This, of course, is a self-serving question – I won’t even try to disguise that fact – but I wonder how effective it is for Business Continuity and Disaster Recovery Managers to design, administer and facilitate their own tests and exercises.
I used to argue this point years ago when I was a programmer. I thought it was very important to separate the testing responsibilities from the programmer writing the code. It just seemed to me, if the person who wrote the program was also responsible for testing it, you wouldn’t be so effective. They would only test to see that the software worked the way they wrote it and not the way a user might use it – does that make any sense? I remember once another programmer asked me to help test their program. I sat down at the input screen and in the fields asking for dollar amounts typed in a bunch of letters – they immediately said – “No, no, no – those are numeric only fields.” “Yeah, well what happens if I put in letters?” The program aborted. Back to adding code checking the fields for numeric values.
In the case of Business Continuity programs I think there are a few conflicts of interest at play here. I think many planners use tests to highlight program weaknesses and increase awareness of policies and procedures, but, they are also responsible for many aspects of the program and, by human nature, will design the test/exercise knowing what they do well and what they do not. Maybe, having an outside entity, someone who is not prejudiced by the knowledge of what a particular program’s strengths and weaknesses are, would result in a more legitimate exercise.
Secondly, even though Business Continuity Planners are mostly responsible for preparing their organizations to respond to and recover from disasters, don’t most, if not all, of you also have some role to play in the implementation or management of the crisis during time of the disaster? If so, how well are you testing your process if you are the one preparing and facilitating the exercise?
One last segment of this commercial – I really do apologize for this, I promised myself I would try to be more subtle in using this blog as a blatant commercial – by using an experienced outside organization to develop and facilitate your exercise, we gain the benefit of the knowledge they have learned in participating in many exercises of other organizations and seeing what they have done well and what they have struggled with. Some of this experience will benefit your organization as they observe your responses and actions throughout the exercise. I know that I always find myself, at one point or another in an exercise, when discussing the challenges an organization faced in the post exercise review offering saying something like, “What I have seen another company do in this situation that seems to work for them is …”
I know this often comes down to a question of costs and budgets – what doesn’t – but, I think some planners just aren’t confident enough to have someone else come in and test their program and/or use the exercise as a means to promote themselves and their role in an organization. For programs that are mature and your real testing objective is to measure just how prepared you and your organization really are, maybe it’s time to bring in an outsider to help administer your exercise. If so … our phones are open.
Now back to your regularly scheduled show.