Yeah, I know, I know … we don’t have “tests” we have “exercises”, because tests imply pass/fail and exercises imply getting stronger. Yeah, I used to sing that same silly song, too.
I now understand that there are times when you need to test; times when you need to drill; and, times when you need to exercise. You do need to test your solutions to make sure that they do, in fact, work. You do want to know if you can “pass the test”. You may refer to these as validation tests.
I’ll take it a step farther and would even like to see us test the people. I think it would be great to gather our key business continuity players, managers and employees into a room and give them a regular, school-like, no. 2 leaded pencil, don’t start until I tell you to, and put down your pencils when instructed, actual tests. Why not?
I would like to ask key players and managers questions that they should know about our Emergency Preparedness, Business Continuity and Disaster Recovery Programs. These questions might include:
- If the fire alarm went off right now:
- What would you do?
- Where would you find evacuation routes posted?
- Where would you congregate once outside of the building?
- Who are your floor wardens?
- If you received a bomb threat on the phone, what would you do?
- If you got a call at 2:00 am that the building had burnt down…
- What would you do?
- Who would you call?
- Where would you go to work?
- Where would you find your Business Continuity Plan?
- If the Data Center experienced a disaster…
- What applications that you use would be recovered?
- In what timeframe?
- What would be the status of the data?
- What applications would not be recovered?
- What business processes would you be expected to continue?
- What business processes would be temporarily suspended?
- If you do not know the answers to any of the questions on this test, where would you go to find them?
- If we experienced a disaster and you weren’t available to participate in the recovery, who has been trained to play your role? Have you trained them to be successful in this effort?
I could go on, but I want to try to make this an interactive blog and challenge you to post the types of questions you would want to include on this pencil to paper test. You can do so by posting a comment to this blog.
You can exercise your solutions all you want. You can physically recover hardware, applications, data, networks, etc., time after time – but there are some things that people need to know when the alarms go off or your ability to execute your plans will be severely hampered.
How do you think your organization would do if given this kind of test? My bet is most companies would not fare too well. There are historical cases where adequate recovery capabilities were in place but the people were not educated well enough to implement these capabilities at time of event. How better to determine our level of preparedness than to give them a test?
You can exercise and get as strong as you want, but if you can’t pass the test … you will fail.