BCP & The Importance of Tabletop Testing
Author: WolfPAC Team
You’ve been busy with your business continuity plan (“BCP”). You know how long it will take you to get your systems back up. Your alternate site is selected and ready to spring into action should the need arise. But what about everything that comes before?
- Do the people in your organization know what to do prior to the disaster declaration?
- Are you 100% certain they would know what to do and who’s responsible for what? Are you willing to bet the organization on it?
If you can’t respond with a resounding yes then tabletop testing could be the missing piece in your BCP testing program.
What is Tabletop Testing?
In typical disaster recovery testing, the focus is on the recovery of systems to ensure that transactions can be processed from a location other than the production environment. These tests are usually performed from the point following the formal disaster declaration and focus specifically on the recovery of technologies and performing business functions.
BCP tabletop testing exercises test your plan in ways that typical disaster recovery cannot. In a tabletop test, every aspect of the plan is discussed from the onset of a business interruption event. This means your plan is examined against a potential business interruption scenario prior to the pressure and consequences of a real incident.
Who is Involved?
Tabletop testing provides you and your colleagues an opportunity to test assumptions and confirm definitions based on real-world scenarios. In the exercise, you’ll go over the internal and external communication chains, notifications, assessment of damages, and the decision to declare a disaster. The people participating should be the key individuals responsible for the execution of the BCP. You will consider and review specific details in the plan together, all while keeping in mind the Maximum Allowable Downtime.
Keeping it Friendly
Tabletop testing can be done with no outside assistance. However, many people find using a third party offers objectivity and removes the elements of the exercise that could become political within the organization. It may be challenging for people who have spent a lot of time and effort creating the disaster recovery test plan to recognize where there is missing or incomplete information.
The role of the third-party moderator is to gently highlight the challenges and decision-making that may not be possible with those so close to the plan development. As an independent party with industry experience, the third party can often bring a different perspective grounded in disaster recovery best practices and provide constructive criticism to make your plan even better.