How do you run a business continuity test?
So where to start? Dell EMC is the world’s largest data protection company and Matt Zwolenski, the company’s chief technology officer for Australia and New Zealand, says you need to stage tests and simulate failures to check if your continuity plan is up to the task.
“We find that the most effective simulations are run during business hours with minimal resources. Organisations operating this way are far more likely to be able to test regularly, compared with those that are required to run their tests on weekends.”
Zwolenski recommends making the tests a surprise, to simulate a real interruption, and says tests should cover multiple applications.
“The IT environment is now so intertwined that there are multiple application dependencies,” he points out. “If you don’t test all of those systems simultaneously, you’re likely to find that in a real disaster scenario, one application will work but other dependent applications will fail.”
He also recommends testing for both physical and software problems. What would happen to your business continuity plan in the event of a power outage or office fire? Is the only copy of the plan on the server or in a file in the IT office?
It’s crucial to have a quarterly review of different scenarios that could impact the business. This doesn’t mean planning for every possible situation that could ever occur, but for the ones likely to impact your business, depending on the type of business and its location and size. One suggestion is to keep a copy of the continuity plan in a different physical location, and on a cloud service such as Box.
“One of our customers has a data centre located near an airport. They have a contingency plan in place in the event of a plane crash.”
Not every business has that kind of challenge, but the threat of hacking causing a security problem or data destruction is universal. Testing for both increases your chance of success.
What should a business continuity test include?
Nathan Steiner is the Australia-New Zealand head of systems engineering for Veeam, which specialises in data protection software. He recommends that tests include scenarios such as a need to relocate staff to secondary sites if the main facilities can’t be used. Organisations that run secondary data centres should test those facilities by deliberately moving workloads to those sites, to simulate the experience of an outage that invokes the business continuity plan.
Daniel Peluso, Senior Product Specialist, Infrastructure at Telstra, says: “For example, we see more companies are moving to cloud-based services and see that there is a change in contingency plans. Five years ago businesses needed their own business continuity infrastructure. Now it’s possible to access it on-demand, which makes for massive savings in capital expenditure.”
But both Steiner and Zwolenski say you can’t just assume that the cloud’s promises of resilience mean your business continuity plan is in safe hands.
“If you’re working with a public cloud service, such as AWS [Amazon Web Services] or Microsoft Azure, the provider doesn’t offer inherent data protection or disaster recovery,” Zwolenski explains. Because of that, you need to devise a plan that also tests how your cloud service providers perform when you implement your business continuity plan.
You should also ask your cloud provider about their own business continuity plans. “Cloud or other service providers must have the same well-developed disaster recovery and service continuity testing scenarios for their customers’ services, applications, resources and data,” Steiner says. Don’t hold back on asking your service provider some tough questions, to ensure their readiness matches yours.
Business continuity simulation test checklist
- Simulate a possible natural disaster scenario. Keep the test a surprise, cover all departments and staff, and test if procedures, resources and responses work.
- Simulate an application (such as your CRM) failing.
- Extend the simulation to fail over to another building or site. Perhaps send a team to an alternate site to restart business functions and technology.
- Evaluation. Debrief with all participants, check overall recovery timeframes, and note any issues that need to be addressed to improve and revise the plan.