This edition of DISASTER RECOVERY TESTING: EXERCISING YOUR CONTINGENCY PLAN is a reprinting of the version originally published in 1994. In the fourteen years since I first began development of this book out of a sense of frustration with the lack of published resources on the subject, Business Continuity as a discipline, as an industry, and as a professional practice has evolved dramatically. In addition, the role of exercises in the continuity management program has grown significantly.
And yet – more aspects of business continuity have stayed pretty much the same over the years. Of course, there have been some changes – in 1994, the Internet was incidental to most organizations; today, it is indispensable. Email use was limited. Cell phones were prohibitively expensive and impractical. Amazon.com was a struggling startup. And don’t get me started on iPods! On the other hand, there are still plenty of organizations who have yet to implement meaningful continuity structures, let alone to conduct effective exercise programs.
Nevertheless, two factors prompted me to agree to reprint this book:
- Upon rereading this book, I was pleased to see that most of the concepts, processes, issues and recommendations remain current and effective with, of course, some allowance for current technologies; and,
- After fourteen years, nobody else had stepped up to the plate and written a book to replace it.
So, what has changed since I first set fingers to keyboard? Technology, certainly – both as a recovery issue and in offering recovery and exercising opportunities that did not exist in the mid-1990s; for example, there are now numerous web-based recovery planning and exercise management solutions. The Internet, of course, has become a major consideration to most any business, regardless of size; VoIP telephony, satellite phones and cellular phones have changed the way we think about and use telephones, and have provided new recovery support options as well as contingency issues. Remote workplaces as well as outsourcing have affected recovery options and exercise strategies. Ubiquitous dependence upon email and wireless networking has not only complicated recovery strategies but also the management of vital business records. As Walt Kelly said in the comic strip Pogo years ago, “we are confronted with insurmountable opportunities!”
I have said for as long as I can remember, “An unexercised contingency plan can be worse than no plan at all.” I believe this more than ever. It is far too easy to document a plan which looks good on paper (or on a screen), tuck in lots of impressive content, and assert an enterprise is protected from disruption. In reality, without exercise, there is no evidence that your plan and its supporting procedures will be functional when called upon; even more critical, there is no assurance that the underlying assumptions and strategies would be appropriate and effective.
The exercise process assures your team members fully understand your plans and procedures, along with their roles and relationships; that your resources and infrastructure will be in place and sufficient; that your plan and its underlying assumptions are up to date and adequate. There is no substitute for exercising your contingency plan!
As a profession, we have learned a great deal about exercising every type of contingency plan – from community emergency management to IT disaster recovery to departmental and business unit continuity to trading floor recovery to telecommunications network recovery, crisis management/communication, and more. I hope that this book will provide you with the benefit of the collective experience and wisdom of the thirty contributors. As I have been fond of saying over the past 25 years as a management consultant, “A consultant’s job is to have made all of the mistakes already – at somebody else’s expense.”
FROM THE INTRODUCTION TO THE ORIGINAL EDITION:
There are those of us who would argue that testing the business continuity or disaster recovery plan is at least as critical as actually developing the plan in the first place. Without testing, the continuity plan is little more than an exercise in speculation – or even futility. After all, how else could any organization assess the effectiveness of a continuity plan, short of the “ultimate” test: experiencing an actual disaster?
Regrettably, many organizations find it difficult enough to develop a plan, let alone to find the resources and time to conduct meaningful testing. Recovery testing has, for these organizations, held many similarities to the classic dilemma of application software documentation: always budgeted at the end of the project, yet seldom enough time or money left to do a decent job. Why is it that some organizations never get around to recovery testing, and others test aggressively?
Where recovery testing is planned, budgeted and conducted, the predicament is, as often as not, a dearth of practical experience or knowledge. The typical disaster recovery book has a chapter near the back entitled “Testing and Maintenance,” or something like that. In a handful of pages, the author communicates the desirability of testing, the basic types of tests, and little more. This is not meant to be a criticism of these valuable books, so much as an observation that they are usually focused on plan development and implementation. This book does not attempt to convey the process of recovery plan development – it assumes that the reader at least understands the mechanics of disaster recovery / business continuity / contingency planning.