DISASTER RECOVERY JOURNAL
Spring 2001

SOME PRACTICAL BUSINESS CONTINUITY EXERCISE TIPS
by Madeline Bowden, CBCP and Theresa Kirchner, MCP, CCP

Thanks to business continuity professional organizations, there's a wealth
of fine theoretical information about business continuity exercises
available to you in industry literature. Here are some lessons
learned that we've derived from coordinating and/or participating
in hundreds of exercises:
- Promote exercises as developmental learning experiences, not pass-fail
tests. Help management and the exercise participants understand that
successful exercises bubble up issues and problems for resolution.
- Ensure that you have visible top management commitment. Kick off your
exercise cycle with a memo from your upper management that announces
the exercise and asks for support and cooperation from participants.
- Thorough planning and effective coordination are the keys to meaningful
results-oriented testing. An exercise is the culmination of the theory
and the documentation. Evaluate the exercise process to ensure that
your efforts and coordination skills contribute to the ongoing success
of your business continuity planning program. Adjust the process after
each exercise.
- If you are relatively new in your position, become familiar and well-informed
about your organization's past exercise history. Do research before
you determine the test scope. Understand the business function, the
technology in place, and how that technology supports the organization.
After reviewing the mission-critical applications required to support
the business, you can then begin to frame test objectives.
- Don't take on more than you or the recovery team can handle for
the first exercise of a business area and/or system plan.
- Make subsequent exercises of a plan increasingly broad and deep. Beware
of the tendency to address a potential disaster and recovery effort
at a 50,000-foot level.
- The exercise scenario is less important than the process of response
and resolution of issues. The scenario merely sets the stage for the
exercise. Exercise participants who focus overly on its details and
question the fine points can waste valuable exercise time and resources.
- Estimate timeframes for recovery activity and build a recovery timeline.
As the exercise progresses, document and compare actual
times for activities with the estimated times. After each exercise,
update the recovery timeline to reflect reality.
- Establish an excellent working relationship with your internal auditors.
Copy them on all exercise correspondence and share exercise objectives,
plans, and documentation with them. Invite them to planning meetings
and to the exercise itself. Review previous internal audit findings
and discuss them with the auditors.
- Make sure that the exercise includes a process to address problem
identification and resolution. A mechanism should be in place that allows
exercise participants to report problems and obtain support for resolution.
Help exercise participants understand that it's highly unlikely
that all problems can be resolved during the allotted exercise time.
Provide and enforce a process to log issues, assign owners
for resolution, establish target issue resolution dates, track status,
and ensure that business continuity plans are updated as appropriate.
- Develop exercise script templates that are straightforward and easy-to-use
(e.g. with fill-in blanks or check boxes). When the exercise is complete,
request that the completed exercise script templates be returned to
you for use as a basis for development of the exercise report.
- After the exercise scope is determined, draft an exercise logistics
document which includes the following, and distribute to all key participants:
  1) Date, time and duration of exercise
  2) Scope of exercise (business functions and support groups participating and affected)
  3) Exercise participant contact information, by function (e.g. business function, technology function support - application system, voice / network, UNIX, PC, etc.)
  4) Clear explanations of the roles of exercise participants
  5) Assembly point(s)
  6) Mode(s) of transportation to the alternate site, with arrival and departure times
  7) Alternate site information (e.g. check-in / sign-in policy), if applicable
  8) Technology / application systems to be exercised
  9) Problem / issue tracking process details and instructions
- As part of the business continuity plan for each business function,
provide maps to the alternate site, floor plans of the alternate site
which include seating arrangements, network diagrams, and any other
visual aids that add value.
- For an optimal exercise, prepare in advance with unit testing. For
example, recommend to your technology group that they pre-test
exercise components before a full-scale business function client exercise.
- As exercise coordinator, your role is to facilitate activities and
discussion, ensure that the exercise stays on track, suggest that issues
get tabled when appropriate, ensure that issues are captured, provide
answers to scenario questions, and raise thought-provoking questions
and ideas for consideration. The role of all other participants (except
Audit and observers) is to recover the business function and/or system
being exercised.
- Encourage exercise participants to contribute their knowledge and
expertise, ask questions, raise issues, and give potential solutions!
- Provide your exercise participants with high-quality meals and snacks
throughout the exercise (around the clock, if necessary), and their
energy levels and commitment will soar.

Madeline Bowden, CBCP is a Manager of Business Continuity for the Global Corporate Investment
Bank of Salomon Smith Barney (Citigroup), New York.
Theresa Kirchner, MCP, CCP is an IT Consultant for Metro Information
Services, Inc.
Both are members of the Editorial Advisory Board.
© Copyright 2000 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.