How will you perform?
In recent discussions with a financial company prospect, we were reviewing their last Disaster Recovery test. The feedback was that it went very well, and most of their IT systems were available within 2 hours, which was their RTO (recovery time objective). Generally speaking they were very happy: their DR test had worked, and the compliance and risk departments within the business could be pacified until the next time. A job well done.
But then they mentioned the week of preparation that they had to put into it, getting their systems updated and prepared, their team briefed and the DR plan reviewed before the big day. Some of you may understand this – you want a DR test to go well, so you need to prepare. But there’s a problem with this approach in the world of Disaster Recovery – disasters don’t come with any warning! In the real world, that test should be deemed invalid by the stakeholders of the business and a genuine, unsuspecting DR test performed.
But how do you perform the ultimate genuine DR test? One customer has recently done just this. Their consultant one day asked them to perform a tabletop DR test. Out of the blue, with no warning, no preparation. She told them that they had just lost access to a number of servers and left them to deal with it, monitoring their progress so she could follow it up with a risk report. It might have taken the team a little while to think the strategy through and work out a solution, but the time they spent weighing up their options will be saved the next time, when they encounter a real situation. They worked as a team and uncovered areas they didn’t feel confident with, and areas that could have done with improvement. And they encountered some systems that they thought were protected by Plan B but which weren’t, so alternative solutions needed to be found. You don’t get a better training exercise than that, until you meet the real thing.
We believe the ultimate test is unannounced, unsuspecting and uninformed. This is what the real results of an IT disaster will look like. And if you’re looking for a driver to improve the results? Make your Head of IT’s bonus rely on every recovery meeting the RTO target. This will drive the change that may be needed in your organisation.