Relevant Contents
Need Tailored Business Continuity Insights?
Contact Us Now for Personalized Guidance!
Has your organization ever been attacked by zombies? We don’t know any companies that have been, although we do know some that have used this as a scenario in their disaster recovery exercises.
In today’s post, we will discuss the pros and cons of using zombie attacks and similarly imaginative scenarios in your mock disaster exercises and also share some general tips on how to make the most of such exercises.
To begin, we will provide you with a quick refresher on the different types of DR exercises that businesses commonly conduct to assess and improve their capability to respond to emergencies.
Types of DR Exercises
Here’s a quick taxonomy for business continuity and disaster recovery exercises.
Information technology and disaster recovery (IT/DR) exercises are technology-based. They focus on recovering processing functions, applications, systems, and data centers. These exercises look to see whether the organization can restore its technology and get it running again. They are very important but are not the be all end all.
Business continuity (BC) exercises focus on the actions taken in recovering your business processes, such as manufacturing, research, finance, and accounts payable (other than IT recovery). This can involve the ability to relocate people or processes to a new facility, if necessary.
The above exercises are conducted using the following methods (see the FFIEC Business Continuity Planning Booklet for additional information):
Tabletop exercises and structured walk-through tests are considered to be a preliminary step in the overall testing process and may be used as an effective training tool. The primary objective of this type of exercise is to ensure that critical personnel from all areas are familiar with the various plans (Business Continuity, Crisis Communication and Management, IT Recovery, Emergency Management, etc.) and that the plans accurately reflect the institution’s ability to recover from a disaster.
Walk-through drill and simulation tests (sometimes simply referred to as a “mock disaster exercise”) are meetings where the participants walk through how the organization would respond to an emergency scenario if it were to happen in reality. These DR exercises look at how management would assess the impacts of events, communicate among the parties, and determine whether to implement recovery procedures such as relocating to an alternate site.
Functional exercises, functional drills, and parallel tests are the first type of test that involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform actual recovery processing as set forth in the BCP and IT Recovery Plan.
Full-interruption and full-scale tests are the most comprehensive type of test. In a full-scale test, a real-life emergency is simulated as closely as possible, and the participants carry out a plan in the real world in real time, performing an actual failover from production locations or processing.
Kill the Zombies
We recently encountered an interesting article in Business Insider about Google’s use of IT/DR exercises. According to the article, Google’s DiRT (Disaster Recovery Testing) team makes frequent use of creative scenarios such as zombie attacks and Martian invasions, which is something other organizations we are familiar with have also done (as mentioned in the beginning).
At MHA, we favor more realistic types of disaster scenarios. We suggest that you “kill the zombies,” meaning that you do not use zombie attacks or similar movie or game types of scenarios. In our view, the key to the success of a scenario is making sure the actions people take to simulate a real action. A good source for realistic disaster scenarios is your organization’s risk assessment. If your exercise gets into “Where are we keeping the AK-47s?” you’re missing the point of the activity.
Whether using a tabletop or full-interruption exercises, we want the activity to elicit the appropriate stresses and reactions. It shouldn’t feel like a party with lots of joking and laughing because real emergencies are not like that. If participants have the idea they can simply hit the reset button if things don’t go well, the exercise will not achieve the intended result.
Out of the Blue
Should you tell people ahead of time that there will be a disaster recovery exercise or spring it on them out of the blue? In our view, you should definitely surprise them. Unannounced exercises are much better. The less planning people do, the better. This is the only way to see truly where things stand in terms of the organization’s preparedness. At the same time, the exercise should be carried out with the understanding that it will probably surface many issues that need to be addressed. The point of the exercise is not to get a perfect score. It’s to identify the organization’s actual functional capability.
In our experience, when people are told about an exercise ahead of time, they take the steps needed to do well on that specific exercise. This is not the same as truly increasing their readiness and resilience. The best way to do this is through unexpected DR exercises and rigorous post-test analysis, followed by targeted efforts to close the identified gaps.
Are there exceptions? See below to find out.
Build Your Stamina
Getting better at disaster recovery is like getting better at distance running. You have to build up your stamina. An organization must go into training just like an athlete would. Recognize that developing organizational skill at responding to emergencies is a process. It’s advisable to start with easy exercises and make them progressively harder as your people develop their disaster-recovery chops. In the beginning, you might let people know about the exercise ahead of time and even share the scenario, gradually providing less information as the organization’s program becomes more mature. As everyone gets more capable, make your exercises more realistic, including by not giving advance warning.
When Trouble Strikes
With luck, the only place any of us will ever have to face a zombie invasion is at the multiplex or on a video game screen. However, the chances that your organization will face some other type of disaster in real life are pretty high. You can increase your company’s ability to respond effectively by following the tips set forth above.
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.