Imagine being the coach of a great team with high expectations for winning the championship. You are a world class leader and have surrounded yourself with brilliant assistants – each well known in their respective disciplines. You also have a roster of superstar players. Weeks before the big game, you and your assistant coaches pour over film of the opponent, study their strengths and weaknesses, and meticulously design a powerful game plan based on technical and artistic analysis. The plan is great, and everyone agrees that it will set the groundwork for a huge victory. Each player on the team receives a full color, spiral bound version of the game plan.
Between this time and the big game, there is much to do, and with the media days, budget meetings, and sponsor obligations, you never get around to getting the players out to the practice field to run through the new playbook.
On the day of the championship game, everyone seems calm and confident. After all, everyone has a copy of the most magnificent plan they have ever seen. Some of the players have read the chapters that contain the insights to their position, but most assumed that it would be common sense, and since they were experienced athletes they could do what was necessary to win.
As the game starts, you see a few good moves, but not exactly aligned with the plan, and very little communication between players. By the end of the first half, chaos has set in. Frustration among team members is obvious and key strategies have been missed. Since the game plan was not being followed by the team, it has forced the coach to shift formations and player positions on the fly, and to make reactive decisions without having timely information. Ultimately you have trouble matching up to the challenge and end up losing the game.
I realize that a world class coach would not take this approach because he or she knows that the secret to success on game day is proper training. The game plan is part of a successful outcome, but unless everyone on the team understands their role and respective responsibility, there will be confusion. And when the game is on the line, every moment and decision counts. Bad or delayed choices can result in catastrophe.
So it is with business continuity and disaster recovery planning. Many organizations have built elaborate, technical, and process-centric plans to help them mitigate risk and manage through a crisis. Often there are hundreds or thousands of hours invested in these plans. But if the plan has never been tested, or if key individuals aren’t familiar with the details, there is a strong likelihood that the plan won’t work the way it was intended. Often this leads to teams trusting their own intuition and judgment over an approved and purposefully designed plan, commonly referred to in the United States as “winging it”. Taking this route almost always leads to failure.
As a business continuity professional, I have facilitated nearly 150 disaster drills, business continuity exercises, and security incident response tabletops for clients large and small across many industries, and I would separate organizations into two camps based on whether or not they feel it is important to test their business continuity and disaster recovery plans. Those that test their plans regularly and involve many different team members are far readier to manage through a real crisis than those that don’t. It is about practicing well to enhance the organizational readiness.
Drills and exercises also need to reflect scenarios that are possible and realistic and must be designed with an intentional pace so that real world conditions are simulated. here is value in simple tabletop exercises to be sure, but organizations need to move beyond these to progressively more complex scenarios, involving cross-functional teams and interdependent systems and processes. This is the only way that a company can get outside its comfort zone to truly understand if what they have designed will really work. My preference is to involve role-playing, actors, and include participation from vendors, business partners, and local law enforcement when appropriate. This will almost always result in lessons learned and opportunities to improve the plan, which is another great outcome.
Creating a memorable business continuity exercise is about blurring the lines of reality to transform participants into another paradigm. They take the team out of their comfort zone by carefully injecting conflict and exploiting expected or perceived weakness so that role playing is a challenge. They take advantage of personal relationships and organizational culture to maximize results. Great exercises are both fun and full of learning. If you design and facilitate it well, everyone in the company will want to be part of your next one.
As a team leader at one of my clients said, “If you train people to leisurely stroll into a conference room with a doughnut and coffee and talk about a disaster without the stresses of a real life situation, then teams will expect that this is how a real disaster works”. I encourage you to expect more from your teams. Expect a high level of readiness to handle any type of business continuity event.
The bottom line is that if you haven’t tested your business continuity, disaster recovery, and security incident response plans, you aren’t ready to manage through a disaster. You may have been able to check off a box in your compliance audit, but you are not likely to achieve success.