Test the organisation, not just the plan




By David Tickner, MBCI, Melbourne, Australia

This paper sets out why planning for the testing of response, recovery or continuity plans in isolation will not ensure that an organisation can survive a critical event. The paper and presentation not only show the real challenges but include a practical component based on examples of a proven, effective and innovative testing technique.

Note: the section headings will directly relate to the slides in the supporting PowerPoint presentation.

What's your Testing Baseline?

In practical terms, business continuity planners rely on a broad library of documents on which to base their testing plans and scenarios. At this conference alone it would be reasonable to assume that some of the following business continuity planning and corporate strategy documents are the drivers for the testing program:

- The BC Management Plan
- The BC Plan
- The BIA report
- The Emergency or Crisis Management Response Plan
- Crisis communication plans
- Operational or Service Delivery Procedures
- The organisation's strategic plan

A straw poll would clearly prove this. How many different base documents are used as the BC testing drivers? On the basis of the poll it might be worth considering what you are really testing. Have you set a clear business focus in your test plan, or are you just going through the motions?

Observations on Testing Response and Recovery Plans

The single greatest mistake made by continuity and recovery planners is to have the specific BC, DR or EM plan too close at hand whilst planning testing strategies and scripting scenarios for critical response, business continuity and disaster recovery exercises. The result of such a folly is a test that only replicates the plan step by step and process by process. Consequently it also replicates the plan flaw by flaw without necessarily uncovering those flaws. True compliance requires more than a basic test of the plan. Commonsense dictates that a test based on the results of a regular business impact analysis, a strategic planning document or even a contract or service level agreement would be far more effective.

Above all, the key to Business Continuity Testing is the business, not just continuity after an impact event. The testing should challenge and surprise the organisation and its stakeholders.

The Real Goals of testing plans

The primary goal should be a test that challenges both the plan and the organisation, including all of its stakeholders. To guarantee a better outcome the testing should not be planned or prepared by the planning consultant alone. Nor should it involve only those who helped prepare the plan. It must involve just as many staff, specialists and stakeholders who were not involved as those who were.

Imagine the effectiveness of a plan developed by a team led by a BCM specialist supported by key operational staff, divisional or regional specialists, key suppliers and customers, emergency services representatives and even your landlord. Not only will you have a more rigorous test plan, you are guaranteed to be capable of responding to all the challenges of the test.

In addition the test scenario should be unpredictable, driven by the same unexpected and unpredictable events as they might happen in any real business environment. The test scenario must be realistic and focussed on the risks and impacts highlighted in the BIA.

It's not just about testing the plan

The final phase of any testing program should be User Acceptance Testing [UAT]. UAT sources its validation and verification criteria from the original requirement specifications and not the functional specification prepared by the developers. In the same way, testing a BCP should go back to the real requirements. These must include:

- BIA documentation
- Strategic Business Plans
- Contracts, KPIs and SLAs
- MOUs
- Legislation and specific industry standards [e.g. Basel Accords, BS25999 etc.], and
- The BC Management Plan

Only after these have been taken into account should the specific BC Plan be considered in terms of the test plan. Each of the above original requirements documents contains key components that must be met by an effective BC Plan. Therefore to test the plan you need to verify and validate that those requirements are being met. If all the test did was to verify the content and processes of the BC Plan, then any errors of understanding or requirement contained in the BC Plan would never be picked up.

The Essentials of the best test plans

So the test plans and scenarios should have two mandatory components:

1. Content prepared by all stakeholders, internal and external, drawn from the original requirements and the key strategic goals of the business;
2. Random and unpredictable events and their sequencing. Exactly the sorts of experiences we should expect in any critical impact event.

Achieving those essentials

The first is achieved by creating a core test team with broad company knowledge and experience to identify those impacts and events that can happen, might happen, and surely will happen.

The second is achieved by replicating the simplest of all random event games: Monopoly. Through the use of the equivalents of a roll of the dice, the drawing of cards and the resultant impacts, multiple syndicates of stakeholders can share a testing exercise whilst no two syndicates would have exactly the same challenges, impacts and outcomes to address.

A case in point

Here is a simple example that was established to test plans for a major health authority in Australia in preparing for the influenza pandemics that eventually occurred in 2009.

** a brief working exercise of Pandopoly ** see footnote

One of the valuable by-products of this testing experience came only a few weeks later, when the area immediately around Melbourne was decimated by the worst bushfires ever experienced. In the aftermath, the health authority needed to deploy case managers, case workers and advisors into the bushfire zones. To ensure that they got the resourcing right, they returned to the "loss of key personnel" tables of their Pandemic BC Plans. They knew they would work in any circumstances. After all, they had tested them in many and varied ways during the syndicate testing.

The real upside of this approach

The beauty of testing in an unpredictable scenario environment is that stakeholders realise that good all-hazards plans can be effective for more than just the events for which they were intended. Thus they tested more than the plans themselves; they tested the organisation both internally and externally. You really can't do better than that.

What next? Applying the best options.

- Consider a change to your approach
- Form a new and independent core testing team, and allocate key roles
- Develop your backbone scenario with multiple options and outcomes
- Prepare your kit[s]
- Run your syndicate tests
- Record and review all results
- Review and update your plans
- Learn from the experience and then do it all again next time with different syndicates, a revised backbone scenario and as many variations to the random events and outcomes as you can come up with.

But remember to test the organisation and not just the plans.

One final thought

Consider the different planning and testing necessary for organisations that are either spread across multiple campuses, or where your organisation is one of many that share a multiplex environment: one building, one campus, an industrial estate or any one general location. How different would that be? Are you and your organisation testing your recovery and continuity capability for all circumstances or just covering the minimum for a tick in the box? But that's a discussion for another time.

****************

This paper will be presented with a supporting PowerPoint presentation built around the key sections.

Footnote on Pandopoly

Pandopoly, by virtue of its name and origins, was a syndicate based testing game. It was developed as the core Pandemic BC Plan test for the Department of Human Services in Victoria, Australia. DHS had 8 regions and 12 divisions covering multiple health and human services programs. Syndicates comprised personnel from divisions, regions and specialists [SMEs]. Chance factors related to the infection driven unavailability of key personnel. Community factors related to impacts on information, supply chain and infrastructure. The conduct of the test was as follows:

Flow chart here

During each round, each syndicate drew from Chance, Community and related numeric and alphabetic cards to drive the variables of their experience. After 5 rounds, no two syndicates had experienced the same challenge, so there was no cribbing!!

Since the Pandemic experience, expanded versions now labelled Continopoly have been developed. It was updated for more general use in 2010. The kit, to be briefly demonstrated with the paper presentation, contains:

- multi stage scenarios,
- equivalents to CHANCE and COMMUNITY cards [called IMPACTS and ENVIRONMENT]
- related impact and environment lists
- status dashboards
- single forms to be updated at each stage of the test
- other syndicate materials

As a result of attending this presentation, attendees should be more than capable of preparing a kit to suit their continuity and recovery circumstances.

***********

The Benefits of this Paper and Presentation to Attendees

1. It will provide an alternative and more effective approach to testing response and recovery plans.
2. It will show the real difference between testing the plan and testing the capability of the organisation as a whole to respond to impacts and events.
3. It sets out the value of planning and testing involving all stakeholders.
4. Syndicate testing using this approach provides a more time and cost effective outcome for all stakeholders.
5. Attendees will be able to examine the syndicate workshop materials.
6. This is practice and not just theory.
7. The presenter developed and refined the approach and can share the experience first hand with attendees.
8. As the presenter I am happy to share my experience and materials with attendees. I choose to do this as a professional courtesy.
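The round-by-round card draw from the Pandopoly footnote, as an added Python example that is not part of the original paper or kit. The card text, the 1-6 severity roll and the function names are assumptions, and "no two syndicates had the same challenge" is modelled here as no two syndicates holding the same card in the same round.

```python
import random
from itertools import combinations

# Constructed decks: the paper names the card types and their themes only,
# so the card text below is illustrative.
CHANCE = [  # infection-driven unavailability of key personnel
    "Payroll lead off sick", "Half the call-centre shift absent",
    "IT on-call engineer quarantined", "Regional director unavailable",
    "Two case managers caring for family", "Records officer hospitalised",
]
COMMUNITY = [  # impacts on information, supply chain and infrastructure
    "Courier service suspended", "Public transport cut to weekend timetable",
    "Supplier cannot deliver consumables", "Conflicting public health advice",
    "School closures announced", "Mobile network congested",
]

def deal_exercise(syndicates, rounds=5, seed=None):
    """Deal one CHANCE card, one COMMUNITY card and a 1-6 severity roll to
    every syndicate in every round. Cards are dealt without replacement
    within a round, so no two syndicates face the same card at the same time."""
    if len(syndicates) > min(len(CHANCE), len(COMMUNITY)):
        raise ValueError("more syndicates than cards in a deck")
    rng = random.Random(seed)  # seeded so the facilitator can replay the deal
    plan = {name: [] for name in syndicates}
    for _ in range(rounds):
        chance = rng.sample(CHANCE, len(syndicates))
        community = rng.sample(COMMUNITY, len(syndicates))
        for name, ch, co in zip(syndicates, chance, community):
            plan[name].append({"chance": ch, "community": co,
                               "severity": rng.randint(1, 6)})
    return plan

def shared_challenges(plan):
    """Audit a deal: list (round, syndicate_a, syndicate_b) wherever two
    syndicates drew the same chance or community card in the same round."""
    clashes = []
    for a, b in combinations(plan, 2):
        for rnd, (x, y) in enumerate(zip(plan[a], plan[b]), start=1):
            if x["chance"] == y["chance"] or x["community"] == y["community"]:
                clashes.append((rnd, a, b))
    return clashes

if __name__ == "__main__":
    deal = deal_exercise(["North", "South", "East", "West"], seed=2009)
    assert shared_challenges(deal) == []
    for name, injects in deal.items():
        print(name, [(i["chance"], i["severity"]) for i in injects])
```

Keeping the seed with the exercise record lets the review team reproduce exactly what each syndicate was dealt.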

The Focus and Positioning of this paper.

Stream A Fundamentals of BCM with specific focus on two areas:

- Developing and Implementing a BCM Response
- Exercising, Maintenance and Review

A brief CV of the presenter

David Tickner MBCI.

David Tickner has over 35 years management experience in Professional Services, IT Consulting, Practice and Project Management. Over the last 15 years he has specialised in Business Continuity Management and related disciplines. He is presently the Consulting Principal of Computrix Services, in Melbourne, Australia. He has served on a number of Business Continuity forums and working parties, especially during the major government pandemic planning and response programs in Australia between 2007 & 2009. Over his career David has provided his skills and experience to major organisations in both the public and private sector as well as defence.

In recent years David has regularly been invited and has delivered a number of professional papers and presentations on Business Continuity and related disciplines including:

- 1996 Y2K Conferencing Sydney, Canberra, Melbourne Year 2000 Impacts on the Supply Chain
- 1998 DECUSWorld Gold Coast Business Continuity Planning for Y2K
- 1999 DECUS Local Users Group Melbourne Speaker of the Year Y2K Risk Management
- 2004 2005 & 2006 In BCP, less is more: a paper on establishing the best focus for organizations in building their Business Continuity Management framework.
- 2007 Business Continuity Institute [Victorian Chapter] Presentation on the focus of the pandemic business continuity program at the Victorian Dept of Human Services, at the March chapter meeting.
- 2007 World Conference on Disaster Management [Toronto, Canada] reserve speaker. David's paper was on the Effectiveness of MOU's in business continuity planning.
- 2007 European Institute for Risk Management Public Risk Forum [e Magazine] Continuity Planning for a Human Influenza Pandemic is Everybody's Business: a call to arms for all public and private sector organisations to be aware of and prepared for the likely impact of a major pandemic outbreak on public infrastructure and services. http://www.primo europe.eu/content/wpcontent/uploads/2009/02/prfnov07.pdf
- 2008 At the ARK Conference [Sept 2008] on Business Continuity Management, David presented a paper on Pandemic Tipping Points: the Interdependent Impacts of Critical Infrastructure Sector Failures during a pandemic.
- 2009 David was invited, and subsequently presented his latest update on Pandemic Tipping Points, to the World Conference on Disaster Management [WCDM19] in Toronto, Canada, in June 2009.
- 2009 David was invited by WCDM to present a further update of his paper at an Australian road show of WCDM held in October 2009.
- 2010 David was a key speaker to National Security Australia 2010 http://www.nationalsecurityaus.com/about.html on the subject of Planning for Critical Infrastructure Availability during a pandemic. Did we learn enough to do it better next time?
- 2010 David delivered a key paper on the past history and directions of business resilience planning at WCDM20 in Toronto in June 2010. He repeated the presentation at the WCDM summit series in Sydney in October 2010. Ref: www.wcdm.org