Planning and managing exercises for business continuity management arrangements
- Published: Tuesday, 14 June 2016 09:24
Alberto G. Alexander, PhD, MBCI, presents an overview of different BCM exercise methods and offers a methodology for designing and managing exercises within the context of business continuity management.
It is hard to believe that our armed forces, national guards, policemen and firemen would not exercise to validate that they could perform according to certain standards when required. The same is valid for business continuity management systems (BCMS). One of the oldest axioms for BCMS is that a plan that is not tested or maintained is of little value or in some cases worse than no plan at all. It is absolutely crucial that all the people who are expected to play a part in the business continuity management (BCM) arrangements understand their roles and feel reasonably comfortable with them.
Organizations must use the outputs from the business continuity strategy to develop and implement appropriate plans and arrangements to ensure continuity of critical activities and the management of incidents. To pursue this, the organization is required to build an incident response structure (IRS) and document business continuity plans that detail how a firm will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.
Organizations should document an incident management plan (IMP) that will allow the firm to plan in a very rational way how it will organize human effort to implement its business continuity strategies.
To put into action an IRS or an IMP the organization needs to have people with roles and responsibilities clearly defined, procedures and work instructions well understood.
The only way a company can assure that its BCM arrangements are validated is through exercises. The main purpose of the exercising stage in the BCM is to “validate the business continuity strategy, activities, assumptions regarding times (maximum tolerable period of disruption, recovery time objectives) procedures and work instructions specified in the business continuity plan” (Alexander, 2007). Gaps and weaknesses within the plan are identified in this stage. The idea is very simple; it is highly desirable to find the gaps and shortcomings during an exercise rather than to discover them during a real crisis situation. BCM arrangements have to be practiced and as a consequence will be reviewed and kept up to date. A company that does not have records to show that its BCMS arrangements have been tested and are ready to be implemented cannot assure it has a reliable BCM.
Regarding exercises, the purpose is to verify the ongoing effectiveness of the BCMS arrangements and to provide greater assurance following an incident that critical activities will be recovered as required.
- Develop exercises that are consistent with the scope of the BCM;
- Have a programme to ensure that exercises are carried out at planned intervals and when significant changes occur;
- Carry out a range of different exercises that taken together validate the whole of the business continuity arrangements;
- Plan exercises so that the risk of an incident occurring as a direct result of the exercise is minimized;
- Produce a written report of the exercise, outcome and feedback including required actions.
A methodology for planning and managing exercises for BCM arrangements is discussed below.
Planning exercises for BCM arrangements
A very important document needed for planning exercises is the so-called ‘program exercise’. This document gives details regarding the areas that will be exercised within the scope of the BCM; defines the outcomes of the exercise, and explains the types of exercises that will be used; determines its frequency; and refers the responsibility for coordinating the program. This is a control document and it should be approved by top management. A program exercise allows a company to plan for its exercises, usually on a yearly basis. The document should be communicated to all employees in the company who contribute to the enhancement of BCM awareness in the firm. Figure one provides an illustration of the content of an exercise program for a particular BCM scope.
Figure one: Programme exercise.
There are several different methods for exercising, each with advantages and disadvantages. Each organization will need to select methods appropriate to the state of maturity of its BCMS and, obviously, to the size of its business continuity budget. A very important issue is that exercises should be congruent with the organizational culture.
The following are some of the main exercise methods:
1. Talk through. This method consists of “probing exactly how the plan would work” (Hiles, 2000) Questions are asked about what would happen in specific circumstances and how the recovery objectives would be achieved in detail. Usually someone undertakes this method other than the plan developer or team leader responsible for the plan. The main advantages of this method are that is cheap, involves minimal interruptions to the business, and can be arranged at short notice. The main disadvantage is that it has little training value.
2. Walk through. This method differs from the talk through exercise in that it is more physical. It may involve actions like “calling people to check their contact lists are correct, traveling to the standby site, entering the control room and physically checking the continuity inventory is there” (Flynn, 2008). The main advantages of this method are that it is cheap, involves minimal interruption to the business, can be arranged at short notice, and is more rigorous than the talk through, since it involves physical action. The main disadvantages are that it has little training value, although more than the talk through.
3. Role play scenario. This exercise “is done against a specific scenario and planned out in great detail with the objective of making the exercise scenario as realistic as possible,” (Flynn, 2008). The scenario may start by taking an actual operational incident that could develop into a disruption. It could involve actual actions of the ‘incident response structure’ and the invocation of the ‘incident management plan’.
This method can be very elaborate. When running a role play scenario, the following things need to be considered:
- Initial briefing common to all teams.
- Specific additional information for each team involved.
- Situation reports to provide information on damage assessment and the state of the disruption.
- Scripts, timing activities and incidents down to the minute.
- Version of the scripts for observers showing what is expected to happen and when.
- Briefings for people who are to be simulated (customers, suppliers, top management).
The main advantages of this method are: has an excellent training value; it is challenging to participants and can be made extremely rigorous; and it challenges the business continuity plan. Its main disadvantages are: it is much more expensive than talk through and walk through; it may involve considerable interruption to the firm; it involves a lot of detailed planning.
4. Full interruption exercise. This exercise method “activates all components of the business continuity plan and assumes all critical business process is disrupted” (Syed, 2004). The full interruption test involves all business continuity exercise teams, alternate recovery facilities, offsite storage facilities, service providers and vendors.
Unlike the role play scenario, this exercise is larger in scope and involves actual operations and activities specified in the plan. The main advantages of this method are: it has an enormous training value; it really challenges the complete business continuity plan. It has the following disadvantages: it is costly and can interrupt normal operations. It needs careful exercise planning and scheduling to minimize cost and impacts to normal business operations.
The organization is a complex operation; business continuity and procedures can be complex, exercising is itself quite a complex procedure. It is imperative to consider all issues before embarking on an exercise. When choosing which method(s) to use, business continuity managers should consider the following. The exercise must:
- Be practical and cost effective;
- Be appropriate to the organization;
- Be incremental in terms of complexity;
- Grow incremental confidence.
In addition, ask whether the exercise may also have marketing benefits.
An exercise program for business continuity should combine both announced and unannounced exercise methods. When the announced exercises are used the timing and scheduling of the exercise is communicated to the business continuity teams well in advance of the start date. This method is the one that traditionally is part of the content of the exercise program. The unannounced exercise is kept in secret from the business continuity teams until the start of the exercise.
One of the main shortcomings of announced exercises is that they fail to test the state of constant readiness and the ability of the business continuity teams to react quickly. The unannounced exercise method is very important and is not used as often as it should be in many organizations. Incidents occur without warning. Companies should put more emphasis on unannounced exercises for testing the constant readiness of the teams and their ability to react to the surprise announcement of the exercise. It is appropriate to initiate unannounced exercises once the business continuity teams have gained enough training and confidence in announced exercises.
Process for planning exercises
For exercises to be effective they have to be well planned. A methodology is presented in figure two that details the sequence of steps that should be followed to plan an exercise.
Figure two: Process for planning exercises.
The various items in the methodology are discussed in more detail below:
1. Review previous exercises
When planning a future event, the results of previous exercises should always be considered. There should always be a natural progression from simple to complex exercises.
The information from previous exercises is very useful in identifying the current exercise objectives. Some of the most important issues in reviewing past exercises help determine:
- Components and areas of the business continuity plan that have not been part of an exercise.
- Components and processes of the business continuity plan that did not work.
Challenges and obstacles encountered during execution of the previous exercises can help identify exercise risks in the current plan.
2. Identify exercise objective and scope
Exercise objectives define the criteria for success. It is essential to define the exercise objectives in very precise and measurable terms. Normally the time allocated and the budget available for exercises is limited, so it is helpful to divide the exercise objectives into basic and secondary. The basic objectives are the vital ones. They focus on areas of the business continuity plan that must be achieved in order to consider the exercise successful. Secondary objectives include areas of the business continuity plan that are desirable yet the failure to do so does not render the exercise unsuccessful. Secondary objectives are assigned a lower priority for exercise purposes compared to the basic objectives and, therefore, they are only attempted if time and resources are available.
The following are some examples of basic objectives:
- Determine the fit for purpose of the business continuity plan.
- Determine the adequacy of the available resources.
- Determine the effectiveness of the backup plans.
- Restore critical applications identified in the business continuity plan.
This is an illustration of what secondary objectives could be:
- Recover specific distributed application.
- Reroute communications to the recovery facility.
- Test the transition to the original or cold site once the recovery at the alternate site is complete.
The exercise scope, which identifies the overall depth and breadth of the exercise, can range from testing specific parts of the business continuity plan to exercising the entire business continuity plan. Usually the exercise scope describes:
- Phases, activities and procedures of the business continuity plan to be exercised.
- Business units and business continuity exercise teams required to conduct the exercise.
- Business partners, vendors and suppliers assisting with the exercise.
The exercise scope should also explicitly outline any key areas of the business continuity plan that will not be tested.
3. Assess exercise constraints
The exercise constraints are elements that limit or restrict the options available for conducting the exercise. A clear understanding of the exercise constraints and their potential effects on an exercise is essential for developing a viable test strategy, logistics and schedule. Some examples of possible exercise constraints could be:
- Financial constraints. A limited exercise budget due to financial constraints can affect the exercise in different ways.
- Security restrictions. The exercise may require access to confidential data and transactions and sensitive systems and facilities.
- Availability of business continuity test teams. The availability of team members can become a constraint if the testing period conflicts with the team members. Team members may have planned vacations or may have vital day to day commitments during the test period.
4. Designing the exercise strategy
This step defines a strategy to achieve the test objectives previously defined in Step 2. The strategy information related to any current test objectives in previous exercise plans can be used in this step as a basis for developing the current test strategy. One of the purposes of this step in the proposed methodology is to ensure that the exercise plan is consistent with the test constraints identified in Step 3.
An exercise strategy has different components that need to be considered in the development of the test strategy. These components are described below.
a) Timing. Establishing a date, time and duration of the exercise requires careful consideration of the test constraints and the availability of required resources. Exercise timing is determined through an evaluation of the readiness and availability of various resources, such as: 1) test software and data, 2) specialized test equipment, 3) business continuity exercise teams, 4) recovery hardware.
As a general rule, the test timing should minimize impacts to normal business operations and avoid peak workloads, holidays and important business events.
b) Exercise methods. Some different exercise methods were presented previously (talk through, walk through, role play scenario, full interruption). The exercise strategy step selects the most appropriate testing method and also determines if the test will be announced or unannounced.
As a guideline, simpler and basic tests should be carried out prior to more complex tests.
c) Exercise scenario. An exercise scenario is a basic element of the exercise strategy. The exercise scenario describes the business disruption in terms of the following components: (1) Type of disruption: the type of disruption selected to test the business continuity arrangements must be realistic and credible. The type of disruption should correspond to real life events relevant to the company and its environment; (2) Disruptive narrative: the disruption narrative describes the business disruption events and conditions related to the test scenario. The disruption narrative usually includes two elements: the date and time of the disaster and the sequence of events and conditions following the disruption, specifying how the disruption impacts the business critical activities.
5. Exercise logistics
The logistics process plays a very important role in the business continuity arrangements testing. Exercise logistics is a process that deals mainly with four areas of concern:
- Formation of business continuity test teams: the size, structure, and members of the teams depend on the test objectives and scope. A business continuity test team is selected if its roles and responsibilities are essential for achieving the test objectives.
- Test resource procurement: to be able to ensure timely availability of required resources, a detailed list of resource procurement tasks is prepared and executed well in advance of a test date. Advance preparations are a key to minimizing costs and impacts to test timing due to unexpected delays in resource order processing, shipment and setup.
- Mobilization of personnel: the business continuity plan test generally requires mobilization of business continuity test teams to remote locations such as off-site storage facilities, alternate IT recovery facilities, alternate manufacturing and production facilities, alternate office work areas and crisis management facility. Planning and implementing logistics activities are crucial to mobilize business continuity test teams.
- Test facilities provisioning: the business continuity test plan includes logistics activities to ensure the availability of test facilities that can adequately support the test requirements.
6. Development of exercise schedule
A test schedule, like any other project schedule, demands careful planning and management skills. A test schedule details the list of recovery activities, procedures, tasks, priorities, assignments, start and end dates and times, and dependencies. Usually a test schedule divides activities into three phases:
- Test preparation phase,
- Test execution phase, and
- Test evaluation phase.
The test preparation phase begins once the business continuity test plan document is developed. The activities in this phase include pre-test meetings with offsite storage vendors and alternate recovery facilities providers. The test logistics activities of the business continuity test plan begin during the test preparation phase.
The actual test is conducted during the test execution phase at the date and time specified by the test strategy. This phase usually covers recovery activities that are part of the test objectives. The test schedule organizes these activities into appropriate recovery strategies.
The test evaluation phase begins immediately after the completion of the test execution phase. The test schedule should include activities to evaluate the test results, produce an evaluation report and present the contents of the evaluation report to management. The main purpose of these activities is to evaluate the extent of success in achieving the test objectives, teams’ performance, problems encountered during the test, and gaps and weaknesses observed in the business continuity arrangements.
7. Exercise risk identification
This step of the methodology identifies and controls potential risks of tests failures based on a thorough review of all the information gathered in the preceding steps.
Once the risks are identified, the teams should review the risks, determine possible solutions for minimizing the risks, and incorporate the accepted solutions into the business continuity test plan.
8. Post exercise written report
Once the exercise is over the organization will have invested considerable resources in the design and delivery of the exercises. The firm needs to develop a process that will generate information to assess the effectiveness of the exercises and that will allow the firm to initiate improvement actions. The standard ISO 22301:2012 states in clause 4.4.2 (f) “the organization shall carry out post exercise review of each exercise that will assess the achievement of the aims and objectives of the exercise and in 4.4.2 (g) states that the “organization shall produce a written report of the exercise, outcome and feedback including required actions”.
To conform to the standard a comprehensive report is required, which should reflect what took place on the day and be linked clearly to the exercise aims and objectives. Once the report is completed, it should provide objective evidence for:
- Identifying amendments to the existing incident management plan, supporting procedures and processes.
- Alternatively identifying requirements for producing a new plan.
- Identifying and justifying future training requirements for individuals and teams.
- Identifying and justifying additional resources to enhance the current capability.
- Identifying objectives for future exercises.
- Providing audit evidence of the effectiveness of the company´s approach to incident management.
A report should have the following sections:
These are the basic questions that an executive summary should answer:
- Did the exercise achieve the aims and objectives? A short statement is recommended that will summarize the exercise, the overall performance of the teams and the effectiveness of the plan.
- What were the key findings? Here it is recommended to select the two or three key themes that emerged during post exercise analysis.
- What are the main recommendations? The recommendations should be those that the strategic level will support so that future enhancements to the current capability can take place.
The main body of the report should cover the different observations regarding the performance of the teams during the exercise. The way to obtain this information is to follow a methodology. The gathering of observations requires a debriefing session with participants of the exercise. The debriefing session, which is mainly an evaluation activity, is basically a short session in which a small group of exercise participants assemble, ideally within a week after the exercise, to discuss in detail their experiences of the exercise. This session is usually carried out by the debriefing session leader, who is a member of the evaluation team that conducted the debriefing session. The individual should not be an exercise player but should be present to observe the entire exercise.
In this section of the report the findings and recommendations for improvement are presented to the strategic level in the organization. An action plan is recommended. An action plan summarizes the findings, establishes the requirements, and makes clear recommendations for actions and details ownership. An action plan details the steps to be followed in the next event.
It is very important to always be very clear when writing a report. Unless a report is presented in a clear and interesting fashion no one will want to read it!
The only way an organization can make sure that its business continuity plans work is through planned exercises. It is absolutely crucial that all the people who are expected to play a part in the business continuity management arrangements understand their roles and feel reasonably comfortable with them. This can only be accomplished with exercises.
The design and management of exercises need to follow a structure methodology for them to be effective and efficient. A very important ingredient for the design and management of exercises is the active participation of the organizational strategic level.
- Alexander, Alberto Diseño y Gestión de un Sistema de Seguridad de Información. Edit. Alfa Omega, Bogota. 2007
- Hiles, Andrew The Definitive Handbook of Business Continuity Management. John Wiley and Sons, 2007, London
- Flynn, Dennis. Delivering Successful Business Continuity Management Exercises Crisis Solutions, London, 2008.