Choosing an appropriate scenario for your business continuity plan exercises
By Ray Abide
The choice of business continuity exercise scenario is an important factor in its success, but how do you go about deciding what you should focus on?
Start by determining the top risks for *your* organization but avoid being influenced by external hype and scare-stories.
For example, in the middle of flu season, it is likely that some people might suggest that an appropriate exercise would simulate a response to an increasing number of influenza cases among workers which escalates into a workforce shortage. I am reminded of the intense focus on pandemic planning during the mid-2000s when there was significant attention given to a strain of avian influenza which rarely is transmitted to humans becoming much more easily transmitted to people and setting off a pandemic; or, the H1N1 (Swine Flu) pandemic of 2009 which drove the World Health Organization to create a lot of anxiety when it raised its pandemic alert level for the first time to phase 5, meaning that a full pandemic was considered imminent. While both are still very much risks today, they became subject to high-levels of media attention but then quickly subsided when the media found something more interesting to follow.
Simple scenarios that have no direct correlation to the risks that concern management only serve to produce superficial exercises that do little to further the development of a business continuity plan and are likely to reduce the value of business continuity management in the organization.
If your business has an enterprise risk management (ERM) function or a risk committee, approach them to share their risk data and design an exercise that uses a risk already identified as a significant concern to your organization. If you do not have an ERM function or a formal risk committee, speak with the people involved with managing your company insurance policies. Often, key risks are identified in the policies and your insurance broker or carrier may be helpful in determining appropriate scenarios for your exercise.
Many business continuity exercises focus on notifying key staff identified in a call tree, assembling them for a quick briefing on the ‘business continuity event’ and then abruptly ending the exercise based upon an erroneous belief that this is an inherent limitation of a table-top exercise and any discussion of steps to be taken beyond the safety and security of staff or ‘what to do’ for the next 12-24 hours is merely hypothetical and of little value.
The real opportunity in a business continuity exercise is to explore whether the plan will support the continuity or resumption of critical business processes, not just the safety and security of staff. Many focus on staff safety emboldened by the mantra that ‘people are our greatest asset’. The reality is that in these instances the business continuity planner is either limited in subject knowledge, unempowered, or intellectually lazy in pursuit of real value in an exercise which is the capability to maintain critical business processes or guide their restoration if interrupted. By communicating clear objectives and key milestones for an exercise, all participants will learn and benefit.
A major flaw that I see in table-top exercises is that people often state what they ‘would’ do without ever determining the feasibility of that decision. What would be more constructive is that if during a table-top exercise there is a rule that when a person states they ‘would’ do something, they demonstrate that it is hypothetically feasible rather than simply an aspiration. (They should be required to explain both how and why they would take the stated action.)
Exercises are tools used to evaluate an organization’s strengths and weaknesses. Ideally, the business continuity planner continually evaluates the organization’s position against both itself and its peer organizations. Evaluation is a critical examination of an organization’s policies, procedures, terminology, equipment, training, etc. A word of caution – evaluation may become unwieldy if the parameters of the exercise are not carefully defined.
This business continuity management strategy allows for continued development of table-top-exercises with a potential for full-scale functional simulations.
The most important part in organizing an exercise is to determine its objectives. I am not speaking of vague objectives, but precise, measurable and agreed upon objectives. I have seen many exercises with vague or no objectives. Also, there are organizations that repeat essentially the same exercises, cycle after cycle. There is very little learning opportunity when this is the case.
With precise and measurable objectives, it is much easier to determine an appropriate scenario, whom to include in the exercise, its duration, after exercise action items to be addressed, and ultimately the efficacy and success of the exercise.
© 2013 CoreLogic, Inc. All rights reserved.
•Date: 3rd September 2013 • US/World •Type: Article • Topic: BC exercising