SUBSCRIBE TO
CONTINUITY BRIEFING


Business continuity news

Never miss a news story: signup for our free weekly email newsletter.

REGIONAL PORTALS
Continuity Central currently offers three regional business continuity portals:
North America
United Kingdom
Asia Pacific / Australasia

Business Continuity books

In Hindsight - A compendium of Business Continuity case studies

Add to Google  

Use Google?
Click the button to add Continuity Central news to your Google home page
.

Follow us on Twitter  

Get immediate news
and information updates via our Twitter feed.

SUBMIT YOUR NEWS
To submit news stories to Continuity Central, e-mail the editor.

NEWSFEED
Want an RSS newsfeed for your website? Click here

OUR COOKIE POLICY
Before using this website ensure that you understand and accept our cookie policy. More details

Choosing an appropriate scenario for your business continuity plan exercises

By Ray Abide

The choice of business continuity exercise scenario is an important factor in its success, but how do you go about deciding what you should focus on?

Start by determining the top risks for *your* organization but avoid being influenced by external hype and scare-stories.

For example, in the middle of flu season, it is likely that some people might suggest that an appropriate exercise would simulate a response to an increasing number of influenza cases among workers which escalates into a workforce shortage. I am reminded of the intense focus on pandemic planning during the mid-2000s when there was significant attention given to a strain of avian influenza which rarely is transmitted to humans becoming much more easily transmitted to people and setting off a pandemic; or, the H1N1 (Swine Flu) pandemic of 2009 which drove the World Health Organization to create a lot of anxiety when it raised its pandemic alert level for the first time to phase 5, meaning that a full pandemic was considered imminent. While both are still very much risks today, they became subject to high-levels of media attention but then quickly subsided when the media found something more interesting to follow.

Simple scenarios that have no direct correlation to the risks that concern management only serve to produce superficial exercises that do little to further the development of a business continuity plan and are likely to reduce the value of business continuity management in the organization.

If your business has an enterprise risk management (ERM) function or a risk committee, approach them to share their risk data and design an exercise that uses a risk already identified as a significant concern to your organization. If you do not have an ERM function or a formal risk committee, speak with the people involved with managing your company insurance policies. Often, key risks are identified in the policies and your insurance broker or carrier may be helpful in determining appropriate scenarios for your exercise.

Many business continuity exercises focus on notifying key staff identified in a call tree, assembling them for a quick briefing on the ‘business continuity event’ and then abruptly ending the exercise based upon an erroneous belief that this is an inherent limitation of a table-top exercise and any discussion of steps to be taken beyond the safety and security of staff or ‘what to do’ for the next 12-24 hours is merely hypothetical and of little value.

The real opportunity in a business continuity exercise is to explore whether the plan will support the continuity or resumption of critical business processes, not just the safety and security of staff. Many focus on staff safety emboldened by the mantra that ‘people are our greatest asset’. The reality is that in these instances the business continuity planner is either limited in subject knowledge, unempowered, or intellectually lazy in pursuit of real value in an exercise which is the capability to maintain critical business processes or guide their restoration if interrupted. By communicating clear objectives and key milestones for an exercise, all participants will learn and benefit.

A major flaw that I see in table-top exercises is that people often state what they ‘would’ do without ever determining the feasibility of that decision. What would be more constructive is that if during a table-top exercise there is a rule that when a person states they ‘would’ do something, they demonstrate that it is hypothetically feasible rather than simply an aspiration. (They should be required to explain both how and why they would take the stated action.)

Exercises are tools used to evaluate an organization’s strengths and weaknesses. Ideally, the business continuity planner continually evaluates the organization’s position against both itself and its peer organizations. Evaluation is a critical examination of an organization’s policies, procedures, terminology, equipment, training, etc. A word of caution – evaluation may become unwieldy if the parameters of the exercise are not carefully defined.

This business continuity management strategy allows for continued development of table-top-exercises with a potential for full-scale functional simulations.

The most important part in organizing an exercise is to determine its objectives. I am not speaking of vague objectives, but precise, measurable and agreed upon objectives. I have seen many exercises with vague or no objectives. Also, there are organizations that repeat essentially the same exercises, cycle after cycle. There is very little learning opportunity when this is the case.

With precise and measurable objectives, it is much easier to determine an appropriate scenario, whom to include in the exercise, its duration, after exercise action items to be addressed, and ultimately the efficacy and success of the exercise.

The author
Ray Abide is responsible for the business continuity program for CoreLogic, a comprehensive data, analytics and services company based in Irvine, California. He is a Certified Business Continuity Professional and Certified Public Accountant. Ray lives in Dallas, Texas. He may be contacted at rabide@corelogic.com, www.linkedin.com/in/rayabide or www.rayabide.com

© 2013 CoreLogic, Inc. All rights reserved.

•Date: 3rd September 2013 • US/World •Type: Article • Topic: BC exercising

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.
   

How to advertise How to advertise on Continuity Central.

BCM software

BCM software

Phoenix

Business continuity software

The Business Continuity and Resiliency Journal