There is no arguing that exercising is an essential part of business continuity (BC) preparedness. The challenge is how best to exercise our business continuity plans (BCPs) or incident management plans (IMPs). This week’s blog is the first in a series of blogs around exercising where we will lay down what we see as the essentials.
BC exercises take staff, incident team members, the IT team and anyone else deemed necessary, through different disruptive style scenarios to assess if they are fully prepared for an emergency, disruption or BC level incident, should one occur.
Exercise or test:
First things first – do we exercise or do we test? In the world of IT, ‘test’ is the typically adopted word, but in the world of business, ‘test’ implies pass or fail, whereas the real goal is one of learning and improving; hence ‘exercise’ has become the more commonly used term.
Understanding the context:
The starting point when developing an exercise programme is to identify and understand the context. The type, scale, cost, etc. of exercises must be driven by the aims or objectives of the organisation. As stated in Clause 8.5 of ISO 22301 (the International BC Standard) ‘the organisation shall conduct exercises and tests that (amongst other conditions) taken together over time validate the whole of your BC arrangements’. So before starting out, make sure you understand why you are exercising and what you are hoping to achieve.
Identify the scope of the exercise:
Now that we have a good idea of the ‘why’, we next need to consider and establish the type and scale of the exercise, in other words, the ‘what’. A global corporate style event has a high cost and provides a high degree of coverage and confidence in your global response capability whereas a desktop session with a few individuals from one department is low cost and unobtrusive and provides good local awareness. You need to decide what you want to achieve in terms of coverage in relation to dealing with an incident and then move onto the next essential.
Identify the who and also what level of challenge they will benefit from:
Selecting the audience or group to attend the exercise should be based on the scope. A simulation-style crisis event will be attended by an organisation’s crisis or incident management team members, whereas a single or multiple department’s members might attend a short desktop session. A ‘global’ level exercise will involve multiple staff, stakeholders or representatives from all levels connected with the organisation.
Before delivering the exercise, it is important to understand the group’s current levels of knowledge. Is it sensible to deliver some basic training in advance, to highlight roles and responsibilities and what to do in the event of an incident, in order to get the most from the exercise? Understanding the group’s experience level is key to deciding the balance of training and practice required. New teams with new BCPs or IMPs will need more training and less time spent on practice to start with, whereas teams experienced in handling incidents or in practising for them can be presented with more challenging scenarios.
Setting exercise objectives:
You can’t stand back and assess whether the exercise has delivered what you intended unless you set objectives. Simple and clear objectives are key to successful outcomes. Objectives must cover the aims based on the context, scope and who is involved. They must be measurable and must be agreed and signed off by the sponsor. Ah, here’s another ‘essential’ component – every exercise must have a sponsor.
Planning and writing the scenario:
So, now we have the sponsor (!), the context, scope and objectives, what next? Our next step is mapping out the exercise and putting pen to paper or fingers to keyboard. Exercises are most effective when simple, plausible and something that resonates with the group being exercised. Use real-world examples, ideally of a local or topical nature, to shape the exercise, as these will really help improve the group’s engagement. Consider your objectives and, on that basis, seek to use the knowledge of the group if relatively inexperienced in BC and incident management, and draw on their personal experiences of disruptions.
Although fires, terrorism and disasters are statistically less likely to occur than say an IT outage or a severe weather incident in the UK, they naturally lead to greater levels of engagement. But remember that no scenario is the wrong choice if the group can relate to it.
Running the exercise:
It seems an obvious statement, but do actually run the exercise. It is not uncommon to hear of well thought through and prepared exercises that just never take place. This may be due to a lack of sponsor, unsigned objectives, other business pressures or participants deciding that they have more pressing priorities than attending the exercise. If it’s the latter, ask for deputies to be nominated and to attend. After all, incidents don’t conveniently occur when everyone is in the office and nobody’s on holiday!! When you have the group together, provide introductions, set the ground rules and go! Always ensure you capture thoughts and feedback on what went well, what could have been done differently and what improvements could be made. It’s so much more effective to do it immediately, before everyone leaves the room and gets reabsorbed in their day jobs.
Summary and actions:
When you have captured the feedback, document it and again get it out as quickly as possible. Agree on a format for producing a summary of the exercise including the feedback and then manage any identified actions to ensure they are addressed. Although individuals will benefit from the exercise, if you don’t address the actions and improvements, we are back to relying on exactly the same people being available during an incident – and we know how likely that is!!
So, as stated, hopefully, we have provided you with a whistle-stop tour of the essentials of BC exercising. And whilst some of these appear obvious, you would be surprised at how many exercises we see that are missing one or more elements! Exercising presents an invaluable learning opportunity for all involved and for the organisation as a whole, particularly if the actions are tracked. It is also an excellent way to validate plans and identify whether the teams you have earmarked to manage an incident have the right mix of experience, knowledge and skills.
If done well, an exercise will always be an effective use of time, money and resources.