How can you ensure that your organization’s Business Continuity Plan (BCP) and Disaster Recovery Plans (DRPs) are successful? The answer is simple: by testing them! Until you’ve tested the Business Continuity Plan and Disaster Recovery Plan, they are literally useless. If the BCP and DRPs are not tested, their flaws remain undiscovered and unresolved, and in the face of disaster and downtime the organization is at risk of significant financial loss.
This article discusses how to test a BCP and DRP. It serves as a high-level overview of these plans and provides some methods to help you get started.
WHAT ARE BCP AND DRP TESTS?
During and after a disaster, an organization needs to be able to continue its essential business functions. A BCP is about understanding the organization’s weaknesses and threats in times of crisis and addressing such situations.
So, here are some examples of disasters that need plans in place:
- Disease outbreaks, such as the one the world is facing now in COVID-19
- Natural disasters, such as cyclones, floods, earthquakes, etc.
In such events as those mentioned above, how does a company continue to serve customers, at least with essential business functions, while ensuring minimal downtime?
A DRP is a policy or process in a documented format built to serve as a guide to the recovery process in a disaster or emergency.
THE MINDSET NEEDED FOR SUCCESSFUL TESTS
A successful DRP and BCP test suite should involve the key stakeholders, customers, and key employees. These tests should be planned at the project level and then flow upward to the organization level.
Hence, the organization needs to ensure that upper management will:
- offer managerial and financial support to execute BCP and DRP tests.
- carefully structure, plan, and execute tests involving key employees and stakeholders.
- observe post-test plans: teams need to plan for time and effort for the correction of defects.
- provide transparent reporting of the test results that everyone can understand and easily share.
Based on the test results that emerge from this activity, meticulous planning is needed to respond appropriately with the required actions.
A PROJECT SCENARIO EXAMPLE – MAKING WISE DECISIONS AS PER BCP AND DRP TEST RESULTS
For example, based on the results that emerge from the DRP and BCP tests, a QA project team may decide on its choice of test environments.
Perhaps the team may choose to rely on a cloud-deployed test automation tool instead of its earlier on-premises test automation tool setup.
Remember that an on-premises setup is vulnerable to disaster situations, with the possibility of loss of data and resources.
However, the cloud offers high security, scalability, and high availability. Relying on cloud solutions may be one option for quicker disaster recovery plan executions and associated cost savings.
Similarly, by involving key employees and stakeholders of the organizations, wise decisions such as these can be taken as per the BCP and DRP test results. Quick actions need to be taken because disaster can befall an organization at any time!
STEPS TOWARDS EFFICIENT BCP AND DRP TESTS
Lower-level teams need to observe the following steps when incorporating the tests. For planning which tests to choose, they can begin here:
- Identify which business functions are vital for the customer.
- Identify the business impact if these vital business functions are down.
These activities would involve business impact analysis and risk assessment processes for brainstorming and collaboration.
Next, they can move on to:
- BCP and DRP development
- BCP and DRP tests, maintenance, and updating.
STRATEGIZING WELL-PLANNED TESTS
There should be a testing framework in place with these steps:
- Pre-test plan – A disaster-like situation and environment can be prepared and set up before executing the tests.
- Test execution – The actual tests can be executed. When there is a real business disruption scenario, the response may differ from what was planned in the tests. Hence, it is better for the organization to plan ahead and be well-prepared. While designing tests, plan for different levels of complexity in the disaster scenario, and involve the business stakeholders and users to make it close to what could really happen. Apart from scheduled tests, you can even try surprise tests for the people on the teams!
- Post-test reviews – After the test execution, there will be suggestions, views, and comments from the team. These review comments ought to be collated and, along with the BCP and DRP, reviewed by experts. The BCP and DRP can then be updated accordingly.
- Final report preparation – Test reports can be built that help the organization understand the current state of the BCP and DRP tests in place.
Also, the BCP and DRP should not miss these aspects in covering scenarios for testing:
- Who are those most affected by a disaster or business disruption?
- When a disaster occurs, how will the users be notified? Test the notification systems accordingly by mimicking a business disruption.
- By priority, what are the business functions to be operational within the first few hours?
The key to a successful test suite is that the testing activity should be well-structured, with test scenarios, test scripts, and test injects. They should all be structured clearly with well-defined steps that anyone can understand.
PRESCRIBED METHODS FOR DRP TESTING
DRP tests should include these five prescribed methods:
- Walkthrough tests – involve the organization’s critical people in walking through the essential steps of the plan in place. The measures are reviewed and updated accordingly in case of inaccuracies and omissions.
- Simulation tests – these tests involve engaging the critical members of the company in staging an emergency-like situation simulation, acting out the steps in the DRP in detail. Simulation tests thus involve simulating disaster-like situations, though in small scenarios that don’t halt the whole system.
- Checklist tests – involve the employees going through the checklist of the DRP, marking the checklist status as checked or unchecked. When the task is completed, they mark it as completed.
- Parallel testing – ensures that backup operations are in place while the typical process runs.
- Full interruption testing – involves a complete mock-up of the disaster, and the responses are verified.
When a BCP and DRP are tested thoroughly, with flaws and shortcomings addressed and resolved, the resultant process enables a business to react quickly and efficiently to an unexpected disaster. While, ideally, a BCP and DRP are to be revisited regularly, it is also necessary to test and update the plans periodically. Remember, recovering from a disaster is expensive. Plan wisely and keep your BCP and DRP tests robust and efficient!