There is another important reason why you must test your BC/DR Plans, as those of you who have attended my DRJ workshops have learned. As the Chinese philosopher/reformer Confucius (551 BC - 479 BC) once stated so well:
I see and I remember.
I do and I understand.
Think about Confucius’ wisdom when you learned how to ride a bicycle or how to use new software. You can hear about how to ride a bike (or use the software); you can even see someone ride a bike (or use the software). But until you actually do it – get on the bike and ride it yourself (or actually use the software), you will not truly understand how to ride the bike (or use the software). People need hands-on experience, which might occasionally involve falling down (or crashing the computer). But that’s how we humans learn best.
The same philosophy applies to crisis response. Hearing about (or simply reading) the BC/DR Plan in a classroom is worthwhile; observing drills and exercises is valuable. However, when your responders are in the throes of a crisis, you want them to understand what they are doing and why they need to do it. In the middle of an emergency – that’s not the time for your responders to be learning or questioning what to do; they should instinctively know. Yes, they should use procedures; but responders need to understand why the policies, plans, and procedures are the way they are, and what is expected of them.
Years ago I was conducting a spokesperson training session for a company’s senior executives. I always start that training with a review of the corporate policy regarding releasing information to the media and public. Their policy was something like “We will release emergency information to the media and to the public clearly and accurately as soon as possible.” The CEO and senior vice president administration agreed that was the policy. The SVP operations bluntly stated he would not follow that policy; the SVP engineering wondered why the policy was necessary; and the SVP finance and a few others did not know the policy existed. There was a heated discussion; finally I stopped the discussion and explained the policy and why it was needed. I duly outlined the need for clear, accurate, and timely communications during a crisis; I also cited the ramifications and negative experiences of those organizations that did not adhere to such a policy. One could almost see the light bulbs go on over the executives’ heads. The executives finally understood the policy; now they would implement it properly. With everyone on board, the class proceeded successfully.
There are of course more tangible reasons why drills and exercises are important.
For your responders, a properly designed and conducted exercise provides training and understanding of the BC/DR program. Responders will see the effects of their actions and decisions; they can essentially stop and ask questions about their response. They will develop competence in their response and confidence in your program. An exercise should also clarify each responder’s role/responsibilities, and as well pinpoint inappropriate responder tasks/assignments.
For your BC/DR Program, an exercise can validate your BC/DR plan and program: yes, it will work! An exercise should identify weaknesses, gaps, and areas for improvement before a crisis hits. You may discover deficiencies in resources. You will also be able to demonstrate the value (or not) of new BC/DR software, supplies, and equipment in real time.
For your organization, a good exercise will build teamwork within the company and with external agencies participating. Further, it will give responders an appreciation of what the other departments normally do, and what can resources and assistance each department can bring to the table during a crisis.
For you, if done well, a successful exercise can earn you excellent recognition, visibility, trust, and respect.
So many examples to cite, so little time! Consider this one: in order to complete staffing of emergency positions in her BC plan, one BCP director assigned available employees to whatever positions needed help. These emergency assignments remained in the BC plan until the first exercise, when responders discovered that a key engineering manager was unavailable because he was assigned to run the copier!
For you IT aficionados, this is also a true story:
One of my clients hired me to develop and conduct an IT disaster recovery plan drill, to be run parallel with the annual BCP exercise. The IT department had a recovery time objective (RTO) of returning all critical applications in 24 hours; at every DRP drill, they claimed they met the RTO. However, I designed the combined BCP/DRP exercise such that actual users (representatives from all departments) were to go to the backup data center, log in to their applications, and demonstrate that each department could perform its critical functions. On the exercise day, we simulated the destruction of the data center on a Wednesday afternoon. The IT DRP responders said that they would work all night and recover all applications by 8:00 a.m. Thursday. And that they did. When the actual department users logged in on Thursday morning, all their applications were indeed ready and available for use. Most excellent!
However – and this turned out to be a rather large however – the users could not access their data! When the users asked IT about how to retrieve their applications’ data, IT said (and I am not making this up) “You want the data drive? No one told us that users would want the data drive. We were told to recover applications and we did. What’s the problem?” After a rather interesting user-IT “exchange of opinions,” the IT responders determined that it would take one to two weeks to recover the users’ data! So much for the 24-hour RTO.
In this example, the IT DRP responders clearly did not understand the purpose of the DRP. It took a realistic test of the DR plan to demonstrate this. I am pleased to report that within a month of this exercise (and by following Confucius’ advice, “Be not ashamed of mistakes and thus make them crimes”), the IT staff revised their DRP to recover all data within the 24 hour RTO. They then conducted a drill with application users to prove they could do it, and they did. Bravo!
This leads to another point: there is no sense in conducting an exercise and compiling a large “to do” list if nothing is improved. Imagine if your responders identify the same improvement items year after year. Not only will they lose confidence in you and your BC/DR program, but they will also be unprepared when a real crisis hits. When exercise items are identified, it is your fiduciary responsibility to address them. Management may make the decision not to implement an exercise recommendation; but that decision needs to be made and then communicated to your responders. Confucius would advise you that “Someone who has committed a mistake and doesn't correct it, is committing another mistake.”
In other words, make progress! Develop an exercise findings action plan, assign and track responsibilities, and improve, improve, improve. Confucius once wrote, “It does not matter how slowly you go so long as you do not stop.” While I do not agree that you have all the time in the world to complete the action plan, you must show your responders and your management that you are making progress in improving your BC/DR plans.
Drills and exercises are one of the few activities where falling down is actually a good thing. We learn from our errors and improve; we become better prepared for a real event. As Confucius said:
Dr. Steve’s next topic will explore “Training, Drills, and Exercises.”
Dr. Steven B. Goldman is an internationally recognized expert and consultant in business continuity, crisis management, disaster recovery, and crisis communications. He has more than 25 years experience in the various aspects of these disciplines, including program management, plan development, training, exercises, and response strategies. His background is unique in that he has been a professional engineer, corporate spokesperson, business continuity planner, situation responder, consultant, and a Fortune 500 Company’s Global Business Continuity Program Manager. Dr. Goldman has developed, conducted, and evaluated drills and exercises ranging from two-hour table-tops to massive three-day full-scale exercises involving hundreds of responders, multiple organizations, and all levels of government.
Dr. Goldman earned his doctorate in education from the University of Massachusetts. His doctoral dissertation undertook research on leadership and the status of crisis planning in several Massachusetts school systems. He obtained his master's degree in engineering from the Massachusetts Institute of Technology.