It’s fairly common for businesses to think short term, and to not worry about what isn’t right in front of them. That’s one reason it’s a struggle to focus on disaster recovery or business resumption planning, or to build up stronger security practices to firewall against cybercrime.
Take hurricanes. Over a 165-year period from 1851 to 2016, a total of 24 hurricanes hit South Carolina. In the last two years, we’ve had three, going from roughly one every seven years to one every eight months.
There’s no getting around it: Bad things will happen. When they do, it is the 3Ps you’ll have to rely on to get through: policies, procedures, and planning.
Many businesses don’t have a formal disaster recovery plan. Those that do often don’t take the time to fully test the plan to find the vulnerabilities or the critical function that was overlooked. Regardless of which of those buckets your business is in, a dry run — a tabletop test — of how you would handle a disaster will give you visibility into your strengths, weaknesses, and risks.
Here are 10 steps for setting up a tabletop test.
- Define key players. Identify the key players and note that they may not always be department heads. Depending upon the type of incident you’re dealing with, the payroll clerk or shipping manager may be a critical player.
- Who is tested? There are different schools of thought about doing tests of individual departments versus larger units (in a big firm) or the whole company (in smaller businesses). My view is that, for most small businesses, the whole company has to respond together, so it should be tested together. No department is an island.
- Determine the goal for your disaster recovery plan. This will depend on your type of business. If you are a 24X7X365, like a newspaper, hospital, or law enforcement agency, you have to prepare for all scenarios. If you are a service business — law firm, marketing company, consultant — you may be able to just shut your doors for a day or two. But you may need to plan for continuing operations, including access to records, files, contacts, if your offices are severely damaged or destroyed.
- Establish a scenario. Disasters come in many forms and the impact on your company could vary, requiring different responses. Consider situations that happen at night, or on weekends, as well.
- Pick a place for the test. If you choose to do this in your office conference room, establish a no-interruption rule. You need the same undivided focus on the test, as you do during the real thing.
- Decide what to bring to the test. Whatever materials people bring with them, make sure that these are things they would have access to regardless where they are, the time, or the day of the week a disaster strikes.
- Test your response. Walk through each step — don’t just say “we need to call everybody.” Instead, pull up the disaster recovery calling list and make sure it is current.
- Don’t forget new systems. Depending on the age of your plan, you might find there are new systems or vendors in place — such as VOIP phone systems or cloud-hosted applications — that are not included in the plan. In many cases, that makes emergency preparedness easier, but only if critical users are aware of how to access these systems offsite.
- Build a list of action steps. Record all observations on updates needed, missing data, or overlooked steps, and assign a member of the team to prepare a complete list of action steps to be distributed to team members.
- Yes, test again.
Ultimately, the tabletop test is a few hours out of your day to determine if you are as ready as you think you are for the next unexpected hurricane.