
Disaster Recovery Exercises
Strengthen Your Business Continuity Plans

[Image: Office building, New York City, 9/11 damage]

Disaster recovery exercises prepare organisations for existential threats.
 

For a company executive, it is a challenge to anticipate potential risks that may lead to the business ceasing to trade. These leaders are accountable for making important decisions to maintain the survival and growth of the company. It is their responsibility to prepare both staff and systems for the most severe business interruptions.

It is, however, not uncommon for teams to lack formal training on business continuity. This can result in panic and poor decision-making and, in some instances, the failure of the company.

As an analogy, anti-virus software used to rely on signatures of known threats. Modern systems take more proactive measures that do not rely on knowing every threat in advance. A company may continue to grow without issue until a major disruption occurs: much like the Christmas turkey, it grows week-on-week until that fateful day in December.

The events of 11th September 2001 serve as a prime example of the importance of Business Continuity planning. Earlier that year, a director at the Deutsche Bank offices in New York conducted a Business Continuity / Disaster Recovery exercise, imagining the scenario of a neighbouring building collapsing onto their own. Unfortunately, this scenario became a reality as part of one of the Twin Towers tore a gash down the side of the Deutsche Bank building.

In November and December 2023, several organisations fell victim to cyberattacks exploiting the CitrixBleed vulnerability. While such events may initially appear to be unpredictable Black Swan occurrences, they often align more closely with the concept of a Grey Rhino: a more probable and obvious threat that organisations fail to address in time. A Grey Rhino represents a looming danger, clearly visible and charging towards the business, demanding proactive action to prevent, or at least mitigate, its impact.

How to Conduct Disaster Recovery Exercises

Benefits of Disaster Recovery Exercises

Frequently Asked Questions

What is a disaster recovery exercise?
A simulation that tests your organisation's ability to recover from a disaster.
How often should we conduct these exercises?
Unless there is cause for concern, conducting exercises annually, or whenever significant changes occur in your operations, is recommended.
Why involve an external consultant?
  1. Internal teams can often be too close to the problem, making it difficult to see gaps or inefficiencies in processes. An external consultant provides an unbiased, objective view. You may even already suspect existing exercises are flawed in some way.
  2. We can ask the "dumb question" that insiders are too scared to broach.
  3. Having an external consultant facilitates organisational buy-in, especially from leadership, as their involvement signals the seriousness of the exercise.
  4. Consultants can act as neutral facilitators in resolving disagreements about risks or responsibilities within the organisation.
  5. Consultants are not influenced by internal politics or preconceived notions, allowing them to challenge assumptions and ask critical questions that might otherwise go unasked.
  6. We have experience conducting similar exercises, giving us insights into pitfalls others have overlooked.
  7. External consultants can create scenarios that are more demanding than an internal team would consider.
  8. Consultants not only guide the exercise but also share knowledge and techniques that enhance the organisation's long-term capabilities.
What was your most memorable exercise?
A scenario that the Infrastructure Manager insisted could not happen.

A typical engagement will go deeper, using tacit experience.
1. Initial Consultation

A preliminary discussion with the organisation's leadership to understand their goals, priorities, and concerns. This step identifies the scope of the engagement, ensures alignment on expectations, and sets the groundwork for a tailored workshop experience.


2. Pre-Engagement Review

An on-site assessment to gather detailed information about the organisation's infrastructure, workflows, and existing recovery plans. This includes:

  • Interviews with key stakeholders and staff.
  • A review of IT systems, operational dependencies, and critical assets.
  • Identifying high-risk areas, single points of failure, and current vulnerabilities.

3. Scenario Design

Developing a realistic and organisation-specific disaster scenario based on the pre-engagement findings. This step involves:

  • Defining measurable objectives for the exercise.
  • Crafting primary and secondary scenarios to test diverse challenges.
  • Creating role assignments with detailed descriptions of responsibilities, tailored to each participant's position within the organisation.
  • Setting up contingencies to introduce mid-exercise surprises, testing the team's adaptability and crisis decision-making.

4. Preparation

Preparing the organisation and participants for the exercise by:

  • Ensuring all required tools, resources, and systems are available and operational.
  • Conducting a briefing session to explain the exercise structure, rules, and expectations.
  • Addressing any pre-existing knowledge gaps to ensure participants have the baseline understanding needed to engage effectively.

5. Moderation

Running the exercise, on-site, where participants work through the designed scenario. The moderator(s) will:

  • Facilitate the flow of the exercise, providing prompts and context where needed.
  • Monitor participant actions and decisions.
  • Maintain engagement, ensuring the scenario remains challenging and realistic while fostering collaboration.

6. Debrief and Feedback Session

Immediately following the exercise, participants engage in a guided discussion to reflect on their performance. This step includes:

  • Highlighting successes and identifying areas for improvement.
  • Collecting feedback from participants to understand their perspective on the exercise and its relevance.
  • Encouraging open dialogue to foster learning and team alignment.

7. Report

Delivering a report that includes:

  • A summary of the exercise and participant actions.
  • Insights into strengths, weaknesses, and gaps in the organisation's disaster recovery processes.
  • A prioritised list of actionable recommendations for improvement.
  • Data and metrics from the exercise.

8. Follow-Up and Action Plan

Supporting the organisation in implementing the recommendations from the report. This step may involve:

If you're interested in being informed of future dates, please write to enquiries@itsm-support.com.