Ten steps to a great business continuity exercise

Published: Friday, 06 March 2015 10:16

By James Stevenson

The first few exercises I ran were pretty nerve-wracking. Would the plans work? Would the team play nicely or start throwing stuff? Would they realise I was new to this?

Since then I’ve been fortunate to work with many different groups around the world facilitating exercises, coaching and training new business continuity managers to design and run their own successful exercises.
It’s not rocket science but there is a skill to setting up and running a great exercise.

To help with this, the ten steps below are packed full of tips and suggestions to develop this skill, run great exercises and maximise your business continuity programme:

1. People first

Well ahead of the exercise it’s important to understand the people involved;

Part of this investigation is to determine how difficult the exercise needs to be. In my experience, a new local team learning their way around the plans will gain more knowledge, confidence and enthusiasm from properly managing a smaller incident rather than failing miserably to manage a fast-paced, massive incident; you could work up to that over time.

2. Understand the business

Understand the business and the state of its business continuity and disaster recovery plans.

If you’re planning an exercise for a business that you’re unfamiliar with then you’re going to need help from someone in the business. Find someone in the business who isn’t part of the team being exercised and who will help you to understand that area. Then together you can develop the exercise objectives and a realistic scenario that will grab the team’s attention.

Ask about:

3. Balance training and practice

There’s no point launching straight into an exercise if the team don’t know how to work together and manage an incident. So, well in advance, the facilitator needs to gently assess the capability of the team and decide on the required balance of training and practice.

New teams with new plans will usually benefit from an introduction to incident management followed by a simple desktop exercise. After that they’ll better understand their abilities and where future training or practice should focus.

Executive teams might not have the patience for training but appreciate a short process update or briefing, just in case they’ve not read the plans for a while.

4. Set exercise objectives

You need to develop simple, clear objectives for the exercise.

5. Pick the right type of exercise

In essence there are four levels of exercise increasing in complexity and difficulty. They’re summarised below to help you choose the right one:

A walkthrough
A walkthrough of the plan involves the team sitting down together and asking themselves whether, based on their knowledge of the business, the plan has all it needs. Good for very process oriented system recovery plans.

A desktop
In a desktop or table top scenario, the team sit down to see how the plan withstands a deeper examination under a specific set of circumstances. It involves the team working to manage a scenario that evolves during the exercise with ‘injects’ being used to place different demands on plans and the team. Probably the most popular type of exercise and great for new or intermediate teams.

A time-pressured desktop
As a desktop but with injects designed to arrive at pre-determined times. Each inject tends to put more pressure on the team and they can be more realistic because several different injects could arrive within a very short period. Good for more advanced or overconfident teams.

Live or real time
The exercise is tackled in real time with normal business suspended. The participants down tools and concentrate on a time pressured scenario with live injects. The aim is to see whether people can do what’s expected of them and within the timescale. Participants are expected not just to explain what they would do but to actually do it. A live exercise is complicated to organize, expensive and can be unpredictable. Useful when you’re dealing with lots of people, public areas and when the focus is on emergency response. Not for beginners.

6. Write a great exercise

Take what you know about the team, the plans and the objectives to develop a scenario.

Here’s a simple example to demonstrate:

Exercise objectives
For ACME’s new incident management team to become familiar with the incident management and business continuity plans. For the team to train and practice working through a site wide incident. To identify any weakness in plans or ACME’s incident management capability and schedule appropriate training, planning and further exercises.

Introduction
According to the Environment Agency, access roads to the ACME site are prone to 1 in 100 year flooding. It’s been raining solidly for the last two weeks, the ground is saturated and rivers are bursting. ACME business operations are currently normal and an important overseas customer is due to visit later this week to see the operation and discuss placing new orders.

Then the injects might be something like this:

1. Day one. Local weather forecasters are predicting more heavy rain for the week ahead and potential city centre flooding if this continues.
Facilitator may prompt: Is this an incident? / Who decides? / What, if any, action will you take?

2. Day two. BBC News update. Rivers in the city centre are expected to flood sometime tomorrow night. The local council advise that tonight they will close several roads around the city (including to the ACME site) due to rivers bursting. They recommend that the public avoid all non-essential travel into the city. They have also recommended that some local schools close due to potential health and safety problems accessing the area to collect children.

Facilitator may prompt: What are your priorities? What’s the message to staff and customers, how will you get it out? What about parents with children in schools that are closed? Is it safe to keep operating?

3. Day three. Last night roads were closed and your site isolated, a local electricity substation also flooded and you’re running the ACME building on emergency power; that is just lights for security. A contract cleaner at the site is off work and has been tweeting “[ACME site] are flooded and nothing’s getting done this month #wetthrough #ACME”
Facilitator may prompt: Where are your team now working from? / What are the priorities? / Media Message / Twitter response? / Recovery plans / what about that customer who is due to visit?

4. Day four. It’s stopped raining. Water is going down and the power has been restored on site, schools and roads should be open today.
Facilitator may prompt: The priorities? / Can you get staff back to work today? / What if it rains some more?

Wash up. This is a relatively simple short term loss of access problem with no real damage to people, data or the building. What went well? What should we do more of? What should we do differently?

7. Do the admin

8. Run a great exercise

- Don’t create a real incident.
- Any communication outside of the room must start with “Exercise, Exercise, Exercise” and can only be with people on the approved list – i.e. they’re expecting it and know there’s a game being played.
- If a real incident occurs the facilitator will stop the exercise.
- If additional information or material is required, then [name] will provide it, or make it up!
- Any assumptions.
- How potential areas for improvement will be recorded.

End the exercise with a good amount of time to do the wash up – i.e. initial feedback and thoughts from the participants. I like to ask everyone involved for thoughts on:

In large, more complex exercises the full review could take several days and require follow up interviews / investigations.

As a facilitator, if you’ve noticed someone struggling, then it might be appropriate to speak with them outside of the session. Not everyone is cut out for managing an incident and while training and practice helps, sometimes it makes sense to change the people.

9. Set up the next exercise

Toward the end of the exercise, I like to ask the teams for their ideas for the next exercise. What do they think needs to be covered next time, who should attend and when should it be scheduled? With a captive audience, it’s great timing and you’ll often get some good ideas for future objectives or scenarios.

10. Take action

There’s a danger with business continuity or disaster recovery exercises that everyone has a great time and a box is ticked but nothing actually changes afterwards.

So, promptly after the meeting it’s important to document the actions agreed along with owners and due dates. Have these agreed by the exercise sponsor, issued and completed.

The author

James Stevenson MBCI has worked in corporate risk management, insurance and business continuity roles for the last 20 years. He is currently heading Business Continuity Management for Rolls-Royce Plc and has a personal blog with hints, tips and practical advice for business continuity managers at www.smartbusinesscontinuity.com