Disaster Recovery 101
10 ways to test your plan in a conference room
By Laura Haight
Originally published as the Digital Maven in Upstate Business Journal
It’s fairly common for businesses to think short term, to not worry about what isn’t right in front of them. That’s one reason it’s a struggle to focus on disaster recovery or business resumption planning, or to build up stronger security practices to firewall against cybercrime.
Take hurricanes. Over a 165-year period from 1851 to 2016, a total of 24 hurricanes hit South Carolina. In the last two years, we’ve had three, going from roughly one every seven years to one every eight months.
There’s no getting around it: Bad things will happen. When they do, it is the 3Ps you’ll have to rely on to get through: Policies, procedures, and planning.
Many businesses don’t have a formal disaster recovery plan. Those that do often don’t take the time to fully test the plan to find the vulnerabilities or the critical function that was overlooked.
Regardless of which of those buckets your business is in, a dry run of how you would handle a disaster will give you visibility into your strengths, weaknesses, and risks.
Here are 10 steps for setting up a “tabletop test”.
Identify the key players and note that they may not always be department heads. Depending upon the type of incident you’re dealing with, the payroll clerk or shipping manager may be a critical player.
There are different schools of thought about doing tests of individual departments vs larger units (in a big firm) or the whole company (in smaller businesses). My view is that, for most small businesses, the whole company has to respond together, so it should be tested together. No department is an island.
Determine the goal for your DR plan. This will depend on your type of business. If you are a 24X7X365, like a newspaper, hospital, or law enforcement agency, you have to prepare for all scenarios. If you are a service business - law firm, marketing company, consultant - you may be able to just shut your doors for a day or two. But you may need to plan for continuing operations, including access to records, files, contacts, if your offices are severely damaged or destroyed.
Establish a scenario. Disasters come in many forms and the impact on your company could vary, requiring different responses. Consider situations that happen at night, or on weekends, as well.
Pick a place for the test. If you choose to do this in your office conference room, establish a “no interruption” rule. You need the same undivided focus on the test, as you do during the real thing.
Whatever materials people bring with them, make sure that these are things they would have access to regardless where they are, the time, or the day of the week a disaster strikes.
Test your response by walking through each step - not just saying “we need to call everybody” but by pulling up the DR calling list and making sure it is current.
Depending on the age of your plan, you might find there are new systems or vendors in place that are not included in the plan. In many cases, that makes emergency preparedness easier, such as VOIP phone systems or cloud-hosted applications. But only if critical users are aware of how to access them offsite.
Record all observations on updates needed, missing data, or overlooked steps, and assign a member of the team to prepare a complete list of action steps to be distributed to team members.
Yes, test again.
The tabletop test is a few hours out of your day to determine if you are as ready as you think you are for the next unexpected hurricane.