From theory to practice: the value of exercising, training and awareness in building resilience
- Published: Tuesday, 02 October 2018 08:18
Gianluca Riglietti extracts some statistics from Business Continuity Institute (BCI) research to show how the advantages of exercising, training and awareness can be quantified.
One of the main tasks of the business continuity professional is to make sure that staff are equipped to face a crisis. Activities such as training, raising awareness and exercising are essential to make sure the plan is carried out effectively in the case of a disruption.
Training and awareness initiatives should be employed to embed business continuity within an organization, to make sure personnel know the function of response plans and understand their importance. Training and awareness campaigns have to go through several stages to be conducted successfully. First of all, the business continuity manager needs to assess what the current situation is and who is the target, then the campaign is designed and finally it is reviewed to monitor its outcome (1).
Differently, exercises work towards validating the plans. They have a key role in showing whether an organization is ready to face an actual crisis, while providing information on what may not work. There are various types of exercises that can be set up, ranging from table top to simulations or unit-specific ones. Similarly to training and awareness, after the exercise is over there needs to be a monitoring phase where the outcome is reviewed (2).
It is important to keep in mind that exercises should bring a clear benefit to the organization. Hence, the business continuity manager must identify realistic scenarios and design the exercise so that it would be of practical help should a crisis happen. To tailor this type of activity to a specific organization, it is also necessary to conduct a sound risk and threat assessment to better identify the threat landscape. This process should look at the likelihood and impact of any risks and threats, to better understand what trends to focus on (3). It is somewhat worrying that roughly a third of organizations (30 percent) perform no trend analysis at all when scanning for potential dangers (4).
The value of exercising, training and awareness lies in an improved response to disruptions across various resilience functions. For instance, in the case of emergency communications management, organizations that have training and education programmes in place are able to activate their plans more quickly than those who don’t. Previous BCI research shows that 91 percent of the organizations that have adopted such programmes activate their emergency communications plans in less than one hour, which is a 12 percent increase compared to those who do not have training and education at all (5).
Similarly, those who do not check or validate their business continuity plans tend to have significantly less visibility of their supply chain. Indeed, 41 percent of those that do not perform supply chain exercises also admit not recording or reporting disruptions. On the contrary, this figure is much lower (21 percent) among those who do run exercises. In addition, validating your plans tends to affect top management buy in, as those who run exercises experience higher levels of top management commitment (6).
Preparedness pays off in the context of cyber resilience too, since having awareness-raising initiatives as well as exercising plans is associated with a more effective cyber response. For instance, 40 percent of those who promote awareness and conduct regular exercises initiate their response to a cyber attack in less than one hour, a much higher figure compared to those who do not validate their plans at all (23 percent) (7).
As these figures show, training, awareness and exercises show a positive correlation with improved responses across different cases and different functions of organizations. No plan can be good enough if all those involved do not feel comfortable or are not familiar with it. A good response plan begins before a crisis occurs, by preparing for it and reducing the margin for error to a minimum.
Gianluca Riglietti is a senior analyst with the BCI.
- BCI GPG
- BCI Horizon scan report 2018
- BCI Emergency communications report 2017
- BCI Supply chain report 2017
- BCI Cyber resilience report 2018.