How to Get the Most Out of Your BCP Tabletop Test
I have a friend who recently purchased a shiny new car. The day after, she called me up, excited and raving about its features and handling abilities: “…it’s perfect…the most amazing car…the best I’ve ever owned…” Congratulations. Then a week or so later, just after a major rain storm, I asked her how she was enjoying her daily commute in her fabulous new machine. With a pause and a sigh, she lamented that she doesn’t like it so much, after all.
Apparently, her ‘test drive’ at the near-by dealership consisted of few blocks’ jaunt through congested in-town streets – on a sunny day. She didn’t venture onramps to push the car’s ‘get up and go’ – or lack thereof; she failed to cruise at highway speeds to realize the unpredictability and uncomfortable ride of the low-profile tires; she didn’t snake it along curvy backroads to sample the apparent sloppy steering; and driving in the sunshine didn’t prepare her for its fish-tailing in the rain. She learned – the expensive way – that an insufficient test drive isn’t really a test at all. This is a notion that business continuity program owners should take to heart – and action.
Tabletop testing is crucial to discovering weaknesses and inconsistencies in your business continuity plans (BCPs) – while there’s still time for rectification and refinement. But if your organization is conducting subpar tests that don’t truly challenge your processes and responders, you, too, may be left with an expensive lesson.
So, how can your enterprise milk the most out of tabletop testing? Well, we have some ideas:
Making the Most of Your Tabletop Testing
Bring in Some Fresh Faces
Instead of conducting the tests with all tried-and-true BC literate personnel, invite a few new employees or those who haven’t yet been part of previous tests. In a perfectly choreographed incident response, all pre-designated responders would be onsite and ready for action. But good ol’ Murphy’s Law tells us that thingsdon’t always go according to plan. What if the flu borrows a good portion of your incident response team…on the same day and incident hits and forces your entry-level accounting employee to reboot the server? This angle elicits some real-life stress and problem-solving tasks that will be beneficial when an actual crisis hits.
Remove Key Elements
Rarely does only one process fail during an incident. When all processes and protocols are working, the response is easy. So, eliminate vital elements that are part of your response plan: shutdown the internet, bar access to the email server, knock out the share drive, etc. When you deny critical systems that are part of your plan, you understand the vulnerabilities, and force employees to think outside the response box. Should these elements be lost in a real crisis, everyone will be better prepared.
Deny a Creature Comfort
Incident response can be easier when the office isn’t 95 degrees. During your testing, drum up some unfavorable conditions, such as shutting off the AC; or move the team to the tiny coffee house, with less-than consistent WiFi, to conduct emergency communications; permit only portable solar battery packs for electrical hook-up; start the test as employees are arriving, before anyone has gotten settled and caffeinated…
Anything you can do to simulate real-life anomalies and unpredictability will benefit your origination’s ability to appropriately and calmly respond to a wider-range of crises, and ultimately, mitigate your downtime, loss, and damage.
Get resilience insights delivered to your inbox.