September 2022

by Michael Herrera, CEO, MHA Consulting

[originally published on mha-it.com; written by Colin Garrison based on an interview with Michael Herrera]

Tiered testing is a way of matching the rigor of the testing applied to a given business process with its importance to the organization. It ensures that you get the most bang for your testing buck and that the most critically important parts of your organization are adequately protected.

Today’s Public Service Announcement

As usual when I write on business continuity testing, I have to start by making my standard complaint: organizations aren’t testing their ability to recover the business in the event of an outage often enough. And they’re not testing rigorously enough.

Usually this is because they assume that if something bad happens, their people will be able to wing it well enough to avoid a heavy impact. Also, they don’t want to take their people away from doing their regular jobs.

I’ve seen this attitude come back and bite people practically every month of the twenty-five years I’ve been in this business. Therefore I strongly advise every responsible organization to develop and implement a sound BC testing program.

This concludes our public service announcement for today. For those who are interested in doing better at BC testing, read on.

Tiered BC Testing

Today I want to talk about tiered testing and also run through the four types of BC testing.

Tiered testing is when you divide the business processes at your organization into tiers based on how critically time sensitive they are. Then you test them at different degrees of intensity corresponding with their criticality. The more critical a process is, the more important it is for you to test it—and the more rigorous the tests should be.

The tiers are best derived from your business impact analysis. As you know, your BIA prioritizes your business processes based on their criticality. It sorts the processes into categories based on how long a given process can be down without causing an unacceptable impact to the organization (in the view of the subject matter experts and executives who conducted the BIA).

For tiered testing purposes, you might divide your business processes and departments into four categories: 1) those that need to be recovered in 24 hours or less, 2) those that need to be recovered within 48 hours, 3) those that need to be recovered within five days, and 4) those that can be recovered in more than five days.

Those categories are your four testing tiers.

The processes in Tier 1 should be the subject of the most frequent, rigorous, and comprehensive testing and training. You need to find out if you can recover those processes quickly—and to train your people so that you can recover them quickly and under the most challenging circumstances.

Tiers 2 and 3 should be tested at an intermediate level.

Those processes that fall in Tier 4 don’t need to be tested at all.

The idea is to make sure your testing investment is closely aligned to the importance of each process to the organization. It’s also to increase the recoverability of the most critically time sensitive processes.

The Four Types of BC Tests

Now let’s look at the four types of testing. The four types of tests are:

  • Tabletop. This is where everybody sits around the table, the facilitator sketches out a scenario, and the participants talk through how they would deal with it. Usually relaxed and chatty. There are lots of laughs. Treats might be served. These are a good starting point, but generally not that rigorous.
  • Partially functional. This type of testing might be described as “tabletop plus.” The difference is, here, you get the people to actually implement parts of the recovery plan. If the plan calls for the employees to call people up and notify them of something, then you might really have them make the calls. This is where people start to run into problems—and where things start to get stressful. From the testing point of view, this is good.
  • Fully functional. This is where you really have the people implement the recovery plan. Can be very stressful. Tends to uncover a lot of holes. In my experience, there is not usually a great deal of laughter at fully functional BC tests.
  • Chaos testing. This is the ultramarathon of BC testing. This is where you take people by surprise, impose drastic restrictions and challenges on them (e.g., “You just lost 40 percent of your workers”), and then challenge them to recover. These tests are immensely stressful. They are also the best way of verifying that you could actually recover in a live situation—and/or of identifying gaps that need closing to improve your performance next time.

So what is the connection between these types of tests and the tiers we were talking about earlier?

For the highest tier, you should work your way, over a period of time, through all four of these test types. For the lower tiers, it’s probably OK to go through some of them. Basically, you want to match the rigor of the testing to the criticality of the process or department. This ensures that your most critically time-sensitive processes receive the most protection (and hopefully adequate protection).

‘Help Yourselves to Coffee and Danish’

The last point I want to make is to point out the increasing prevalence of a misguided approach to testing in which the people who are participating are overly coddled by the organizers. Everything is made very comfortable and convenient. No one is put on the spot. The facilitator gives out the answers when anyone is stuck. Coffee and danish are provided to keep everyone comfortable.

This is all very nice. The only problem is that if and when a real disruption strikes, it won’t be this way. So training of this type is poor preparation, especially for your Tier 1 processes.

Blood, Sweat, and Tiers

Unfortunately, most organizations do not test their recovery plans often enough or with sufficient rigor. This means they are taking a gamble on their ability to recover the business in the event of a disruption. It also limits the staff’s opportunities to develop their skills in plan execution.

For organizations that would like to develop a sound testing program, tiered testing is the way to go. With this approach, business processes are divided into tiers by criticality. The highest priority tier receives the most frequent and intensive training, including all four types: tabletop, partially functional, fully functional, and chaos testing. This channels your testing investment to the most important processes and increases the chances those processes can be recovered in time to avoid a heavy impact on the organization.