How To Build A Mock Disaster & Test The Recovery Plan
When was the last time your organization conducted a mock disaster exercise? If you can’t think of a single instance (or if you’re taking too long to consider your answer), then your well-laid disaster recovery plans aren’t likely to be recovering anything anytime soon.
If you start performing those exercises now, however, there’s still time to turn things around.
What is a mock disaster exercise? It is a simulation of an unplanned disruption that requires participants to identify the actions and steps they would take to successfully respond, assess the impacts, activate resources, and recover in a timely matter.
Why is it so important? Because this type of “mock” testing validates your recovery plans and strategies (both of which are based on a formal business impact analysis that has been analyzed and shared with management). Having a set of written directions is only the first step in a two-part process of disaster response planning; the second step is testing those directions to see if people can actually put them to use. Could your team really respond, activate, and recover? You’ll never know unless you put them to the test.
Testing Your Recovery Plans
Let’s walk through some of the important considerations involved in conducting mock disaster exercises, starting with the types of exercises you can use.
Types Of Mock Disaster Exercises
Staging a mock disaster doesn’t always mean a full-blown, company-wide, daylong drill. There are four types of mock disaster exercises:
- Desktop exercises. Here, people gather around a table and talk through what they would do when presented with a disaster scenario. It’s best used in situations where employees are unfamiliar with business recovery planning and need guidance on how recovery processes work.
- Walk-through exercises. During a walk through, participants gather in a common room and identify the activities necessary to respond to a disaster scenario. It’s simple and low stress, similar to desktop exercises, but it requires a greater level of mastery.
- Functional drill. In this case, participants perform the recovery tasks, including actually going to the backup site. However, the exercise does not impinge on the actual functioning of the business.
- Full-scale drill. The entire company gets involved in this exercise, which shuts down the business for the sole purpose of starting it up again at the backup site. Companies that perform full-scale drills have a mature business continuity program and are well-trained in recovery strategies.
Building A Mock Disaster Scenario
The business continuity team is responsible for planning the mock disaster scenario. As your team works through building the scenario, you’ll create a planning document that includes:
- The scenario
- Names of participants
- Scope and exercise boundaries
- Assumptions about the facts surrounding the exercise (i.e. the disaster won’t affect more than one location, etc.)
- Goals and objectives of the exercise
- Logistics detailing people, process, technology or supply requirements
It’s important that the scenario tells a believable story: What brought on the situation? What happened as it progressed? How did the situation come to an end?
Whatever scenario you choose must fit the company realistically, or people won’t be on board with playing along.
In coming up with the scenario keep the following in mind:
- Look for subject matter experts who can help plan a realistic exercise. If it will be a technology-related incident, include someone from IT; for a facility-related incident, get someone from facilities. Because they are now part of the planning, those people will not participate in the exercise, but they may observe or evaluate.
- Choose a scenario that can be responded to successfully. A nuclear catastrophe or a pandemic pose difficult situations that may not be feasibly recovered from within a specific time frame.
- Build an exercise that works within your time constraints. Businesses vary in the amount of time they’re willing to allow for an exercise; it usually ranges from two to four hours.
- Plan around your areas of weakness. The more you know about the areas you’re trying to fix—stronger leadership, better informed participants, etc.—the more successful the exercise is likely to be.
- Plan for and gather the necessary resources. Think through everything you’ll need for the exercise—people, processes, technology, etc.—and ensure that it’s all in place.
- Match the exercise to the maturity of the team. If your team is in the learning stages, start with a tabletop exercise. But if your program is mature, test it rigorously with a full-scale drill and a challenging scenario.
Planning tip: Don’t share the exercise or scenario with anyone outside the planning team! If people know ahead of time what’s going to happen, they’ll come prepared, and the results will be compromised.
Mock Testing Methodology
Ideally, testing should be done at least twice a year. If that’s not possible for your company, strive for one major test along with a few smaller ones (30 minutes each) throughout the year. Either way you can still achieve your goal—getting people to make good decisions and work together.
Our methodology for carrying out mock disaster testing exercises is as follows:
- Make sure you have the “right” participants. In addition to the crisis management team leader, the other participants should be those who have already been named as responsible for making decisions, activating plans, and implementing the necessary steps for recovery.
- Make sure the right planning has been done. The plan should be at the right level of complexity for your group. Don’t throw too much at them if they’re not ready.
- Increase the complexity level over time. As your team improves, increase the complexity and difficulty of the exercises you perform. Doing the same exercises every time won’t push anyone to improve.
- Ensure that participants have been trained in the recovery strategies. One thing I’ve learned from my brother in the fire service is that people perform best when they have two forms of reference—their training combined with the experience of real (or simulated) situations.
And don’t just train the A-team; bring in some employees designated as backups so everyone learns to work together.
- Make sure the exercises match the maturity level of the team. Use more complex exercises where appropriate.
- Document the results. Ease people’s fears that an evaluation will get them in trouble, and instead focus on how the team could perform better. Analyze how the test went and what you learned. What key problems came up with the disaster recovery plan or the execution of the plan? What can you do to fix those issues and be better prepared next time?
- Update and improve the mock disaster process.
Testing tip: The right facilitator can have a huge impact on the success of a test. The person you choose to be at the helm of the operation must be able to help people learn from the experience. Not only should the facilitator ensure that people are following the process and getting to where they need to be, he or she should also know when to stop people, when to help them, and how to keep them going.
Mock disaster tests are an important part of disaster response planning. Is your business conducting them regularly? The next time someone asks, make sure your answer is yes.
Michael Herrera is the CEO of the business continuity consulting firm MHA Consulting and the founder of BCMMetrics, a cloud-based tool designed to assess business continuity compliance and residual risk.
Download our Business Continuity Exercise Checklist!