All too often, organizations that do have Business Continuity Plans (BCP) in place rarely test them. Those that do, go through a typical tabletop exercise. Organizations that have Disaster Recovery Plans (DRP) generally test them, but why? I ask why because it has been my experience that the “tests” are an exercise in futility. I say futility because they are tests to satisfy an audit that prove very little.
It is kind of like high school in that class you had to take. It was being audited by the state so the administration made certain to put it on display. Funny thing was that everyone knew the answers to the questions because they had taken previous tests over the same topics many times. This is what a great majority of Disaster Recovery (DR) tests mimic.
I wholeheartedly believe in random auditing of BCPs and/or DRPs; however, learning something by exercising is more valuable. As much as that class in high school was easy, we never really learned something from it. The history class measured our learning via the testing mechanism and corresponding score, but it taught us something by challenging our recall of facts. BCP / DRP testing must do the same. We cannot afford to go through the motions every time we perform these tests. We cannot always design them for “success”. We have to throw new scenarios into the mix, fail different portions variably, introduce multiple disasters, and so forth.
One common practice that drives me nuts is the usage of the same experts every time. I have observed and assessed thousands of DR tests. The ones that were most valuable were the ones where I was interactive; asking person A, D, & G to step out to simulate inaccessibility (potential fatality). Please do not misunderstand, I am not advocating that we write BCPs and DRPs so that the receptionist can perform them; however, we must develop new talent and grow our programs by challenging them. Going through the motions does not prepare us for the event that caused the disaster. Thus, the adage still holds true; fail to prepare, prepare to fail.
The failure in testing for success is it undermines the basic premise of the Business Continuity and Disaster Recovery programs, not to mention our integrity. This premise is risk management – accept, assign, or mitigate. If we test the same scenario over and over, it fails to prepare the organization for reality. The reality that most often there are multiple failures within a disaster and the greatest hurdle technology faces in a disaster is the synchronization of the environment as a whole after “restore”. In turn, the idea that we were protecting the revenue stream and business function is out the window in the wind. We have not protected anything outside the exact disaster scenario “tested” for over and over again.