By Duncan Ford MBCI.
Could you get more out of your business continuity exercises? Do you have an inner concern that last year’s exercise programme didn’t demonstrate as much as you would have liked, or that there may be alternative ways of delivering the exercise that would be more cost effective and less effort?
Guidance from the various business continuity institutes and regulators, also included in recognised standards, puts a strong emphasis, quite correctly, on the essential requirement to exercise plans and recovery procedures. However, how do you assess the quality of the exercises, as opposed to the quantity? Are different types and styles of exercises being used, within an integrated programme, to meet different business needs?
Take a couple of seconds to consider whether:
- The maximum return is being gained from the time people commit to exercises;
- Different techniques could be used to engage directors and senior managers;
- The exercise(s) sufficiently challenge the organization’s assumptions about its ability to respond and recover.
Revisit last year’s exercise programme and identify areas where the actual delivery was not as effective as it could have been. There are many reasons for this, many of which may seem to be outside your span of control.
Examples below are some of the constraining factors heard in the last 24 months of exercise design and delivery for clients:
- Senior management struggle to make the time available and often feel they have to take part rather than wanting to.
- We have never had a discussion with the head of risk to align business continuity exercises with issues facing the business.
- Business divisions run their own exercise programmes: there is no integrated approach to exercise cross-business dependencies.
- We use broadly the same scenario every year because it focuses on our single most important process and risk (usually the loss of facilities) and have never invited outside agencies (emergency services, suppliers, regulators) to take part.
- Exercises are too short and never develop far enough to really demonstrate that the recovery strategies will work.
- Nobody actually looks at the plans during an exercise.
- The exercise is the only training team members are given on their role during an incident.
- There is no independent review of exercises. We always use the same observers and end up with a list of tactical points to change.
This isn’t a tick list nor an assessment but if you recognise some of these concerns, or have others of your own, then perhaps a new approach would be worth considering.
It’s not sensible to change everything at once; so concentrate on what can be influenced, starting with an improvement objective for 2015 that has the aim of getting the maximum benefit from the exercise programme.
Use the list above, or be honest about the comments you would (or have) received, and identify those areas where you can make changes quickly and easily; it could be about:
- Improving communication about the exercise programme with staff and outside agencies.
- Getting an independent review of an exercise.
- Running the exercise at a different time from last year.
- Talking to risk and governance to identify a different scenarios and building the scenarios around the risks and capability of the organization.
It’s your choice but past experience shows that the results can be amazing. Changing the approach leads to greater engagement and involvement from everyone.
Communicating about the exercises creates an opportunity to engage right across the organization and to encourage individual involvement and responsibility. This is both internal communication and external to a range of stakeholders. Get the messaging right and you not only raise awareness of business continuity but you start to build bridges and improve engagement.
Success of the crisis and continuity management exercise programme is about building and then demonstrating:
- Knowledge: of the risks and exposures and also about solutions
- Capability: from trained people and established procedures
- Relevance: your exercise programme focusses on current risks and potential impacts
- Openness: to engage at every level and share the results to demonstrate capability and relevance
- Continuous Improvement (CI): all the above help demonstrate CI.
The nature of emerging threats and major disruptions to business take many forms. The single factor which connects every instance is that it is people who must respond, sometimes late at night or under stress. In every case they have to deal with challenges which are outside the norm. When this also puts them too far outside their individual comfort zone you are heading rapidly towards crisis and potential business failure.
Capable people, who have been trained in their role, taken part in exercises which have relevant scenarios, been allowed through open discussion to identify shortcomings and the changes required to solve these problems and recognise the importance of continuity to the organization, will be confident in their capability to respond whatever the problem.
Selecting the most appropriate style of exercise, will maximise the engagement of the target audience and using different delivery styles and relevant scenarios create opportunities for embedding the business continuity message.
Together this feels like crisis and continuity management is working.
It is important that the exercise creates the right environment for learning the right lessons. Who knows, tomorrow you could be faced with a very similar set of circumstances and problems and the last thing you want is a response based on false lessons gained from ineffective past exercises.
Let’s consider ways to freshen the exercise programme to deliver the improvement objective:
Every exercise begins with discussion of the exercise objectives, assessment of how success will be measured, identifying the target audience and selection of an appropriate scenario. From this we can design the most appropriate exercise format.
Of these parameters the most important are the objectives:
Why we are doing this exercise? And identifying the target audience: Who is taking part?
- Is it team training?
- Requires a progressive programme of different styles of exercises which allow time for team members and nominated deputies to learn their individual roles, understand the process and recovery capabilities available and work out their departmental strategy.
- Preceded by briefings/training for team members to give them individual confidence.
- Is it a rehearsal of a specific recovery strategy?
- A technical exercise to test a capability probably assessable as success or failure.
- Requires a progressive programme to move from detailed testing to a large scale exercise to prove that the recovery strategy does scale up to protect the business.
- Audience is both the participants and the external stakeholders: regulators, customers and suppliers.
- Is it designed to challenge the ability to recover when faced by emerging threats?
- This is about making the response and recovery capability real.
- Work with risk management to identify potential scenarios; relevant to the organization which means the scenario is on the risk horizon with a level of impact that engages executive thinking.
- Output is new areas of work to provide business continuity management for emerging risks; better understanding of impacts which feeds back into the risk profile; senior management engagement because the outcome is relevant to their current concerns.
How can you build reality into delivery?
- Choosing the location: consider the facilities that are being used for the exercise how closely they will reflect the actual rooms, equipment, data supply in a real event? Challenge why the exercise is not being conducted in the actual facility: particularly if this is an offsite location.
- How will the scenario develop? Will the inputs feel realistic? Remember that in the real world nothing works perfectly.
- Map the scenario against the objectives so that you understand how inputs will put the focus onto particular issues.
- Use live inputs whenever possible, delivered by role players who understand the input and can answer questions confidently.
- Plan additional inputs to guide the response team towards a full appreciation of potential impacts of events to the organisation.
- How will the exercise start? Prepare to transition from briefing to response; build in surprise to develop stress and uncertainty
In the end the exercise is only limited by the planner’s imagination.
Commit this year to review the effectiveness of your exercise programme and to incorporate new techniques of exercise design considering alternative styles and making it real. Foster greater awareness of your business continuity message and ensure your people are engaged, trained and confident.
Duncan Ford MBCI is a Partner in Corpress LLP. He has practised for many years as a crisis and continuity consultant helping a wide range of organisations to become more resilient. He is also an active member of the BSI Business Continuity and Risk Management panels responsible for development of British and International standards in these subject areas. Contact at [email protected]
To help deliver these objectives check out the Corpress Exercise Checklist which can be downloaded after registration here.
•Date: 4th March 2015 • UK//World •Type: Article • Topic: BC testing & exercising