee leader who would be responsible for handing out the scenarios and keeping the session in perspective and on time.
u Plan how you will handle the notes taken during the drill. If more than one person was responsible, you may want to combine all documentation taken during the mock drill and formulate a report for the group.
Conduct the Drill
Keep it simple. Gather in a conference room and instruct all of their responsibilities. The session should be approximately 60 to 90 minutes.
While the results are fresh in everybody’s minds, conduct a meeting of the participants, usually within 48 hours. Discuss the documentation and results and determine what actions need to be taken on new vulnerable areas within the organization. During this meeting you could assign tasks/projects for further research or documentation of decisions and set a due date. Be sure to set follow-up meetings based on the project due dates.
After all of the fallout and results are analyzed, management can consider measures to mitigate the impact of a potential disaster. The results of the mock drill will undoubtedly shed some light on people’s abilities to react to a potential threatening situation. Also, the organization will benefit from a mock drill as it can help develop team concepts and communications. Other side benefits can result from the interaction process.
Mock drills can be short and take only a few hours of your time but can provide powerful insight to any organization to help them prepare for business interruptions. Disasters are events that are not planned, but you can plan on them occurring and be ready when they do.
Sara Williams, CBCP, is certified with DRII International and is a member of the Disaster Recovery Journal Editorial Advisory Board. She is currently a business continuity consultant for Jack Henry & Associates.
"Appeared in DRJ's Fall 2007 Issue"