How to exercise your crisis management team
By Chris MacArthur, CBCP, MBCI.
The new chief information officer summoned two executives and myself, the BCP coordinator, to his office to be briefed on our business continuity management program. As we reviewed the latest executive dashboard report, I could sense his growing impatience. Finally, he blurted out that while he appreciated the update, he really needed to know what exactly to do if disaster struck one of our data centers.
Is your crisis management team (CMT) ready for the unexpected? Do you feel comfortable that they know exactly what to do in a disaster situation? Don’t fall into the trap of assuming that, just because they are executives, they will be able to ‘figure it out.’ As we all know, a disaster is not the time to think about what to do next. Now is the time to take steps to improve your organization’s readiness to respond to a disaster while boosting the credibility of your plans and organization.
- Improve confidence in knowing exactly what to do. By facilitating a well-planned exercise, you give the CMT more experience and knowledge about how they should respond in a disaster scenario.
- Save valuable time and effort. It is said that in a serious medical emergency there is a ‘golden hour’: a brief window of time - often sixty minutes - following an injury in which critically injured patients have a higher chance of being saved if they receive prompt medical treatment. Based on my personal experience, if your senior management are familiar with the pre-defined protocols to follow within the first 60 minutes of a disaster being declared, then a more favourable outcome is more likely. Precious time will be saved if they are provided with awareness and training on how to respond.
- Provide knowledge on the appropriate response actions to take. During a crisis management readiness exercise your executive team will acquire more knowledge of the response action steps they may need to take when faced with a disaster. This may help to reduce the severity of the crisis, as some confusion would be alleviated.
Let’s now explore concrete ideas to help you improve the readiness of your CMT. Although there are many choices available, I would like to recommend a table top exercise. This type of exercise is low in cost, is highly likely to find errors, and will contribute to your executives’ ability to respond more quickly and effectively, all in a non-threatening environment. Let’s explore some steps to consider as you develop this type of exercise.
CMT table top exercise design
As you begin to design your CMT readiness exercise, treat this like a project. This means you will need clear objectives, scope, timeline, budget, top management support, and stakeholder involvement. Although the actual table top exercise should last about two to three hours, there are many hours of preparation needed to ensure you will have a successful outcome.
Here is an outline to assist you:
- Obtain support and commitment from senior management. I recommend you develop a clearly worded memo to the CMT stating the purpose of the exercise, the benefits, and expected outcomes. Don’t forget to include the budget required (e.g. catering costs, travel for out-of-town participants, meeting room costs), and the date and duration of the exercise. Due to the amount of advance planning required, aim for an exercise date at least two months away. Prior to sending the memo, verify that there are no other conflicting events which may prevent the majority of your CMT members from participating. Although this may be a challenge, each CMT member should have a pre-designated back-up person. If the primary isn’t available, then the back-up person should be invited to participate.
- Scope and objectives. Considering our data center example, you will need to form a working group comprised of stakeholders from the data center, a CMT member (alternate member is suggested), communications, operations, and other groups as required.
- Craft a memo inviting your stakeholders to the working group meeting. Once again you will need to articulate the purpose, benefits, time commitment, and expected outcome of the exercise. With regard to the time required, state that there will be a need to meet bi-weekly for about one to two hours for the next two months. Experience has also shown that if this stakeholder memo is sent from an executive sponsor, it may have more impact. Doing this clearly demonstrates top management support, and it will influence your stakeholders.
- Develop key issues to focus on in the table top exercise. When engaging stakeholders, consider using open-ended questions to get the discussions flowing. This should help you to identify some common areas of concern. Review any prior documentation that may help you better understand how your CMT responded to previous business interruption events. Obtain agreement from key stakeholders on the key issue(s) that need to be focused on in the exercise. For example: All CMT members need to clearly understand their roles and responsibilities in determining whether or not to invoke affected disaster recovery plans.
- Identify exercise objectives. Once you have agreement on the issues, engage your stakeholders in discussions to set two to three exercise objectives. Some possibilities are:
- Scenario development. Involve the working group members in developing a scenario and in selecting a triggering event. One possible source is the results of a recent BIA. Should your BIA not be up to date or not yet be finalized, you may consider facilitating a discussion with the working group to reach a common understanding of the threat landscape. This conversation would need to identify threats and risks, list the internal and external risks, categorize the probability of occurrence and impact, and identify current mitigation strategies and controls that are in place.
- Once this information has been documented, it may be helpful to complete a risk and vulnerability assessment. As you know, this requires reviewing the data you have compiled, then classifying the risks and vulnerabilities of the data center and assigning a weighting factor to each. This information will be included in your table top scenario, and will also aid the team immensely in risk mitigation for the data center.
- The final step is to prioritize the threats and vulnerabilities based on the weighting factor. I suggest that you consider a matrix to make this information more visual. Please note that during the table top exercise the CMT members will be asked to also review, validate, and prioritize this information.
- Prepare a crisis response team guideline package which participants would refer to during the exercise. Some points to consider in this guide include:
You now have all of the ingredients necessary to deliver an effective table top exercise, which should last no more than two to three hours.
In conclusion, a well-planned crisis management team table top exercise can significantly improve the readiness of your executive team. They will be better equipped to make informed decisions while the clock is ticking. There is no question this will also raise awareness on the strategic value of the business continuity management program and boost the credibility of your plans and your organization.
Sample CMT Quick Reference Guide
• Date: 18th May 2012 • North America • Type: Article • Topic: Crisis management