Business continuity and disaster recovery plans are often left on the shelf (electronic or otherwise), protection against questions from auditors and regulators of ‘do you have a business continuity plan?’
Putting a sensible plan together is not, however, an easy task, and it’s a shame to waste that effort to ‘tick a box’. Validating and testing your business continuity plans can be a good way of improving them, spotting gaps and training people on how they work.
Many organisations are, however, wary of testing their business continuity plans: they don’t want to be in a position to have to recover their entire business. However, there are other things you can do that will incrementally test your plans. Here are three to consider:
Plan walkthrough
This is an easy one. Once you have documented the plan, get all the stakeholders in a room and run through it, step by step. Does it make sense? Is it useful? Is it missing information? Is it easy to understand? By doing this, you not only walk through your plan, but also train the stakeholders on how the plan works.
Limited technical recovery
Rather than trying to recover all your systems, start small. If Office 365 is critical for you, recover a key SharePoint site, a mailbox or OneDrive. This proves you can do it, if needed. It may not test the recovery of all systems, but if you’re a small organisation with simple data storage, one may be enough.
Incident scenario
You’ll need a facilitator for this, but it can be worthwhile. Essentially, get the stakeholders in a room and the facilitator runs you through an incident scenario. For each step, the facilitator determines who would do what, and checks back to whether this is in line with your plan. If you can involve key third parties in this, so much the better. You have to be open to the process (and not say ‘that would never happen’ or ‘we’d just fix it’) to get the most from it, but scenario exercises can help flush out whether your plans are fit for different types of events.
Ideally, you’d do each of these three every year. They don’t take long and can be really helpful in making continuity planning second nature to your organisation.