Disaster Exercises Designed to Improve Operational Resilience
Put planning and preparation to the test with recovery exercises that validate your organization's business continuity plan and recovery strategies.
Published November 19, 2018 by Vicky McKim, AFBCI, MBCP, CRMP
At the Iowa Bankers Association’s Technology Conference, I had the privilege of presenting to IT professionals who were there to learn the latest banking technology trends and solutions, including risk management and business continuity. Managing risk exposures effectively is critical to mitigating potential business threats. This is especially true for the banking and finance industry, where cybersecurity breaches and credit, market, liquidity, and reputational risks can have devastating consequences for operations.
My presentation focused on designing effective tabletop exercises to prepare for potential threats that can’t be eliminated completely. I recommend that all businesses simulate an emergency operation center to practice business recovery. Through exercises, such as tabletop, walkthrough, simulation, test, or full recovery, business personnel can be trained to respond effectively to a crisis, minimizing downtime and improving operational resilience.
Types of Disaster Recovery Exercises
The primary purpose of the tabletop exercise is to familiarize employees with the recovery process by reviewing the business continuity plan and strategies for their department’s functions. When conducting a tabletop exercise, it is important to create a scenario that is realistic, using a high-probability, high-impact threat. This should be taken from the most recent operational risk assessment. Once the scenario story is developed, schedule individual team meetings to discuss the disruption scenario and outline appropriate responses. Each team should ensure their plan and checklists fully address all options for an effective and expedient response.
Walkthroughs are designed to verify that process recovery dependencies are adequately addressed in plans by inviting multiple teams that have interdependent functions to participate. When conducting a walkthrough exercise, validate dependency requirements and determine if they are accounted for in the recovery plan. Doing so will help uncover gaps between the plans of the individual teams. As you note those gaps, resolve the issues, and then update the plan documents accordingly.
Simulations provide a step-by-step enactment of a serious company-wide scenario to test the company’s recovery readiness. This is important to ensure the overall effectiveness of the business continuity plans and recovery strategies. Company-wide participation in the simulation should be required. This type of exercise includes role playing, where teams conduct briefings and practice issue resolution. One primary objective of a simulation exercise is to improve communications, both internally and to external stakeholders, while managing the chaos.
The test exercise validates the effectiveness of the IT business continuity and disaster recovery plan related to a business process. The primary purpose of the test exercise is to recover a subset of processes with the supporting technology offsite. In certain emergency scenarios, you may not be able to go back to your office. This type of exercise confirms the plan works at an alternative location and also reveals any gaps or faults in the recovery strategies or capabilities for a specific business function, such as payroll processing.
Full Recovery Exercise
A full recovery exercise validates the time needed to recover from a high-impact threat if everything is down at one time. This is usually conducted by heavily regulated or critical infrastructure service providers to test the duration of recovery for a simulated catastrophic destruction of business assets. This exercise should include all critical staff assigned the roles and responsibilities for both business process and IT recovery. Speed is important in this exercise. Few companies practice full recovery, but it is key to finding staffing capacity gaps and discovering the company's true recovery time capability.
5 Tips for Effective Disaster Recovery Exercises
1) Practice business recovery techniques regularly.
Business continuity and disaster recovery exercises are an effective method to eliminate gaps between interdependent team plans. It is the best way to familiarize a team with the process of response and recovery. Without a well-practiced business continuity plan, your organization could be unprepared for a crisis.
2) Start with a simple tabletop exercise.
A tabletop exercise is an easy, yet highly effective, way to begin solidifying your business continuity plan. It is recommended to start with tabletop exercises first and then progress to more complex recovery practices.
3) Use probable threat scenarios.
Simulating the most probable, high-impact threats will keep your business and employees better prepared and ready to respond when faced with a crisis.
4) Use injects.
Injects add more information to the exercise, exploiting gaps or vulnerabilities the company has yet to resolve. Often, these are messages typed on a slip of paper, delivered through an electronic notification tool, or given verbally to the exercise team, and they highlight communication problems or gaps in the plan. The team member receiving the inject may want to share the message with their team, since it could affect decisions during the exercise. This also tests their ability to recognize the need to communicate discovered impacts effectively to the rest of the exercise team.
5) Use exercise findings to improve your business’s risk management plan.
After completing a recovery exercise, your business should have a workable list of issues and gaps to address in the continuity plan. You may have even discovered new risks needing mitigation. Use findings to improve the disaster recovery strategies and practice the exercise again to ensure the updated plan’s validity. Once teams no longer discover issues, it is time to move to the next level of exercise.
What is your organization doing to prepare for potential crises?