Ready.gov has put together a list of the benefits of testing. They also did a fantastic job of discussing the use of the term 'exercising' vs. 'testing':
Testing the Plan
When you hear the word “testing,” you probably think about a pass/fail evaluation. You may find that there are parts of your preparedness program that will not work in practice. Consider a recovery strategy that requires relocating to another facility and configuring equipment at that facility. Can equipment at the alternate facility be configured in time to meet the planned recovery time objective? Can alarm systems be heard and understood throughout the building to warn all employees to take protective action? Can members of emergency response or business continuity teams be alerted to respond in the middle of the night? Testing is necessary to determine whether or not the various parts of the preparedness program will work.
Exercises
When you think about exercises, physical fitness to improve strength, flexibility and overall health comes to mind. Exercising the preparedness program helps to improve the overall strength of the preparedness program and the ability of team members to perform their roles and to carry out their responsibilities. There are several different types of exercises that can help you to evaluate your program and its capability to protect your employees, facilities, business operations, and the environment
I know some people have become adverse to the word 'testing', feeling that if the test isn't 100% successful, it reflects poorly, like a failure. Personally, I use the words interchangeably. I think one key to a successful exercise program is setting the expectation with management that it is designed to find the areas that need improvement, and there will always be areas that need improvement.
In my opinion, if an organization is testing year after year and they're finding no weaknesses in the continuity plan, then they need to look at changing the testing scenario. Recovering the IT environment isn't proof of business continuity, it's one component. Some organizations may over-focus on IT recovery/resilience, at the expense of other plan components such as:
- Command and control procedures
- Communications with employees, shareholders and the media (employees may have been told not to speak to the media if an event occurs, but have you updated that direction to include not posting to any social media or taking unauthorized pictures during a recovery?)
- Alternate facility for employees to work in, both locally and farther away in the case of a large incident
- Staffing, cross-training and the need for alternate staff
- Managing customer communications and expectations
Testing is such an important component to the business continuity program. Once it's become an integrated part of the program, it's important to continuously reevaluate the scope and scenario of your exercises.
No comments:
Post a Comment