Ten steps to a great business continuity exercise
- Published: Friday, 06 March 2015 10:16
By James Stevenson
The first few exercises I ran were pretty nerve-wracking. Would the plans work? Would the team play nicely or start throwing stuff? Would they realise I was new to this?
Since then I’ve been fortunate to work with many different groups around the world facilitating exercises, coaching and training new business continuity managers to design and run their own successful exercises.
It’s not rocket science but there is a skill to setting up and running a great exercise.
To help with this, the ten steps below are packed full of tips and suggestions to develop this skill, run great exercises and maximise your business continuity programme:
1. People first
Well ahead of the exercise it’s important to understand the people involved:
- Who’s the sponsor for the exercise? Are they ready to commit the resources (people and cash) required? What experience do they have in this area and why do they want the exercise?
- Who’s in the team being exercised and what experience or training have they had?
Part of this investigation is to determine how difficult the exercise needs to be. In my experience, a new local team learning their way around the plans will gain more knowledge, confidence and enthusiasm from properly managing a smaller incident rather than failing miserably to manage a fast-paced massive incident; you could work up to that over time.
- Who’s going to prepare and facilitate the exercise? Experience facilitating exercises or other activities will help. It may also help if the facilitator is from another area and is prepared to challenge management in the team and provide feedback where needed.
- Never try to facilitate the exercise and play a role on one of the teams.
2. Understand the business
Understand the business and the state of its business continuity and disaster recovery plans.
If you’re planning an exercise for a business that you’re unfamiliar with then you’re going to need help from someone in the business. Find someone in the business who isn’t part of the team being exercised and who will help you to understand that area. Then together you can develop the exercise objectives and a realistic scenario that will grab the team’s attention.
- Site plans / layouts / process flows.
- BCPs / incident management plans.
- What they do / how it works / what goes wrong / what they worry might go wrong.
- Any special customers / suppliers / third parties of concern?
- Any useful information in the risk register?
3. Balance training and practice
There’s no point launching straight into an exercise if the team don’t know how to work together and manage an incident. So, well in advance, the facilitator needs to gently assess the capability of the team and decide on the required balance of training and practice.
New teams with new plans will usually benefit from an introduction to incident management followed by a simple desktop exercise. After that they’ll better understand their abilities and where future training or practice should focus.
Executive teams might not have the patience for training but appreciate a short process update or briefing, just in case they’ve not read the plans for a while.
4. Set exercise objectives
You need to develop simple, clear objectives for the exercise.
- To set the exercise objectives, think about the change that you want to see as a result of the exercise.
- This isn’t a comprehensive list but to offer a prompt, consider exercising or validating aspects of the team’s capability, or policies and procedures associated with: emergency response arrangements; communication systems; evacuation routines; incident control rooms; coordination with emergency services; media response; social media response; incident management; business continuity plans; crisis management plans; off-site recovery plans; IT disaster recovery; IT system penetration; supplier incident management; employee communications; incident management tools etc.
- If there are measurable targets that can be tested with pass / fail criteria then these make simple, clear objectives. For example: meeting a recovery time objective of [X] hours for a certain system.
- Consider if this exercise is part of a programme, which over time will cover all the elements needed.
- Think about the team deputies and decide if they’re in scope or not. You could exercise them separately or have them play as observers / note takers / advisors during the main team exercise.
- Finally, get buy-in to the objectives from the exercise sponsor. Their support should mean that the session is taken more seriously and it sets an expectation that issues discovered will be addressed. It’s easy to be drawn into discussing scenarios before you’ve agreed objectives, so try to avoid this, especially if the sponsor will be part of the team exercising.
5. Pick the right type of exercise
In essence there are four levels of exercise increasing in complexity and difficulty. They’re summarised below to help you choose the right one:
A walkthrough of the plan involves the team sitting down together and asking themselves whether, based on their knowledge of the business, the plan has all it needs. Good for very process oriented system recovery plans.
In a desktop or table top scenario, the team sit down to see how the plan withstands a deeper examination under a specific set of circumstances. It involves the team working to manage a scenario that evolves during the exercise with ‘injects’ being used to place different demands on plans and the team. Probably the most popular type of exercise and great for new or intermediate teams.
A time-pressured desktop
As a desktop but with injects designed to arrive at pre-determined times. Each inject tends to put more pressure on the team and they can be more realistic because several different injects could arrive within a very short period. Good for more advanced or overconfident teams.
Live or real time
The exercise is tackled in real time with normal business suspended. The participants down tools and concentrate on a time pressured scenario with live injects. The aim is to see whether people can do what’s expected of them and within the timescale. Participants are expected not just to explain what they would do but to actually do it. A live exercise is complicated to organize, expensive and can be unpredictable. Useful when you’re dealing with lots of people, public areas and when the focus is on emergency response. Not for beginners.
6. Write a great exercise
Take what you know about the team, the plans and the objectives to develop a scenario.
- The scenario should be plausible and something that will resonate with the team.
- For most teams, and especially on desktop exercises, keep it simple. You don’t need a complicated or extreme scenario to check the usual weak spots in teams and plans, e.g. incident triggers; raising the incident management team; communicating with all employees; coordinating with third parties; media and social media; business continuity plans being out of date, incomplete or unrealistic.
- Keep an eye on the news for ideas. Every day there are major events happening that might support your exercise objectives and fit your business. It’s particularly powerful if you can work up scenarios that have either affected competitors or happened nearby.
- With a scenario chosen you need to bring it to life with a series of injects. The injects supply the team with more information, problems and even questions as the exercise unfolds. Depending on the type of exercise you might only need three major injects to keep a team busy for a couple of hours, or you may want to simulate a more realistic steady stream of live feeds.
- The principles are the same regardless of the exercise type. Work out the story, break it into chapters or events (the injects) and then decide the best way to feed these into the exercise.
- Injects can be supplied in many different ways, so be creative. Even using some PowerPoint, screenshots and some cutting and pasting you can feed information through from a mocked-up CNN News page or a mocked-up Twitter account. On a more elaborate exercise, you could pre-record interviews with executives and neighbours. You might also use reporters live on the scene, or organize live phone calls to provide more information or ask the team for help. An occasional (mock) press person phoning into the room and asking for a comment on the situation can also add some colour.
Here’s a simple example to demonstrate:
For ACME’s new incident management team to become familiar with the incident management and business continuity plans. For the team to train and practice working through a site wide incident. To identify any weakness in plans or ACME’s incident management capability and schedule appropriate training, planning and further exercises.
According to the Environment Agency, access roads to the ACME site are prone to 1 in 100 year flooding. It’s been raining solidly for the last two weeks, the ground is saturated and rivers are bursting. ACME business operations are currently normal and an important overseas customer is due to visit later this week to see the operation and discuss placing new orders.
Then the injects might be something like this:
1. Day one. Local weather forecasters are predicting more heavy rain for the week ahead and potential city centre flooding if this continues.
Facilitator may prompt: Is this an incident? / Who decides? / What, if any, action will you take?
2. Day two. BBC News update. Rivers in the city centre are expected to flood sometime tomorrow night. The local council advise that tonight they will close several roads around the city (including to the ACME site) due to rivers bursting. They recommend that the public avoid all non-essential travel into the city. They have also recommended that some local schools close due to potential health and safety problems accessing the area to collect children.
Facilitator may prompt: What are your priorities? What’s the message to staff and customers, how will you get it out? What about parents with children in schools that are closed? Is it safe to keep operating?
3. Day three. Last night roads were closed and your site isolated, a local electricity substation also flooded and you’re running the ACME building on emergency power; that is just lights for security. A contract cleaner at the site is off work and has been tweeting “[ACME site] are flooded and nothing’s getting done this month #wetthrough #ACME”
Facilitator may prompt: Where are your team now working from? / What are the priorities? / Media Message / Twitter response? / Recovery plans / what about that customer who is due to visit?
4. Day four. It’s stopped raining. Water is going down and the power has been restored on site, schools and roads should be open today.
Facilitator may prompt: The priorities? / Can you get staff back to work today? / What if it rains some more?
Wash up. This is a relatively simple short term loss of access problem with no real damage to people, data or the building. What went well? What should we do more of? What should we do differently?
7. Do the admin
- Plan well ahead to fix a date.
- Have the exercise sponsor send out the invitation and have the right people attend.
- Keep the scenario and injects secret from anyone involved in the exercise.
- Set the expectation for participants (e.g. In advance of this exercise you should be familiar with the business continuity plans for your area and be prepared to play your role in the incident management team…)
- Set the expectations of people outside the exercise. (i.e. Will you need people outside of the incident management team to contribute?).
- Coach any new players in an otherwise experienced team ahead of the exercise so they know what to expect and how to engage.
- Housekeeping. Fix food / drinks / room / Webex / conference calls etc.
- Consider bringing business continuity plans with you to the exercise. Just in case.
8. Run a great exercise
- Complete any training.
- Run through the introductions and the roles of participants. Be clear about who are players, observers and facilitators.
- Set the ground rules for the exercise (for example):
  - Don’t create a real incident.
  - Any communication outside of the room must start with “Exercise, Exercise, Exercise” and can only be with people on the approved list – i.e. they’re expecting it and know there’s a game being played.
  - If a real incident occurs the facilitator will stop the exercise.
  - If additional information or material is required, then [name] will provide it, or make it up!
  - Any assumptions.
  - How potential areas for improvement will be recorded.
- Share the exercise objectives, the initial scenario and then work through the injects.
- Ideally the team playing through the problem will talk through what they’d do at each stage, with some thinking around who would do what, how long it might take and the practical issues.
End the exercise with a good amount of time to do the wash up – i.e. initial feedback and thoughts from the participants. I like to ask everyone involved for thoughts on:
- What went well?
- What should we do more of?
- What should we do differently?
In large, more complex exercises the full review could take several days and require follow up interviews / investigations.
As a facilitator if you’ve noticed someone struggling, then it might be appropriate to speak with them outside of the session. Not everyone is cut out for managing an incident and while training and practice helps, sometimes it makes sense to change the people.
9. Set up the next exercise
Toward the end of the exercise, I like to ask the teams for their ideas for the next exercise. What do they think needs to be covered next time, who should attend and when should it be scheduled? With a captive audience, it’s great timing and you’ll often get some good ideas for future objectives or scenarios.
10. Take action
There’s a danger with business continuity or disaster recovery exercises that everyone has a great time and a box is ticked but nothing actually changes afterwards.
So, promptly after the meeting it’s important to document the actions agreed along with owners and due dates. Have these agreed by the exercise sponsor, issued and completed.
James Stevenson MBCI has worked in corporate risk management, insurance and business continuity roles for the last 20 years. He is currently heading Business Continuity Management for Rolls-Royce Plc and has a personal blog with hints, tips and practical advice for business continuity managers at www.smartbusinesscontinuity.com