By Chris Bakowski, MBCI.
As we are all aware, a business continuity plan is only effective if it accurately reflects the needs, technology and structure of the organization. But, more importantly, a business continuity plan can only be considered to be truly effective if the content and the components of the plan have been exercised.
Continuous exercising ensures that there are no gaps or issues; that the key people involved in the emergency response and/or business recovery teams are fully aware of their respective roles and responsibilities; and helps ensure that teams will interact effectively during a major operational disaster.
I am often asked what is required to ensure that an exercise is effective. In essence, the key components of an effective exercise can be broken down into three simple activities:
1. Planning and preparation
2. The exercise itself
3. Exercise outcomes and remediation.
1. Planning and preparation
An exercise’s effectiveness has a direct correlation to the amount of planning and preparation completed beforehand.
A poorly planned and constructed exercise will result in poor outcomes; the exercise participants will become disillusioned with the business continuity process and they will question their future participation in similar exercise activities.
A number of key elements in the planning and preparation process are the consideration of the following:
* What type of exercise will we conduct?
* What type of exercise scenario will be used?
* Who will participate in the exercise activity and what level of knowledge and understanding of the business continuity management process do the participants have (including their roles and responsibilities)?
* What parts of the business continuity plan will be tested?
* Who will facilitate and observe the exercise outcomes?
The first step is to determine the level and scale (i.e. complexity) of the exercise, as well as to contemplate any risks that may be associated with it. An organization with an immature or poorly tested business continuity plan should not contemplate a complex exercise such as a Function End to End Exercise, involving the physical relocation of business functions and the associated staff to an alternate site. It is highly likely that this type of exercise would be destined to fail.
If an organization was insistent on running such a complex exercise, it should at least be highly conscious of the potential operational impacts and associated risks in undertaking this type of exercise activity, particularly where it is considering relocating functions and staff to alternate sites or considering the fail-over of the IT environment to support the relocation process.
Effective exercising is about learning to ‘walk before you run’, so it is important that the type of exercise is commensurate with the organization’s BCM maturity.
The planning process also needs to consider the nature of the exercise scenario. Ideally the nature of the scenario needs to be pragmatic and, more importantly, should be an event that is plausible. The ‘big bang’ approach may look impressive, but it should be remembered that we are trying to highlight an event that has a greater likelihood of occurring and which therefore reinforces the need to have an effective business continuity management program in place.
Small-scale localised events, such as leaking plumbing, office fires due to shorted electrical equipment, staff health issues associated with pandemics, sprinkler heads being knocked and activated, power shortages and so on, are far more credible scenarios and hence far more realistic.
This ‘softly softly’ approach will ensure greater audience participation, rather than using an event that is highly improbable and causes wide-scale devastation and may be difficult for the audience to fathom.
As part of the scenario planning process, do a visual inspection of the local area to see if there are any obvious ‘threats’ that could be used to form the basis of your scenario. In exercises that I have helped plan, we have had examples of client sites where construction work using overhead cranes is involved and where these have been in direct line of sight (and reach) of the primary operating site. We have also had sites where hazardous chemicals are stored within close proximity of a key operating area. Alternatively, consider other tenants that are located in the building or local area. What incidents with these neighbours could have flow-on impacts for your organization?
In terms of the components of the business continuity plan to be tested; in the initial instance it may be pragmatic to only focus on the organization’s immediate response to the operational disruption. You may decide to simply consider the first few hours of the event as opposed to delving into the business recovery aspects of the operational disruption.
Depending on the understanding of the exercise participants, you may decide to test both emergency response and the business recovery processes, but limit the recovery timeframe to perhaps the first two days. This approach would enable the exercise participants to focus on those operational areas that would need to be contemplated in terms of the recovery of the time critical business functions and services within the defined timeframe.
The exercise participants would consist of a combination of the crisis management team as well as the recovery coordinators responsible for implementing their recovery procedures.
Once the exercise participants, the components of the business continuity plan to be tested and the scenario have been identified, the last stage of the planning process is to identify who will facilitate the exercise and who will act as an observer. Given the importance of these roles, these activities need to be undertaken by people with appropriate training and skills in these areas. The facilitator’s role is to ensure that discussions and responses remain focused, that people do not get bogged down in issues during the exercise, and that the exercise remains ‘on track’. The observer can also help the facilitator by suggesting that the participants move on if they believe an issue is becoming too granular or the group is getting too focused on solving the issues identified.
2. The exercise itself
During the exercise activity it is important to ensure that all of the participants have access to the business continuity plans and any other reference material that would be considered appropriate or have access to spare copies of the documentation, where appropriate.
In establishing the context of the exercise activity, it is important that the exercise participants are aware of the purpose of the exercise, its objectives and the key outcomes that are expected to be achieved.
The role of the exercise facilitator (director) and the observer should also be clarified to all of the exercise participants.
As an exercise usually involves key executives as well as business managers, it is imperative that the exercise facilitator maintains an appropriate balance between testing the participants’ knowledge and understanding of the business continuity process and respecting individual comfort levels. An effective facilitator will ensure that nobody is ‘hung out to dry’ or made to look bad if they are unsure of the BCM documentation or of how they should respond to a situation during the exercise itself. If this happens, it is important that the facilitator provides appropriate prompts and suggestions as a trigger to help the exercise participants work through the situation.
While one of the key exercise objectives is to identify and document issues and gaps in the BCM documentation and supporting recovery procedures, it is also important not to labour these points and become bogged down trying to think of solutions. This becomes counterproductive and distracting. What is important is that the issue or gap is highlighted and the observer has noted that the issue requires further remediation.
At the conclusion of the exercise scenario it is always good to allow the exercise participants a five to ten minute break before proceeding with the exercise debrief. This allows them time to get their minds and thoughts out of the exercise scenario and back into the ‘real’ world.
The purpose of the exercise debrief is to seek feedback regarding:
* Initial incident response: key learnings…
* Operational relocation, restart and recovery: key learnings…
* Feedback from observers:
• What happened?
• What went well?
• What could we improve?
* What have you learnt about exercising?
* Next steps.
3. Post exercise: exercise outcomes and remediation
It is important that the key issues and gaps identified during the exercise activity be documented and formalised into an exercise report.
The exercise report will consist of a list of all of the issues identified during the exercise activity, each of which requires some form of remediation or at least further consideration in the context of the organization’s business continuity management program.
The content of the exercise report would provide a summary of the exercise specific to:
* The purpose and objectives of the exercise;
* Who participated in the exercise; and
* The components of the organization’s BCM program that were used and tested for their effectiveness during the exercise session.
In terms of the issues identified during the exercise, these should be categorised as a means of simplifying the management and remediation of the issues and broken down as follows:
* Emergency response
• Key issues
* Emergency response – policy
• Key issues
* Business recovery
• Key issues
* Business recovery – policy
• Key issues
* General issues.
The gaps and issues identified by the exercise should be prioritised by the organization based on potential impact and addressed as a set of separate activities. These should be assigned to the appropriate person within the organization, who is then accountable for the remediation of the gap/issue within a prescribed timeframe.
It is important that each of these issues is tracked and monitored to completion. This will ensure that the same issues do not continue to resurface when subsequent exercises are undertaken.
Finally, as part of the exercise process, an exercise program should be established: a structured and agreed program of independent exercise activities, signed off at the executive level, that is required to be completed over a defined period of time. This will ensure there is an agreed timetable of exercise events, thus stopping these activities from ‘slipping through the cracks’.
Executive endorsement of the exercise program also shows the management team that regular testing of the organization’s BCM capability is supported at the highest level. Based on the exercise program, this will enable the complexity and scale of the exercises to grow in line with the organization’s BCM maturity.
In conclusion, the key message to remember is that there is no such thing as a failed exercise! Good luck and happy exercising!
Author: Chris Bakowski, MBCI, is senior consultant, LINUS Information Security Solutions. www.linus.com.au
Date: 15th Jan 2010 • Region: Australia/World • Type: Article • Topic: BC exercising