Business Continuity Exercising

Business continuity itself is focused on ensuring your organisation can continue delivering products or services at acceptable, pre-defined levels following a disruption.  It's not about being impervious to disruption, but instead about prioritising the continuity of your operations and establishing a framework for recovery.

‍

‍

Exercising is a critical part of this framework.  It typically sits at the end of the BC management lifecycle, the first steps of which are to understand your organisation and its context, identify appropriate strategies for the plans your organisation needs to have in place, and to develop and implement your plans.  Once those plans are in place (for example, identifying a relocation site in case of an incident and outlining who moves, what gets taken, and how continuity is maintained), you will need to exercise them.*

An exercise is an activity that allows you to practise using your BCPs, incident management plans (IMPs), disaster recovery plans (DRPs), etc., and to train your team members on and establish their current performance around executing those plans.   Exercises also look to establish your organisation’s ability and readiness to continue its operations.  In some scenarios, the focus of this will be on recovering from loss, but in others, you may look to understand your organisation’s ability to maintain critical operations and core business functions. For example, if your exercise scenario involves a reputational crisis, you may try to ensure your customer support is not overwhelmed by enquiries relating to that crisis, and that it can continue to function at an acceptable level.

It is also important to understand that these activities are an exercise, not a test.  Whilst the term ‘test’ implies a pass/fail outcome, there is no such binary judgement in exercising.  Every BC exercise is a learning opportunity, and identifying a problem should not be considered a failure, but progress.  

*To learn more about creating effective BCPs, read our blog on How to Develop a Robust Business Continuity Plan.

As discussed previously, the most significant benefit of BC exercising is that it enables you to establish whether your BCPs function as intended and provide you with an opportunity to identify and address gaps in your plans, and to resolve them without the much higher stakes of a real incident.  For example, it is not uncommon for URM to identify issues relating to role suitability or capacity during exercises due to individuals becoming overwhelmed by the demands of a role they have been assigned, subsequently prompting reconsideration and reassignment of that role.  Such insights are invaluable when identified in a controlled, simulated environment, rather than during the pressures of a genuine incident.

Exercises also help you improve teamwork across departments and roles that may not typically interact, as well as enhancing your understanding of how the individuals executing your plans react under stress, i.e., who takes the lead, who communicates effectively, and who might need support or training.  In addition, exercising your BCPs can help you identify dependencies you were previously unaware of.    

Finally, ISO 22301, the International Standard for Business Continuity Management Systems (BCMS), requires conformant organisations to conduct exercises.  Even if your organisation is not aiming to conform and/or certify to ISO 22301, it is globally recognised as the authoritative framework for BC management, and its recommendation to regularly exercise plans is considered best practice.

When determining the timing and frequency of exercises, your starting point should be an exercise schedule.  If you don’t have an exercise schedule, creating one should be a priority.  A well-structured and effective schedule will cover all elements of your organisation, several types of exercise, and target different tiers within the business (e.g., departments, staff, board).    

Exercises should also be conducted in response to major changes within your organisation, such as an acquisition, office moves, or changes to your product or service offerings.  Such changes should either trigger an exercise, or, at a minimum, have an influence on when you decide to conduct one.

Another useful time to exercise is following a near-miss or a real incident.  This may initially sound redundant – if you’ve just handled a crisis, why run an exercise?  However, many organisations emerge from an incident with the sense that they only managed to maintain continuity by a narrow margin.  Running a follow-up exercise can help refine your response and address any shortcomings in a controlled environment.

Exercises can also be used to mitigate high-priority risks that you have identified within your organisation.  Your risk register should be a key input into your exercising, not only in terms of when you exercise, but also which aspects you exercise, the types of exercises you conduct, etc.

You should also consider the time of day.  If your business operates 24/7 or across different time zones, your exercises should reflect this.  Your exercising strategy should be rooted in a strong understanding of how your organisation works and when key functions are active, which you will establish in the ‘understanding your organisation’ stage of the BC management life cycle.

There are several types of BC exercises, each with their own set of benefits. Your overall strategy should combine different approaches across the year to balance disruption, resource requirements and value gained.  The most common types of BC exercise include:

• Technical tests
• Desktop documentation walkthroughs
• Walkthroughs
• Table-top simulation
• Full live exercises
• Building evacuation/redeployment test
• Communications testing.

Tabletop simulations are the most common format.  These involve progressing through a realistic scenario, often with your crisis or incident management team, and simulating your response as the scenario unfolds. Tabletop exercises are particularly effective as they don’t significantly disrupt business-as-usual (BAU) activity, yet they provide valuable insights into team dynamics, plan effectiveness and communication flows.

A less intense BC exercise format is a documentation walkthrough, where teams review their plans together to ensure alignment.  These are useful for identifying inconsistencies or outdated information.

Among the more intense exercise formats are full live exercises, which can involve restricting access to premises and mimicking a real crisis in real-time.  Such exercises are highly valuable, as they most accurately reflect the unpredictability of a real incident, however they can be resource intensive and should be planned carefully.

The short answer is: everyone.  That is not to say that every individual should be involved in every exercise, but that over time, your exercise schedule should involve a broad cross-section of your organisation, including relevant members of staff and members of the senior management team.

You should also look to involve your critical suppliers where possible.  If your business continuity depends on a supplier’s ability to deliver or communicate during a crisis, their participation is necessary to ensure your plans are realistic and effective.  It is not uncommon for suppliers to technically meet their obligations in an incident, but not in the way you expect.  Exercising with your suppliers allows you to set expectations and improve real-world coordination, as well as helping to improve your working relationship with them.

The same is true of key clients.  If your service delivery is closely tied to specific customers, involving them in joint exercises helps strengthen relationships and streamline crisis communication.  

You will also need to consider emergency services.  In certain disruptive scenarios (e.g., a fire), the emergency services are likely to take control of the incident.  As such, having a clear understanding of how your plans interface with theirs is invaluable, and involving emergency services representatives in your exercises can provide you with this clarity.  Whilst availability of representatives varies, emergency services will often welcome the opportunity to participate in exercises.

BC exercising is an essential component of an effective BC management programme.  It is the mechanism by which you validate and stress-test your plans, and give your teams the necessary practise to respond effectively during a real crisis.  Ultimately, consistent exercising ensures that when disruption occurs, your organisation is prepared to maintain critical operations and recover with confidence.