My wife decided we needed a bench just inside our front door. She went to various shops and found one – for $400. Being a relatively handy guy, I thought I’d build my own. So I downloaded a set of drawings from the Internet, read up on some woodworking techniques and made a list of everything I’d need to complete my project.
So, was I prepared? Not really. I hadn’t tried some of those woodworking techniques; and my bench would be made from mahogany – a very expensive wood. If I had any hope of achieving my goal, I needed some practice. I could use scrap lumber. And I wouldn’t have to build the whole bench – as long as I practiced the techniques with which I was unfamiliar. Otherwise, I’d waste some very expensive wood, cause myself headaches and have to listen to my wife point out my shortcomings.
There’s a direct parallel with a Business Continuity Plan here. Just because all the relevant information has been catalogued doesn’t mean you can actually recover whatever it is your Plan says you can.
Just because a Plan says that doing A, B, C will lead to a successful recovery doesn’t make it so. You could write a plan to put men on Mars – but just writing about it doesn’t mean it will work.
Whether or not you can successfully carry out your Business Continuity Plan is unknown unless one of two things happens: either you test it, or you use it. Do you really want to find out your Plan doesn’t work as the building floods or the backup generator fails? By then it’s too late.
Then why do so many organizations fail to test their Business Continuity Plans (and they do!)? I’ve been in the industry more than 20 years. I’ve heard most of the excuses: no time, no resources, it’s not in the budget, my boss doesn’t care, it’s not in my job description, it’s a waste of time, it doesn’t impact the bottom line… and on, and on, and on.
If you can’t find the time and resources to test your Business Continuity Plan, why would you bother to spend the time and resources to maintain it (or write it in the first place)? Of course we all know that answer: to avoid an audit write-up. So is failure to test the auditor’s fault?
Testing need not be time-consuming or expensive. Start with a simple Table Top Exercise. Notice I called it an Exercise – not a Test. If no one wants to participate, why dampen their enthusiasm even further (if that’s possible) by announcing you’ll be grading their success or failure? Don’t. The point of every Exercise ought to be to find the gaps, weaknesses and useless fluff in the written plan. The more you find, the greater the success of the Exercise.
When completed, make sure the Plan gets updated to account for those gaps and weaknesses (and gets a thorough de-fluffing). Then do it again (using a different and more difficult scenario) as soon as practical. Exercise the Plan together with the Plans for other related functions. The more you Exercise, the more the participants will be prepared to act when something happens.
Testing is the only way to find out how your Business Continuity Plan will perform. It may not result in a perfect Plan – but that Plan will be worth a lot more than the paper it is printed on.