Use tabletop exercises to stress-test your business continuity management and make sure critical personnel are familiar with the BCM recovery plans.
The wildfires wreaking havoc from Southern Europe to Scandinavia to California offer a timely reminder that natural disasters are difficult to plan for and businesses need to make sure their continuity plans remain robust and current, stipulating exactly how business operations will resume after a natural disaster — or an operational one, such as a broken contract.
In a recent Gartner survey, 83% of respondents reported having a defined response plan for a cyber-related incident, and 75% had plans to deal with the effects of a fire or explosion.
“Even just a few moments of downtime can be costly, so it is essential that firms implement sound business continuity procedures,” says Gartner principal executive advisor Ian Beale. “In fact, more than 40% of businesses will never reopen after a major natural disaster.”
The number of incidents that organizations face continues to rise. In a 2016 survey, 22% of organizations reported 11 or more disruptions over the prior 12 months, a 15% increase from the year before. The costs of such incidents are also rising. In 2016, an unplanned data center outage cost $740,000 on average, up 38% from just six years prior.
“Tabletop” your plan
Without formal processes and guidelines, ad hoc responses will likely extend downtime and business loss. An effective business continuity management (BCM) program will enhance enterprise resiliency and help the organization react and recover more effectively from unanticipated business interruptions. Plans must be tested to ensure they will enable the organization to weather disruption.
Tabletop exercises for BCM test the effectiveness of procedures and safeguards in place to respond to and recover from specific continuity incidents. They are an effective way to gauge organizational preparedness and awareness, as well as to uncover flaws or gaps in recovery plan design.
Mind your own “business”
The first step in the tabletop exercise is to define what threats and risks are specific to your organization. A risk being top of mind due to the global news cycle doesn’t automatically mark that risk as being the No. 1 threat to every organization.
Although business continuity incidents are becoming more frequent overall, organizations should still prioritize their own scenarios. When prioritizing risks, it’s important to first consider your firm’s regulatory obligations, response plan maturity, criticality to business operations and, finally, response plan complexity. From there, leaders can draft relevant and comprehensive scenarios.
The single most important consideration when conducting a tabletop exercise is the clear assignment of roles and responsibilities for participants and facilitators. Effective tabletop exercises should include each of these roles:
Tabletop exercises serve as an effective and inexpensive way to test the efficacy of business continuity and disaster recovery plans. They can be applied across a broad set of scenarios and are not confined to testing IT resiliency and security. To fully benefit from tabletop exercises, organizers need to determine how to prioritize the response plans to test, draft relevant and comprehensive scenarios, and clearly define the roles and responsibilities of those involved.
Gartner Principal Executive Advisor Ian Beale is hosting a webinar on this topic for IRM members on Thursday, 6 September at 11am. Register today to secure your place and learn about the key steps for a successful tabletop exercise.