The Importance of an IT Disaster Recovery Exercise

Imagine installing a fire detector in your home and never testing it to make sure it works. How could you know for sure that it would protect you in the event of a house fire? This is exactly what it is like for a business to create a disaster recovery plan and never complete exercises to validate that it works. The plan could be well thought out and well written, but if it is not actionable, then it is little better than having no plan.

Disaster recovery focuses on developing a plan of action to recover from a potential internal or external business threat. In other words, disaster recovery is about ensuring that the business infrastructure, systems, and data can all be accessed and/or recovered in the event of a business crisis—it is essentially your IT disaster recovery plan. The plan documents the many potential disasters that could impact the business and outlines the steps the business will take should such disasters occur. Creating a disaster recovery plan is all about preparation, and a major key to that preparation is testing and amending the plan to ensure that it will run smoothly in the event of a disaster. Because disaster recovery plans involve processes and systems as well as people, it is important to run exercises to also ensure that the key players know their roles and are able to initiate the correct steps.

In addition to making sure that the disaster recovery plan is effectively actionable, exercises also help to ensure that the recovery time objective (RTO) can be achieved under the outlined processes. The RTO details how much time the business has to make a quick recovery from a disaster in order to avoid serious losses. By running exercises on the disaster recovery plan, the business can ensure that the processes allow it to successfully hit the outlined RTOs.

By far the most effective exercise is the full-scale run-through. Because this scenario would require business downtime, it is important that the exercise is run as closely as possible to a real-life outage in order to reap the most benefit from it. A full exercise will implement all backup systems, offsite work areas, processes, workarounds, etc., so it is the best indication of how successful or unsuccessful a disaster recovery plan might be.

Depending on how frequently your business commits to running disaster recovery exercises, it may not always be feasible to run a full-scale exercise of the entire process. For some businesses, the full process is only run annually (or as business operations and processes change in order to keep the disaster recovery plan up-to-date) due to the time and expense of running a full run-through of the plan. However, even if a full run-through is completed annually, additional measures should be taken in the meantime.

One method to complete an exercise on the IT disaster recovery plan is to schedule and complete a review of the full plan. Reviewing the plan regularly can help ensure that as business operations, procedures, and systems change, the disaster recovery plan changes with them. This will help eliminate any discrepancies between the current business processes and the plan and keep the plan up-to-date.

Another exercise is to run mock exercises, also known as tabletop exercises, with the staff to ensure that they each know their role and the actions that are expected of them. By walking through disaster scenarios with the team, each team member will have the opportunity to gain further understanding of their role in a disaster and to turn their understanding into action. This exercise is particularly good for focusing on the people aspect of the response, as it allows you to see how each person would react and to provide guidance or correction where necessary. In a disaster situation, some people may panic, which could reduce their effectiveness. By running mock exercises, you can help ensure that everyone is prepared and that their response would be second nature. However, in order to create automatic disaster responses from the team, the exercises would need to be completed frequently, at least quarterly.

No matter what kind of exercise your business decides to run, it is important to write an after-action report, which involves taking notes during the course of the exercise on the plan's successes and areas for improvement. By taking detailed notes on the failures of the plan, the business can make improvements to it in order to further develop it. If any tweaks are made to the plan, the exercise should be redone to test the effectiveness of the modifications.
