How effective are your business continuity and crisis response exercises?
- Published: Wednesday, 04 January 2023 09:06
Business continuity and crisis response exercising is a surprisingly weak area in many organizations says Robin Bucknall MA MSc MBCI. Here he looks at why this is the case and how to improve in this area.
“Planning for emergencies cannot be considered reliable until it is exercised and has proved to be workable, especially since false confidence may be placed in the integrity of a written plan.”
UK Government (1)
What’s the problem?
The benefits of organizations exercising their business continuity and crisis response plans are well documented, yet exercises remain a surprisingly misunderstood area. For many organizations they are viewed as a box-ticking chore rather than something that is proactively conducted to test and refine crisis management capabilities; and in others they are enthusiastically embraced with little understanding of what can be realistically achieved with the time and resources allocated to it.
This article will argue that the benefits to an organization significantly outweigh the disadvantages, but most organizations will have limited time, budget and resources available for exercising. To optimise success, facilitators and senior management must set realistic objectives and be clear how well the type of exercise they select will prepare them for a real-life disruption.
Art imitating life?
Inevitably within an organization there will be differing expectations for exercise outcomes and vested interests at play that will seek to expand or constrain the exercise objectives. In some cases, this may result in under-ambitious aims which result in a boring exercise and in others overly ambitious exercise aims create unrealistic pressures on the exercise participants who may end up feeling over-loaded and exposed. A disincentive to future participation.
Whichever exercise method is chosen (2), it is impossible to anticipate or reproduce every possible permutation of events that could unfold during a disruption. Real-life incidents require days or weeks to resolve, but most organizations can devote less than a day to an exercise. This creates an asymmetry in terms of the time scale over which information must be managed and business processes coordinated to deliver the multiplicity of corrective actions required, whist still delivering core outputs.
Discussion-based and scenario exercises can be used to promote experiential learning and collaborative planning to identify gaps in responsibilities, duplications of effort, flawed assumptions, and allow wider stakeholder groups to discuss the response to the incident. Exercises comprising multiple scenarios and problem sets can be a useful advocacy tool to socialise different risk profiles with senior leadership, develop and verify the significance of risks and to examine and refine existing plans. Similarly, simulation, live and test exercises can replicate the interaction between incident response teams and present the demands and interests of external stakeholders. These exercises can condition individuals to some of the pressures of an incident, but seldom the cumulative degradation and fatigue of a long-lasting crisis.
The key balance to be struck in determining the type of exercise required to achieve the organization’s needs is the likely complexity of the exercise and the corresponding preparation time needed to research and develop a plausible scenario; produce the supporting exercise data and administrative support framework. Axiomatically the more complicated and ambitious the exercise, the greater the preparation requirement.
Problem? Which problem?
For some organizations the choice of scenario can be problematic as unpalatable threats or vulnerabilities to the organization that are well understood at the operational level can be filtered out by line-management interests and never reach the executive level. There can also be a temptation to believe that a more detailed exercise means a better exercise and that more data must result in a better-quality decision by the incident response teams. Ironically, this may not be the case. After a year in the planning and a week-long cyber ransomware live-exercise, the board of a global commodity company were still split in their view of whether to pay the ransom: one third of the board believed they would not pay under any circumstances, one third were minded to pay and the last third wanted more data. Arguably this position could have been equally achieved after a three-hour strategic table-top scenario exercise.
The benefit of exercising is not to carry out an elaborate dress rehearsal for the disruption that might happen, but to develop the institutional synapses and muscle memory of how to respond to any incident. For the most part it does not matter what causes an outage, many of the impacts such as reputation management, communications, stakeholder engagement and the need to restore operational output remain the same. By training and exercising regularly through a progressive exercise programme, organizations can develop adaptive ways of thinking and problem solving, build individual and team confidence, develop competence, and confirm delegations and authorities. By utilising a range of scenarios, leadership teams can familiarize themselves with the types of problems and their associated impacts they may encounter and agree recommended approaches in advance.
One of the most valuable results from an exercise is developing an understanding by the leadership teams of what decisions need to be taken by when and determining what is the lowest practicable level a decision can be delegated. Time in a disruption is often the critical factor and through exercising, leadership teams can satisfy themselves that the tactical and operational levels have the necessary authorities to affect an immediate action with confidence.
Exercises done badly with unrealistic or implausible scenarios can be perceived as a waste of time and without participant buy-in, organizations will seldom reap any benefit. By contrast, exercises done well can be fun, confidence boosting, team-building events that break-down barriers between stove-piped divisions, promote a holistic understanding of the organization and enable better, more informed, decision making.
No exercise can ever truly replicate the complexity of a real-life disruption, but the benefits to an organization in rehearsing its decision-making sinews significantly outweigh the disadvantages in terms of cost and staff time. However, in designing an exercise, organizations need to be clear what it is they are trying to achieve and where the exercise selected fits into a progressive programme.
The bigger and more complex an exercise the more time and resources it will require in preparation, but foundational to the creation of a successful exercise is a clear set of objectives, a realistic scenario, and the preparation of suitable supporting materiel. The key is to allow sufficient time for onsite research and to harness the detailed knowledge of staff at the operational level to capture the nuance of issues and any possible second and third order effects.
Robin Bucknall MA, MSc, MBCI, is Senior Consultant, Needhams 1834 Ltd.
(1) UK Government Guidance: Emergency planning and preparedness: exercises and training, accessed 25 July 2022.
(2) Discussion-based exercises, scenario exercises, simulation exercises, live exercises or test exercises. BCI Good Practice Guidelines 2018 p90.