This week I have been in Oman delivering training and carrying out an exercise for a government organization. They have a good robust plan in place. If they lose their office they will continue to have their IT up and running as it is housed in a third party data site and they also have work area recovery spaces at the same site. As their organisation is about providing policy and finance to the organizations they are responsible for, they are under no illusion that they may experience some downtime. With plans in place they rest assured that it would have little impact on their customers.
The scenario for the exercise was a cyclone which took out their primary data centre and flooded their office. They responded to the scenario by invoking their DR plan and switching to their secondary data centre, sending some staff to their work area recovery (WAR) location and others worked from home. By the end of the exercise, of course there were some issues, but overall they were pretty sorted.
In my report I am going to suggest that instead of repeating the same exercise next year, they look at practicing other parts of the plan so that they holistically have exercised all areas, not just the core of the plan. It is sometimes the auxiliary parts which can trip up a plan. I also like to suggest to my clients that they don’t always have to do a high preparation, high cost, half-day exercise. Short exercises can have as many benefits as a long exercise.
The following are a few exercises that I will suggest to them:
- At Scottish Power when I was the BCM I used to run a call out exercise three times a year called “Bronze Receiver” to test whether I could get hold of the senior managers in the incident team out of hours. It was a good test to show that we could get enough people and roles to man the incident team. It also helped raise the profile of the BCM with the senior managers of the organization! It took 2-3 hours of my time but it gave them assurance people that could be contacted. If you have a notification system then you can use it, with the benefit of testing the system, getting people familiar with it and it is very little work for the BCM.
- Practice the first team meeting after an incident. Instead of going for a full blown exercise get participants to come to the meeting with a scenario, pull one out of hat, and then have the first team meeting as if the scenario had just taken place. The team can practice working to an agenda, think through the issues and identify the actions the team members would have to carry out. As the first incident team meeting should take no more than 40 minutes your exercise would only take an hour including the debrief.
- If part of your recovery strategy is for staff to work from home, then practice this. Have a work from home day and see if it can actually happen. Give lots of notice and perhaps even have extra people on the IT help desk to help people who have difficulty logging on to systems. Once people have worked from home and are aware of some of the difficulties (slow connections, need to take their laptop home, lack of access to files etc) you may have to adjust your strategy or put some more work and training into make it work. Once you have done it a number of times then have a ‘no notice’ one and you can practice your call cascades at the same time telling people not to come to work the next day!
- If you have work area recovery spaces then you should have tested them to make sure your staff can access all the systems they require, can take calls, are familiar with their surroundings and how to get to the WAR location. Further exercises can be done with little or no notice.
- The other areas I will suggest they look at are some of the auxiliary issues to the recovery. If they have a casualty or casualties how are they going to deal with them, including some of the longer term issues such as assigning a liaison manager to the family, funerals and anniversaries? Dealing with the press and PR can be another issues as well as dealing with the HR issues of people working from home or working at a recovery centre.
So once you have a good working recovery plan in place, don’t go through the motions of doing the same exercise every year with the learning points diminishing each time. Get the team thinking about other aspects of the recovery which can often be done without a lot of time or expense but adds value and robustness to your ability to recover after an incident.