A framework for writing business continuity exercise objectives
- Published: Friday, 09 December 2022 09:14
Charlie Maclean-Bristol, FBCI, FEPS discusses what to consider when preparing objectives for your business continuity exercises. He presents a framework that he has developed, consisting of four specific areas.
I have been doing lots of thinking about business continuity exercises and improving the skills and capabilities of those managing incident management teams. After carrying out a couple of exercises recently, I have been thinking about how to write exercise objectives so that the exercise provides the outputs and experiences that the person commissioning it is looking for.
If we can get the objectives right, everything flows from this. Exercises are learning experiences and should be approached as this, so we very much need to focus on what are the outcomes of the exercise are and what we are trying to achieve.
I have concluded that all business continuity exercises should have objectives developed around the following framework:
- Almost all exercises should have a scenario, apart from the simplest plan walk-through.
- Sometimes, a very simple scenario can be used, for example loss of building, if the concentration is on the process of incident management and for those taking part to understand the plan, not on the response to the scenario.
- Identify the risks or issues to your organization associated with a future event. This could be a demonstration or protest, a strike, or an event which could affect your supply chain. You don’t have a response plan in place, so you use the exercise to help develop the plan and explore some of the issues associated with the future event.
- The focus of the exercise can be understanding the particular response requirements of a particular scenario. I ran an active shooter exercise recently for a client as they saw this as the highest threat to their USA operations. We planned and evaluated the exercise on the team's availability to deal with all of the issues associated with an active shooter.
Plans and Procedures
- Objectives can be written around validating the plans and ensuring they are fit for purpose. This might be especially important if the plan is new.
- The exercise could include getting the team to carry out elements of the plan, such as filling out forms and situation reports.
- The exercise could check that procedures or strategies can be implemented within their required RTOs.
- A technical exercise, such as a server recovery, switching to an alternative data centre / center, or cyber exercise, can have plan and procedure objectives.
- Coordinating plans, responses, and understanding the response of external organizations.
Incident Management Skills
- Managing an incident can be an art, with judgement playing a part in crafting the response, but there are also good practices in incident management which can help in a successful response. Objectives can be written around the team, demonstrating incident skills such as logging, information management, or using an agenda to ensure that all aspects of the response are considered.
- If the team has been taught elements of incident management, an objective of the exercise can be developed to see if they effectively use the skills taught. This can improve members of the team’s performance to deal with an incident and can develop 'muscle memory' of how to deal with an incident.
- Members of the team may have specialist roles and tasks outside of their usual day-to-day tasks. For example, a HR person may be responsible for all people aspects, staff welfare, and responsibility for dealing with families of casualties. Their day job within HR may be recruitment.
- An objective could also be around raising awareness of issues which others have faced managing incidents, and what we can learn about incident management from their experience.
- Do the team have the right skills, knowledge, competencies, and authorities? Do people know their own roles and responsibilities?
Team and Teamwork
- One of the objectives I often use during exercises is to improve the team’s confidence. This can be measured by carrying out a confidence survey before the exercise and then another at the end of the exercise.
- A formal Incident Team Performance Assessment can be carried out which looks at the performance of the team.
- The leadership of the team can also be part of an objective but, on the whole, I have shied away from making this an explicit objective.
- Is the team the right size? Does it work effectively? Are the correct people on the team? These can be useful objectives, especially if the organization has a large number of people in their incident management team.
I have always written objectives during exercises and had possible ones as a list before, but I think this is the first time I have built a framework rather than a random list. I now need to think through how to make them smart and how to evaluate their success.
Charlie Maclean-Bristol FBCI, FEPS, is Training Director, BC Training Ltd, and and CEO at PlanB Consulting.