BCP Testing Outside the Conference Room: Hello, Real World
When most people envision Business Continuity Planning (BCP) and table top testing, they conjure up images of conference rooms, hardcopy documents, projectors and key personnel. But the real world is a different reality.
In recent memory, there have been many situations that have disrupted businesses - be it by natural disaster or as a result of human interference. In either event, people need to be able to reestablish essential business functions, communicate, and make decisions as quickly and easily as possible.
Although many organizations do an annual BCP review, the big question is whether they truly test the process, ease of accessibility, and the time it takes an organization/leadership group to go from unsure about the situation to confidently executing a thoughtful game plan.
What can make a considerable difference in terms of functionality and familiarity with the plans and recovery procedure is practice - not only verbally in the conference room setting, but also by taking time to troubleshoot and brainstorm to determine what works and what may need a second look. There is a lot that can be learned from being unplugged and “kicked” out of the conference room and asked to assume a role outside of the comfort zone. This can be done simply by taking away some of the accepted norms during a test.
The following scenario illustrates issues that arise when the accepted norms are chipped away.
A Simple Scenario: An Unexpected Evacuation?
Building evacuations happen at least once a year for fire drill purposes; however, there are other reasons that can require a building to unexpectedly evacuate. Some examples include fire, carbon monoxide release, utility failure, threat (bomb/active shooter/terrorist), structural failure, major storm, earthquake, and so on. Most often, people evacuate a building without knowing the situation that caused the evacuation.
The alarm sounds and people begin poking their head out of offices or above the cube walls with the “What’s going on? Is this for real?” look that so often is a response to flashing lights and loud noises in the business environment.
Eventually you will be outside of your building. What did you make sure you had before you headed down those stairs - wallet, purse, cell phone, maybe an employee checklist, an emergency grab bag? After you are outside, you realize that this isn’t a normal fire drill. It’s something more and you’re not going to be allowed back into the building. Now what? Do you have what you need to activate, run, and continue normal business functions?
Given the complexity of emergencies and recent business disruptions, it’s always a good idea to look for areas where improvements can be made. Below we will review some key elements of an effective mobile recovery response strategy.
Back to our scenario.
Using whatever you brought out of the building, you attempt to communicate. If you are ahead of the game, you may have a call tree or automated messaging system in place, but communication issues can still arrise. For example:
Can you activate your automated messaging system to communicate with employees, partners, and vendors via your mobile device?
If you utilize a social media account or outside vendor for BCP communications, do you have access to the systems and know the passwords?
Is there an internal BCP message approval process that must be followed before sent or posted? If so, can you reach the key BCP members to for approval?
Events like the Boston Back Bay Backout of 2012, Hurricane Sandy in 2012, and the Boston Marathon Bombing in 2013 have shown us that connectivity to our mobile device isn’t guaranteed and can be spotty at best. Finding locations with hard-wired Internet connections can be an alternative or, if possible, having another office or person in an unaffected area “drive” the initial communications until your Business Continuity Team/Recovery Team is set up.
Key Personnel/Decision Making
Key considerations here include:
Do you have a Business Continuity Team/Recovery Team?
Are they familiar with their roles and responsibilities when activated for Disaster Recovery (DR) situations?
Is there a policy or understanding of who has responsibility for making final decisions on issues if the team cannot be assembled or a decision is needed immediately?
How often are the backup personnel tested and involved in testing and BCP discussions?
If the disaster event is affecting only one building, alternate locations may not be an issue; but, if an entire block or area of the city is experiencing an issue and workers are evacuating, then you will have to expect some issues traveling - whether home or to an alternate site. An additional factor that can impact transportation is if the local authorities decide to shut down public transportation for safety purposes. You may have to consider how or even if your employees will be able to get home or perhaps look for alternative lodging solutions.
These are the questions that should be addressed within your BCP and DR strategies. In a time when everything is available and preferred in electronic format, it’s sometimes difficult to stress the need for updated paper copies to be available. Unless you can guarantee that your BCP, contact list, recovery strategies, etc. will always be available electronically, there will always be a risk of not having the information when you need it most. Consider developing a grab bag that can be carried by the company safety officer or floor warden during an evacuation. The grab bag should contain all your hardcopy documents, additional phone/mobile device chargers, extra external batteries, laptops, emergency cellphones, and anything else you may need should the situation arise.
In summary, no one knows what the future holds. Disruptions are inevitable and you should exercise your BCP and recovery plans as they would be used during an actual event. Incidents don’t happen while all the key players are present in a conference room with everything working. Your exercises should be geared to the unanticipated emergencies that can disrupt and disable your business.
Here are a few other Business Continuity resources you may find valuable: