Test Last? Maybe Not
- Published on Friday, 26 October 2007 21:51
Much has been written over the past 10 years or so by many knowledgeable authors about how to develop a plan, and their thesis has generally been to gather the appropriate people together; garner their support; conduct a full business impact analysis including risk analysis, insurance review, mitigating influences, evaluation of controls and prevention techniques, etc.; and then test.
Starting a crisis management/ business resumption plan utilizing these development steps can be difficult and sometimes impossible due to lack of necessary support. People have too many 'higher priorities', and crisis planning seems to be an easy project to postpone. If you find yourself confronted by this situation, and especially if you've been assigned responsibility for your company's crisis plan, help may be in the offing in the form of a new tact, i.e. - test first.
Experience has shown that tests (even though small in scale) can provide the catalyst needed to bring out the interest and enthusiasm necessary to make real progress in developing a crisis plan to cope with major incidents.
If this tact sounds of interest to you, initiating the following steps can give your crisis planning program effort the boost it needs to become a reality:
1. Identify an area of particular importance to the company;
2. Develop a reasonable scenario and intentionally limit the scope of the exercise;
3. Ask the appropriate management to give verbal approval to this small scale test;
4. Assemble a small planning/recovery team; and
5. Plan and execute the test.
Now expand these steps to see how they might actually work in your specific situation. In addressing the first step, pick an area that has considerable visibility in the company, probably from a cash flow and/or customer service concern. It needs to be an area where you think its management would be reasonably receptive to a small test specifically tailored to their requirements.
Secondly, utilize a small scale scenario. There's no need to have a regional earthquake or devastating tornado at this stage. A good scenario may be a fire that destroys a floor or two of a large facility or destroys a small (but operationally important) facility. Pick an operational area rather than a computer area; the test itself will most likely highlight the importance of computer information anyhow and set the scene for data center testing at a later date.
Next, bring the selected area's manager into the planning process at the start, although the manager may assign a representative to do the actual planning. Assure the manager that routine business will be accomplished while the test is underway. Experience has shown that this can be accomplished relatively easily. A good point to remember at this stage is that you don't need a 'surprise' test. In fact, a 100% surprise test of an area would probably be counterproductive and leave the employees with a negative attitude toward crisis planning in general.
Fourth, assemble a small test planning/recovery team. You need a person knowledgeable about voice (phone) communications and another about data communications. You also need a person from your facilities management or real estate department. These three people are the key to assigning temporary space and coordinating the replacement of voice and data equipment. (NOTE: Don't get into the assignment of new permanent spaces during these first test.)
The team also should have two or three key employees from the area to be tested. During this planning stage the voice person should prepare a diagram of the area's phone system while the data person prepares the same for applicable data circuits. A primary reason for these diagrams is to disclose voice or data connectivity links to other areas of the corporation many of which employees may not be aware of.
The facilities person should pre-design a space assignment matrix based on essential personnel, voice and data requirements for 24 and 48 hours and one week. The chart should be about 2 by 3 feet and laminated so that dry erase markers can be used during the test. Don't plan out further than a week for this test.
Lastly, execute the test. The date/time should be pre-approved by the manager involved and the test team. Normally the best arrangement is to start the test about 8:30 a.m. with a test commencement meeting, have an update meeting at 1:00 p.m., and have a debriefing (one hour maximum) around 10:00 a.m. the next day. Arrange a convenient place to be designated as your emergency operations center (EOC) from which to run the recovery effort.
You don't need a fancy, pre-equipped EOC at this early stage of plan development. Also, for training purposes, you can use a room in the building that's supposed to be damaged, if it's more convenient.
How do you actually start the test? A good way to get the appropriate employees to the test commencement meeting is a phonemail message to the test area's manager/ supervisors from the senior manager.
It is essential that the senior manager of the tested area personally kick off this test commencement meeting and designate a Recovery Team Chairman. Even if it's only a couple of minutes of introductory remarks, that show of leadership will go a long way toward ensuring active participation by all area employees.
The senior manager's kickoff remarks should be followed by a detailed test brief by you. The briefing should include test goals, the scenario, contributing factors (e.g.-each department should simulate one casualty requiring first aid), test rules (e.g.-no access to burned out floors for at least one week); and debriefing and report writing requirements.
What should you expect to get out of the test? Call trees will be produced. Space/ voice/data planning for the short term will have been accomplished with the chart available for use in a real emergency. Employees will have looked at their life support plans (e.g. - first aid supplies and training, and assisting handicapped or injured persons). Employees will have looked at whether there's satisfactory off-site record duplication. Priority tasks will have been assigned. Plans for responding to the media will have been covered. The personnel department should determine how they'll handle next of kin notifications, pay, insurance claims, etc. Disaster recovery insurance coverage should have been reviewed. And many other important planning items will come to light.
When the test is over, a good report is necessary; however, for this initial test it doesn't have to be long. It's important that the senior manager sign the report, not you.
The report should be addressed to appropriate executive management (with copies as you wish), and should be due within two weeks of the test. The report itself should be written by a responsible person within the test area assigned by the senior manager, not you.
The test report should consist of a cover memo, possibly an executive summary and then a more detailed report including findings, recommendations and a conclusion, along with any appropriate supporting documents.
This article is, of necessity, a brief description of how to run the test; you can adjust the procedures as appropriate. However, experience has shown you'll be pleasantly surprised at the participation and enthusiasm derived from the test.
You'll be in a much better position to pursue the other very important aspects of thorough planning, i.e. - risk and threat analysis, evaluation of controls and prevention techniques, etc.; and you'll be on track to development of a practical, well thought out corporate-wide crisis management/business resumption plan.
Most important, you'll be in a better position to garner top management support for the development of a truly corporate-wide crisis program; and top management support is, of course, the key to a successful program.
Ben Woodworth, CDRP, is manager of corporate security at First Tennessee Bank, Memphis, Tenn.