The BCP Drill
When you run through your BCP drill, it is important to understand why you need to exercise your Business Continuity Plan, and where it fits in with the rest of your Disaster Recovery Plan (DRP or DR Plan). Your BCP drill is, in the most basic summary, a paper exercise to ensure that you evaluate all stages of your Business Continuity Plan and, sometimes, your Disaster Recovery Plan.
The difference between Business Continuity and Disaster Recovery
The BCP drill will focus on Business Continuity, but may also cover Disaster Recovery. There are distinct differences between them, but they are often used in concert with each other. Business Continuity is the ability to continue to operate as a business during a disaster. This often means using non-technology systems, manual processes, or new locations to complete basic business operations.
Business Continuity is often forgotten during IT or technology outages, and many businesses end up failing during extended IT problems.
Business Continuity may include using paper operations, using outside services or systems, or moving operations to a disaster centre. Disaster Recovery, however, is the process of recovering data, systems, and operations to a working state – which in many cases means recovering operations to a pre-determined DR site or system. The difference boils down to planning to continue working through the problems versus planning to recover to normal operations.
The need for a BCP run-through
Once your BCP or DRP has been developed, you should run a desk exercise to run through what would be done during a disaster. Whilst a DRP is focussed on recovery, a BCP has its roots in getting the business operating. You need to consider both the treatments and the risks of enacting your BCP. The BCP can include steps such as:
- Paper or manual processes for taking orders or transactions – what needs to be recorded and what do you do with the paper? How will you ensure transactions are acted on and not lost?
- Using personal phones and/or email for communicating with customers – but how will your suppliers know to trust emails from new addresses? Will your customers answer communications from new numbers?
- Using old equipment or tools to execute business operations – but do people know how to use the tools, and will they meet your customers' requirements?
- Announcements on social media (Twitter, Facebook, LinkedIn etc.)
- New physical location for staff – is this work from home, or a new location? How will you connect and equip the temporary or new location? How long can your business operate in this state?
It is important to get all the managers and leaders together in a room, and dedicate their time to running through the Business Continuity Plan. These should be the same people who would be involved in a real BCP event, and the exercise should not be ignored by managers and leaders. It is only by running through this process that gaps and problems can be identified and that all departments and teams become aware of what will happen, and of their responsibilities.
What the BCP drill will be like
Your table-top paper exercise should start with a scenario – such as an office fire, cybersecurity ransomware, natural disaster, key system failure etc. – and then the managers and leaders in the room will go through their plans verbally or with presentations of what they would do. Others in the room will either challenge the activity for gaps and inadequacies, or accept that the stage/step is complete and move on to the next team/manager/department’s actions.
It will be best to have a mediator or facilitator who can prevent the group getting stuck on minor details, and to ensure that the context of the hypothetical scenario is followed. Another benefit of a good facilitator is that they can challenge that all steps have been followed – such as asking if there is a documented step for communication to the next team, and where the contact list is held, and if the contact list has personal details in it.
All people around the table can ask “what if” questions, or spend time to consider how the action can be improved. The result will be an enhanced plan, and probably an increase in actions to store tools or information. In my view, it is a positive from the BCP drill that it has failed – this means you can improve it and learn from your failures.
A DRP is not a BCP
A key component to understand is that a Disaster Recovery Plan is not a Business Continuity Plan. The steps to ensure the business continues to operate will be different to the plan to recover to normal operations.
A Disaster Recovery Plan is not the responsibility of IT – neither is a Business Continuity Plan.
It is a misinterpretation to believe that the IT department are responsible for ensuring the business returns to normal after an incident. Whilst it may be that the business highly depends upon IT services (and so IT should get more budget…), the ability for a business to operate is not purely tied to the recovery of IT systems. And a BCP drill should allow this to become apparent.
Recovery after the recovery
One step that is often ignored in DRPs and BCPs is that once a plan has been enacted during a disaster, the business is in a temporary state of alternate operations. There needs to be a second recovery performed – to move from the temporary state back to a fully operational state. Consider transcribing paper records and transactions back into operational systems, and getting personal records (and emails) back into business systems. How do you inform customers and suppliers that everything is back to normal, but that they need to re-supply information?