I recommend that all businesses perform a paper exercise of running a BCP drill, as a way to tease out the conceptual and procedural issues associated with planning for business continuity. It can be a desktop process of running through the BCP plan, and it helps to have a critical view in the room – if this can be an external person, the process is even better.

BCP vs DRP

If you have read my other articles about BCP vs DRP, you will know that there is a clear separation between Business Continuity and Disaster Recovery planning. A BCP drill will allow you to evaluate the ability to continue to run your business, which you need to do during the process of Disaster Recovery. The BCP/DR balance is often pushed onto the IT department, with the assumption that a backup is sufficient to provide business recovery – but this is a major mistake.

What business are you in?

Unless your core business is in providing active and live IT services to customers, your BCP should have little reference to what the IT department is doing. A Business Continuity Plan should outline the steps that you will need to execute in order to continue to operate in the event of a problem. This could be: the failure of power to your building, the failure of a key supplier or provider of services, the loss of a site or building, burglary, political issues (such as trade regulations changing, a port being closed, etc.), or even the resignation of a key staff member.

So, a BCP drill or BCP run-through can be a useful tool to plan for “what if” scenarios that will affect your business. The BCP drill could also include a scenario such as a hacker, a virus or a failure of IT systems – but that is not the only thing that could happen.


A well-prepared BCP should be based on a BIA (Business Impact Analysis) that identifies which parts of your business depend upon each other, and what the relative importance of each activity is. Using this BIA, you can plan the scenarios that you will challenge your BCP drill attendees with.

BCP drill best practice

A desk exercise should be done annually, but it depends upon your business (and the issues identified in the BIA) – some fast-moving or high-risk businesses may need to trial some scenarios more frequently. The first few BCP drills may require giving people prior warning of the event; however, as the business matures and the DR/BCP understanding is broadly known, these can be arranged “as a surprise”. When a real disaster strikes, it won’t be pre-booked in people’s calendars!

The attendees should not be solely senior management, or even middle management. Invite some regular staff to the exercise, as they may be the ones enacting the Continuity Plans. The BCP drill is a test to ensure that people know what to do, who to contact, what is important, etc., so the group should not be made up solely of executive staff. The regular staff may also surface some knowledge that is not held by management, which is one of the main reasons for doing the BCP drill.

A prepared scenario can be outlined, ideally by a third party mediator. This mediator, by being external, will be able to explain the external factors of the scenario without being influenced by close knowledge of how the business is structured and how it operates. The mediator should explain the theoretical threat at a high level, without explaining too much.


The BCP drill attendees should explain their response and, if applicable, attempt to access information such as documentation. The mediator should be able to challenge the responses – such as “what if you don’t have her phone number, where can you get it?” and “that system is unavailable, so how do you get that document?”. Depending on the personality of the mediator, the questioning can get very negative – and a failure of the desk exercise is not only expected, it is also desirable, because you learn more from the mistakes.

Process and practice

One of the most useful outcomes of any BCP drill is that it surfaces gaps in knowledge, breakdowns in process (including steps in the process which either won’t work, or assume that something else has already happened), and undocumented or inconsistent practice.

Try it one day, and you will surface some amazing issues – mostly that the business thinks that IT will come to the rescue!
