9 Steps to an Effective Tabletop BCP Test
Every year when we turn our clocks back, we’re also encouraged to check our smoke detectors to make sure they are working. Why? Because a smoke detector is more than just a device installed on your ceiling. It’s a critical tool that could save your life, but only if it’s working properly.
Unfortunately, smoke detectors don’t always work. Their batteries can run out of juice or they can reach the end of their life expectancy and stop working. Yet they’ll still look perfectly operational on the surface.
The same goes for your business continuity plan. No matter how nice your business continuity plan looks, you won’t know how effective it is until you test it. That’s why you need to run through it at least annually, more often if outside circumstances are changing.
One popular method for testing your plan is a tabletop exercise. During a tabletop, your institution runs through a potential scenario to determine how well your plan helps you respond to the event. The following eight steps will guide you through a successful tabletop exercise to uncover the strengths and weaknesses in your disaster recovery plan.
- Set goals. What do you want to achieve in this test? You may want to evaluate the viability of your plan, the preparedness of your staff or vendors, or the readiness of your resources and redundancies. You’ll also have to decide how exposed you want your participants to feel and set up a situation where they’ll be open to learning and prepared to take responsibility for their actions or lack of planning.
- Selection functions (plans). Decide which functions and plans will be tested. Keep it simple in your first go around. It’s often best for the plan administrator to run through a tabletop exercise with her own department first to work out any major kinks. When choosing functions, think about how they interrelate. For instance, Internet and mobile banking both relate to core information systems.
- Select participants. Begin with a facilitator. The plan administrator is an obvious first choice, but it can be useful to consider alternates for future tests. Team leaders and their backups must participate, and other team members may prove useful. Someone from senior or executive management should observe the proceedings.
- Establish ground rules. Ground rules are necessary to create a good testing environment. First, there should be no fault and no blame. The exercise should focus on problem solving. Participation shouldn’t be encouraged, it must be required. Facilitators may answer a few questions, but participants are ultimately responsible for working through the event. Any unanswered questions should be documented to be addressed later in the plan.
- Develop a disaster scenario. Begin by thinking about your environment, location, and region and past disasters including hurricanes, tornadoes, earthquakes, floods, system failures, cyberattacks, ransomware, etc. The scenario you choose must be feasible and should be something from which you could recover. Don’t choose a nuclear holocaust. Your disaster should be able to progress. For instance, a hurricane exercise could move from a warning to increasingly imminent. A cyberattack might initially be isolated to one department, but then spread to the entire network, causing massive data loss. It could then become a ransomware event when data high-jackers call demanding cash.
- Confirm assumptions. Certain assumptions must be made to begin the exercise. These are typically associated with the availability of items like Internet, cellular networks, staff members, facilities (including 1st backup location), and other resources. Don’t make the same assumptions for every table top exercise. Up the challenge level over time by eliminating the availability of items in future tests.
- Conduct the exercise. Start by assembling the group, introducing the facilitator, monitors and record keepers. Go over the ground rules and answer questions. Then present the scenario and explain any assumptions. Collect the roundtable reaction by participants and have the record keepers document the exercise’s progress.
- Key Vendors. Are particular vendors part of the exercise? Are the functions being tested tied to the performance of particular vendors? Is our institution relying on a particular vendor to perform in order to meet the expected recovery time? Understanding these assumptions will be key to a successful table top exercise.
- Document post mortem. Stop the event and have the recordkeepers share the information they’ve recorded with the group. Add in anything that’s missing. Talk about what went well and what didn’t, documenting successes, failures, and changes in a post mortem report.
The end result should be similar to a smoke detector test. You’ll know whether or not your plan works, and if the plan doesn’t work, you’ll have the opportunity to probe for flaws and determine whether your plan needs fine tuning or a major overhaul.
Regulators expect you to test your business continuity plan just like your insurance company wants you to test your smoke detector. But just like with a smoke detector, don’t test your plan just because someone else is telling you to. Do it because you know that one day it might save your customers, your employees and your institution. Do it because it’s the smart, responsible thing to do.
Visit our business continuity planning resources page for more great BCP info.