For all our supposed ‘maturity’, the Business Continuity industry can’t agree on some of the simplest things – like terminology. When it comes to proving the worth of BC and ITDR plans, getting the terminology right should be easy. Do you test – or do you exercise? There’s a simple way to look at the two terms:
Testing assumes a ‘grade’ will be given (even though it may be Pass/Fail).
An Exercise, on the other hand, assumes working toward a goal – and learning from that experience.
That’s not to say that participants won’t learn from a test. But in a test, the focus is on the grade, not the learning experience. No one wants to have to explain a poor grade to their boss. There are certainly circumstances in which conducting a Test is appropriate (for example, when attempting to verify the recovery time of an IT component), but unless a specific – and measurable – goal is the test objective, then an Exercise is more appropriate than a Test.
On the Technology side of BCM, tests are common. We need to verify our capability to restore a database, or an application or network access. We can do this in parallel with current operations, but you can’t prove those capabilities in tabletop exercises. You must test those capabilities – in real time, under as ‘real’ conditions as possible.
But the opposite is almost always true for Business Continuity Plans. Unless a BCP test includes sending the responders to their alternate site, or home, to prove they can accomplish their recovery goals, you can’t really test their Plan, you can only exercise it – to assure everyone knows what to do (without actually doing it).
Tests pose a morale problem. Nobody likes to fail (especially if the boss will find out about it). If you want to retain the cooperation of Plan Owners and other BCP participants, don’t set them up for potential failure. Tests have their place – but ‘testing’ BC plans can be a cause of disillusionment. Some plan owners will intentionally make their plan as simple as allowable to assure they’ll pass the next test – rather than think through what they’d really need to do following a disruption or disaster.
So create BC Plan exercises with one clear objective in mind: to improve the viability of each Plan.
Don’t make the exercise scenario (or the parameters of the exercise) so easy that everyone finishes thinking they’ve got a bullet-proof Plan. Exercises should be difficult, or at least challenging enough to expose holes in Plans. Position the discovery of previously unknown flaws as a positive result. Finding holes enables the Plan Owners to fill them. Filling the holes makes them more prepared when a real disruption occurs.
Make the exercise worth their time and effort. Successfully conducting a Plan Exercise (without grading the result) will enable Plan Owners and Recovery Teams to improve their Plans, their Business Processes, their Department and the organization. Your BCM program will benefit from the results of those exercises. But nobody benefits from a failed ‘test’.