The BCI guide to Exercising your business continuity plan


Introduction

Business continuity (BC) is all about building resilience into our organizations. It is about making sure that our businesses deliver their products and services amidst a changing environment. Sudden shocks or incremental changes may affect our ability to function and it is essential to maintain continuity of operations in order to stay resilient.

As such, BC planning is an important step towards building resilience as it prepares us for when disruption strikes. Nonetheless, this is just half the job done as we have to ensure that our plans stand up during crunch time. This is where testing and exercising our plans come into play; it enables us to check, even double check, the robustness of these plans. It enables us to identify gaps in our planning, verify our readiness and improve on our response to incidents.

This work is a response to popular clamour from practitioners globally who are seeking resources on testing and exercising BC plans. We have taken insights from several authoritative sources on BC and related subjects such as the (1) BCI Good Practice Guidelines (GPG), (2) ISO standard on business continuity, (3) BS guidance on crisis management, (4) BS guidance on organizational resilience, and (5) Business Continuity for Dummies book, among others, in order to come up with this handy guide. We also aim to provide examples which should clarify concepts from this guide and facilitate its application.

This guide will begin by articulating the need for testing and exercising, and the importance of getting staff involved in the process. It will identify the broad types of exercises. Succeeding sections will detail the merits, disadvantages and resources associated with these types of exercises. Finally, the guide will offer advice on planning and assessing an exercise, making sure that you get the most out of the process.

This guide aims to provide practical guidance on testing and exercising, how to integrate these activities within an agile BC Programme, and build resilience into organizations. We hope that you find this guide useful and we look forward to hearing your feedback.

Contents

Chapter 1: Why test/exercise your BC programme?
Chapter 2: Staff involvement
Chapter 3: Types of BC exercises
Chapter 4: Discussion based exercise
Chapter 5: Table top exercise
Chapter 6: Command post exercise
Chapter 7: Live exercise
Chapter 8: Test
Chapter 9: How do you plan an exercise?
Chapter 10: How do you assess an exercise?

Chapter 1: Why test/exercise a BC programme?

We all acknowledge that planning is indispensable in making our businesses more resilient against disruption. Nonetheless, planning is just half of the story. Validation completes the process. Put simply, it is essential that we actually check if our plans work! It is much better to find out that they do not during an exercise rather than during a crisis. Validation is an important part of overall BC capability, as highlighted in the BCI Good Practice Guidelines:

"Validation confirms that the BCM programme meets the objectives set in the BC Policy and that the organization's BCP is fit for purpose. The purpose of validation is to ensure that the BC capability reflects the nature, scale and complexity of the organization it supports and that it is current, accurate and complete." (BCI GPG 2013, p. 94)

[Figure 1: Validation in the BCM Lifecycle]

Validation gives us an idea how our plans would stand up given a disruption. While it is accepted that no plan survives in its entirety during disruption, it allows us to check how robust our plan is, identify gaps and improve on it. It is also essential to the entire BCM Lifecycle as it provides feedback that informs later iterations of the cycle (Figure 1). Used smartly, validation may help embed agility into an organization's response capability by testing/exercising against emerging risks.

Validation takes the form of testing and exercising. The Business Continuity for Dummies guide gives a good distinction between the two:

"An exercise has the objective of exploring how your BC arrangements will stand up to the pressure of real events. A test is a specific type of exercise that you either pass or fail, or are otherwise graded on." (BC for Dummies 2012, p. 171)

In short, validation involves an exercise of some form, but grading an exercise turns it into a test.

Example: A small organization exercises its BC plan

A small organization employing around 20 members of staff identified in their Business Impact Analysis (BIA) that an unplanned IT or telecommunications outage would have a negative, disproportionate impact on their operations. A substantial part of the organization's income is derived from customers accessing their online shop and contacting them to book their services. Hence, an extended outage would compromise order-taking and delivery of their products and services to the detriment of company revenue and reputation.

Realising this, the organization's top management decided to conduct an exercise which tested their capability to deal with such an incident. Previously, the organization had revised their BC plan. It was also common practice to hand out updated leaflets to staff that summarise the execution of the plan.

The exercise began with a senior staff member declaring a major IT incident in the morning before other staff headed out to work. Working from home arrangements were immediately activated and an incident management team convened. Staff members were asked to communicate their difficulties to the said team.

A formal debrief conducted a few days after revealed that while some departments could withstand a severe IT outage, others were experiencing considerable difficulty. This allowed senior management to revise its BC plan and focus their attention on supporting other functions that were substantially impacted by the incident. This also resulted in better flexible working arrangements and a more efficient working environment during normal operations.

This real-life example clearly brings into focus the importance of validation in the form of testing and exercising. It also shows that testing and exercising may not necessarily be onerous for small businesses. Testing and exercising may be a good opportunity to check flexible working arrangements for some organizations, and allow them to verify if they can continue delivering products and services amidst disruption.

Chapter 2: Staff involvement

People make plans work. This big idea should guide BC practitioners in testing or exercising their plans. No matter how good the content of a plan is, the lack of awareness or buy-in from other members of staff will weaken it. Hence, it is important to garner overall support for testing and exercising.

Borrowing from BS 65000, staff should be motivated and empowered to take ownership of the organization's plan. Resilience is everybody's responsibility, from the boardroom to the storeroom. Various standards such as ISO and BS reinforce this message by mentioning the importance of staff involvement in making plans work, applied to a BC or crisis management setting. This strikes at the heart of embedding BC within organizations, a key component of the BCM Lifecycle.

Before attempting to conduct a test or exercise, it is essential that BC practitioners ask the following questions:

- What is the prevailing attitude to BC within the organization?
- Would there be any resistance to testing and exercising BC plans?
- What is the state of BC related activities in relation to my suppliers, customers and other stakeholders?
- How embedded is BC within my organization?
- Do we use BC related concepts in planning and decision making?
- How are management and staff likely to react during an incident?

Answering these questions could provide information which should guide BC practitioners in garnering buy-in for testing and exercising. Top management direction is key for getting this buy-in and it is essential for BC practitioners to articulate the strategic importance of testing and exercising to senior decision makers. Support from the rank and file is also crucial and may be achieved by communicating how BC enables business and ensures continuity of operations during stressful times.

The BCI GPG states that a BC exercise may change the attitudes of individuals such that the group's beliefs are changed. It also argues that looking at the consequences of action (or inaction) and making it relevant to an individual's goals may influence buy-in. It is important therefore that BC practitioners are keenly aware of the pulse in their organizations and engage people accordingly in order to secure their support.

Example: Getting BC exercise buy-in from other departments

A BC manager for a large organization faced considerable difficulty in getting buy-in from his supply chain management counterparts in testing and exercising plans with suppliers. Given that their supply chain department was cost-driven and not necessarily attuned to risks, it was challenging for the BC manager to get them on board. He considered taking a fresh approach by giving BC and crisis management training to their organization's third party suppliers first. He used insights from these events to inform his supply chain counterparts about risks and their implications for cost control. Supply chain practitioners in his organization now realise that plans are not guarantees, and their collaboration in BC exercising is needed so they can perform their roles more effectively.

Chapter 3: Types of BC exercises

Testing and exercising are some of the most effective tools that BC practitioners possess in building resilience within their organizations. A tested BC strategy provides confidence in the capabilities of the organization to deal with disruption. It also uncovers lessons that can be fed back into the BC planning and implementation processes.

Exercises vary in levels and resources required. It is important for those who are responsible for BC to know which type of BC exercise is appropriate before planning them. The BCI's Good Practice Guidelines describe five main types of exercise and these are summarised below:

Discussion based exercise
These exercises are considered to be the most cost effective and the least time consuming of exercise types. They are commonly structured events where participants can explore relevant issues and walk through plans in an unpressurised environment. This type of exercise can focus on a specific area for improvement that has been identified, with the aim being to find a possible solution.

Command post exercise
These typically involve management teams at a strategic, tactical or operational level. Participants can be located across the whole organization (and could potentially involve willing interested parties), all working from their usual day to day locations. In these exercises, participants are given information in a way that simulates a real incident. Participants can be invited to respond as they would for real; they are expected to deal with the situations that they encounter, linking in to others as necessary. These exercises have the added advantage of testing information flow, communication and equipment, in addition to procedures, decision making and coordination.

Table top exercise
These are commonly used where the discussion is based on a relevant scenario with a time line which may run in real time or may include time jumps to allow different phases of the scenario to be exercised. Participants are expected to be familiar with the plans being exercised and are required to demonstrate how these plans work as the scenario unfolds. Table top exercises can be a realistic, cost effective and efficient method. This type of exercise can be greatly enhanced by the use of media which can make a scenario more realistic.

Live exercise
These exercises can range from a small scale rehearsal of one component of the response, for example evacuation, through to a full scale rehearsal of the whole organization and potentially participating interested parties. Live exercises are designed to include everyone likely to be involved in that part of the response. This type of exercise is particularly useful where there is a legal or regulatory requirement or where a high risk to an organization has been identified and the response and recovery plans need to be fully tested. They are considered to be the most appropriate and realistic way to train people and test plans. However, there are a number of challenges that by their nature might not always make a live exercise the most effective exercise format; for example, the resources required can be significant and there may be financial implications.

Test
A test is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned. It is usually applied to equipment, recovery procedures or technology, not to individuals.

Chapter 4: Discussion based exercise

A discussion based exercise is literally what it says, a discussion with either members of the incident management team or the part of the organization being exercised. The emphasis of this type of exercise is on the plan and its contents rather than responding to a detailed scenario. A scenario may be used to frame the exercise, as the plan may contain a response to a number of different scenarios such as loss of building or loss of IT.

A good way of conducting these types of exercises is to look at a series of timeframes and discuss what actions the plan says should be conducted during each. This is also a good opportunity to talk through the roles of each person and what would be expected of them during each time frame. This style of exercise could also be used for developing the plan for a new scenario. You can develop and talk through the actions which need to be carried out at each timeframe, and this can be written into the plan after the exercise.

There is no specific frequency for this type of exercise; they should be conducted when they are needed. This could be when a new plan has been written and you are introducing it to those people who would use the plan as part of their role, or as new members join the team in order to familiarise them with the plan. This format is a much better way of introducing people to the plan rather than telling them simply to read it.

KEY TERM INCIDENT MANAGEMENT TEAM: A group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision-makers trained in incident management and prepared to respond to any situation.

If the exercise is conducted on a one-to-one basis then the exercise does not need to be longer than an hour, although a larger team could require longer. To plan and execute the exercise there is very little preparation. All that is involved is making sure that the person conducting the exercise is familiar with the plan. Neither is there a need for any cost when conducting this type of exercise, except the time spent preparing and carrying it out. Unless you are using the exercise to develop a response to a specific scenario, there is no need for exercise instructions and a post exercise report.

Type of exercise: Discussion based
Definition: Also known as a walkthrough, a discussion based exercise involves key staff (chosen through their knowledge of business operations) verifying if a BC plan is current, accurate and complete.
Level of difficulty to organize: Easy
Merits: Easy to set up. Does not require significant staffing and office resources. Good for verifying general aspects of a BC plan.
Disadvantages: Does not involve specific incidents. Limited staff participation. Not recommended for detailed verification of BC plans.

Chapter 5: Table top exercise

This type of exercise covers many different styles of exercise and often has different meanings to different people. In its basic form it can be conducted very simply, in a similar style to a discussion based exercise. In conducting table top exercises, there is a greater emphasis on responding to a particular scenario. The facilitator or person running the exercise will be looking at the team to use the plan to respond to that scenario.

The exercise could be conducted with those in the incident team or it could be the organization's managers who are taking part in the exercise. It could also be conducted over a series of timeframes, shifting from the initial actions, then moving to the next day, before moving on to medium or long-term issues. The style of the exercise could be a discussion within the team and an agreement of actions that would be carried out during an incident, or the team could carry out the actions as if they were actually responding to the incident.

KEY TERM INJECT: A piece of information added into the exercise while it is in play.

The scenario could be a single event without any further input, or it could be more dynamic with a series of injects delivered to the team being exercised.

A different style of table top exercise could be conducted with a number of different agencies or parts of the organization, all in the same room and arranged into syndicates working on the same scenario. There could be a simple scenario, or there could be updates as the scenario develops. It could also happen within a single timeframe or a series of time jumps. The emphasis in this type of exercise is exploring either multiagency working or interorganization working, looking at the interdependencies, roles and responsibilities, actions and communications between the teams. This type of exercise is usually conducted as a discussion and so the facilitator will pose a series of questions on areas to be explored by each syndicate over the course of the exercise. After a period of time each syndicate can feed back their answers to the facilitator.

All those named within an incident team should take part in an exercise at least once a year. For multiagency exercises there may be a mandatory or statutory requirement for running them. They may also be run when there is the identification of a new threat (e.g. Ebola) and a response needs to be planned, a duty is imposed on an organization, or as part of an ongoing exercise programme.

KEY TERM TIME JUMP: When an exercise is split into time phases and you move from one to another, perhaps even skipping phases. This can help save time and use what time you do have for the important factors.

The complexity of the exercise will determine the amount of work required. Simple scenarios may require very little work, except how the day should be conducted, such as the running order and what questions will be asked of whom and when. Larger or more complex exercises will require work on getting a suitable scenario, making sure that there is no easy solution and that it is realistic as it unfolds. In multiagency exercises, the majority of the work would be on developing the scenario and the conduct of the day. Of course a major task would be to get all the correct organizations to attend and to make sure that the correct level of people come along on the day, as well as briefing those people prior to the exercise.

Table top exercises should not last more than half a day (three to four hours) with a break in the middle. If a multiagency exercise is taking place, as it is difficult to get all the correct players together, you may be able to persuade those taking part of the value of conducting a full day exercise.

For anything but the simplest of exercises, it perhaps takes at least three months to organize a proper table top exercise. With all exercises, the main limiting factor is players' diaries and finding a date when they are available. As we know, the more senior the manager, the more difficult it is to find a suitable date.

Staff involvement depends on the style of the exercise. In all table tops you will need a facilitator. If the exercise is complex and involves the input of injects then there may be the need for a separate umpire to assess the team. For inputting the exercise injects, you may need one or two people to act as the outside world and input information and take calls from the team. In a multiagency exercise you may need to provide a facilitator per table. Depending on your confidence and level of seniority within the organization, you may want a senior manager or an external consultant to act as umpire and assess the team, especially if they are very senior, so that they can objectively feed back to the team on their strengths and weaknesses!

For all table top exercises, an exercise instruction should be written. This should include, as a minimum, the exercise objectives and how they will be met along with a script for the day stating who is going to say what and when. After the exercise, a post exercise report should be written.

Type of exercise: Table top
Definition: A table top (or desktop) exercise involves the same staff members as a discussion based exercise but the plan goes through a specific set of circumstances.
Level of difficulty to organize: Easy to average
Merits: Easy, albeit perhaps lengthy, to set up. Does not require significant staffing and office resources. Good for an initial verification of BC plans under specific incidents.
Disadvantages: Limited staff participation. Still theoretical and requires proof in practice. Requires more time and a detailed analysis of outcomes.

Chapter 6: Command post exercise

A command post exercise is one in which you have the incident management team based at one of the locations named within their plan, using the same facilities they would use in the event of a real incident. The idea of the exercise is to try and create a scenario as close to reality as possible in terms of pressure and inputs to the team. The exercise may be conducted with one team or could have two or more teams taking part in the exercise simultaneously. The teams playing could be located close together or they could be in different countries or even continents!

Throughout the exercise the team is fed elements of the scenario as it develops. This would be through injects. The scenario will develop or even alter depending on the decisions the incident team makes, and so the planning of the exercise must take this into account. Injects could be by telephone, email or role players, and there could also be a group of role players or perhaps technology to simulate the press, TV and radio and social media. The team may be given a series of telephone numbers and email addresses where they can contact the external (and internal) interested parties they would normally communicate with during a real incident. This two way traffic can drive the exercise and a large amount of information can be delivered to the team, which they would have to make sense of, separating the key information from the noise.

There are a number of media and social media simulators which are being used by organizations to simulate injects by the media and also social media. In one exercise, a simulator was used to input news items, radio clips and tweets to the incident team. The team was also able to simulate posts to their website and social media channels. This ensured that corporate communications played a full role in the exercise and it was possible to play the media monitoring and response in real time.

There is no specific frequency for when command post exercises should be run, but team members should experience one at least every three years. Their duration should be between half a day and a full day. If the exercise is too short then it does not let the team assimilate all the information, get over the initial confusion and get into the routine of managing the exercise. If the exercise is over several time zones then the exercise may need to go on longer than one day.

The staff involvement in planning this exercise is high and it is not unusual for the exercise to take a year to plan. The time consuming part is in the development of the scenario, the main events list and developing a whole series of injects. If the exercise lasts an entire day then approximately fifty to seventy different injects may be needed to ensure that there is enough entertainment for the team and that there are injects for all team members. There is probably a requirement to get a team together that will develop the scenario and this team will then act as the role players and staff the scenario cell on the day.

KEY TERM ROLE PLAYER: Individuals who take on a role within an exercise and help add to the realism.

KEY TERM SCENARIO CELL: The team that acts as role players or provides injects during an exercise to help add to the realism.

At one exercise of this type carried out, there were four people in the scenario cell emailing and answering calls, fourteen role players who were playing members of staff and the police, and a full time person working on media and social media items. All those taking part need a very good briefing on the exercise conduct, and carrying out rehearsals prior to the exercise commencing is often a good idea. As well as a debrief with the players after the exercise, a debrief with all those who facilitated the exercise is a good idea to make sure that lessons learned on the conduct of the exercise are incorporated into future exercises. This type of exercise should use a senior manager or consultant as an umpire to comment back on the performance of the team with some degree of authority and lack of bias.

KEY TERM DEBRIEF: Perhaps the most crucial part of the exercise, it is an opportunity for exercise facilitator, players or role players to provide feedback on the exercise.

The budget for this type of exercise need only include time if internal staff are used to develop the exercise and to form all the exercise role players and staff the scenario cell. If the exercise is planned by an external consultancy the cost can vary from four up to six figures, rising if using multiple sites, large numbers of role players and simulated media.

As well as an exercise instruction, a main events list or storyboard would need to be developed, including a number of individual injects. Most importantly a full debrief would need to be completed and the findings written into the post exercise report.

Type of exercise: Command post
Definition: A command post exercise requires a location outside the immediate exercising area where response, recovery and restoration activities are managed.
Level of difficulty to organize: Average to challenging
Merits: Allows more comprehensive verification of incident response. More immersive and allows greater staff participation. Good for testing communication between the command centre and responders on the ground.
Disadvantages: Requires more planning, preparation and detailed analysis of outcomes. May involve greater staffing and office resources. Requires greater expertise from staff members running the command post.

Chapter 7: Live exercise

Live exercises are conducted to practice or test a planned response. They could vary from testing the organization's first aiders' response to a simulated casualty, to a government run exercise where a train crash is mocked up with large numbers of actors playing casualties and the response by the emergency services on the ground is carried out as though it were a real incident. Command and control and interagency working may be practiced on the ground as well as at the Silver and Gold levels. Another live exercise could be an on-site private fire service responding to a fire or chemical leak or a local authority practicing the opening and operation of a rest centre.

The main characteristics of this type of exercise are that the teams taking part in the exercise are responding as they would do for real, using real resources, communications and command and control protocols. Realism is added by use of role players or tasks. The in house fire service may have to rescue a colleague (a life size and weight dummy) wearing full breathing apparatus from a train crash where there may be a large number of role players who have been made up to look like and behave like casualties. There are organizations that will provide casualties for your exercise and will even make use of amputees to simulate a casualty who has lost a limb!

The exercise could be conducted with no notice, but more often than not, especially if they are large or complex, the date would be known to all players. Often the frequency of exercises, especially the larger exercises, is governed by law or is a statutory requirement.

As with command post exercises, there can be a great deal of planning to ensure realism and to organize the exercise. The planning of a large government exercise may take up to two years. To make the exercises realistic could require a large amount of resource, especially if they want a large number of people to take part as role players. Where real equipment is used, which is normally available to respond to real emergencies, then either a second set has to be found to provide cover during the exercise, or the exercise may need to be abandoned to respond to a real emergency. Unless required by law to take part in your exercise, the emergency services and other government agencies will charge you if you want them to play a role in your exercise.

Type of exercise: Live
Definition: A live exercise requires staff to concentrate on time-pressured scenarios tackled in real time with normal operations suspended.
Level of difficulty to organize: Challenging
Merits: More immersive and allows greater staff participation. Recommended for verifying how BC plans are implemented on the ground. Insights from wider staff can lead to richer lessons learned.
Disadvantages: Requires more planning, preparation and detailed analysis of outcomes. May involve greater staffing and office resources. Requires greater expertise from staff members running the command post.

Chapter 8: Test

Tests are usually associated with information technology (IT) or the test of a piece of equipment. This can vary from a disaster recovery test to see if a system can be recovered to a prewritten script or whether a piece of equipment can be invoked, deployed and made operational to an agreed recovery time objective or service level. For a test exercise, what you want to know is whether the requirements have been met or not. You can either recover a system within a certain time or you can't; there is no such thing as half a recovery.

Tests can also be used to see if a certain scenario would work and so the exercise is set up around testing the concept. At one test carried out to see if a courier company could cope with the loss of its main hub, the strategy was to set up three depots to carry out the role of the hub. One of the key factors to ensure that the scenario would work was whether there was physical room within the depot for all the additional vehicles to be loaded. The exercise was set up to test on an hour by hour basis whether the proposed schedule would work. On each table was a plan of the site. During the exercise the Linehaul Manager, the person who planned and coordinated vehicle movement, called out the vehicle movement in and out of the sites and paper vehicles were put on the site plans to see if they could all fit in the depot. By the end of the exercise it had been proved that the plan for the loss of the hub would work and there would not be gridlock in the yards.

Another type of test could be a simple one: sending a staff member to go to their recovery site, if it is at another location, and testing whether they can log onto a computer and how long it would take.

In terms of planning and resources, the aims and the complexity of the exercise will determine the staff time and budget required to carry out the exercises. If your exercise requires the involvement of third parties and the test is outside their existing contract, you may be charged by them to take part in the exercise. The frequency of the tests is very dependent on what is being tested and there may be statutory, regulatory or internal requirements for a number of tests to be conducted.

Type of exercise: Test
Definition: A test is similar to a command post/live exercise but with participants benchmarked against specific guidelines or metrics.
Level of difficulty to organize: Challenging
Merits: More immersive and allows greater staff participation. Recommended for benchmarking response against key performance indicators. Results are more quantifiable.
Disadvantages: Requires great deal of planning, preparation and detailed analysis of outcomes. Requires clarification of key performance indicators and its assessment. Not recommended for general verification of BC plans.

The planning of a test is very important: it should be thought through what constitutes success, making sure that the success criteria are SMART. As well as this, a risk assessment should be carried out to make sure that a test, if it fails, does not impact on day-to-day operations and cause a real incident.

SMART:
S: Smart
M: Measurable
A: Achievable
R: Realistic
T: Timely

Chapter 9: How do you plan an exercise?

Planning the validation strategy for a BC plan should involve the organization's BC leader from start to finish. Of course, other staff should be involved, but this depends on the context of the organization. A small business, for example, may opt to involve the business owner, while a large company might have a dedicated specialist BC team to handle planning.

The Business Continuity for Dummies guide recommends nominating an exercise planner as appropriate. This planner may be the BC leader or a senior staff member who has excellent knowledge of the organization's critical business operations, strategy and priorities, as well as the interdependencies of the management processes supporting the organization's products and services. This sounds like a mouthful, but in short, it means nominating somebody who knows the business inside out. It may also be appropriate to seek assistance from a technical specialist (e.g. the IT administrator, etc.) in order to bring the best out of the exercise.

The guide recommends this step-by-step process in planning an exercise. The following worksheet summarises this process and asks key questions that an exercise planner must answer (Table 1).

Step: Identifying exercise objectives
Key questions:
- What are the quality objectives of this exercise?
- What are the measurable objectives of this exercise?

Step: Assessing the cost
Key questions:
- How much time would it take to plan the exercise?
- How much time would the exercise take staff away from normal work?
- What are other expenses (e.g. room hire, catering, equipment, etc.) that the exercise might incur?

Step: Choosing a format
Key questions:
- What is the most appropriate exercise to conduct given your objectives?
- Is extra top management agreement required for certain aspects of the exercise?

Step: Selecting participants
Key questions:
- Who will assume these roles as the exercise is conducted?
  - Executive director
  - BC leader
  - Business process leaders
  - Facilitators (for live exercises)
  - Experts (for specific technical advice)
  - Record keeper or note-taker

Step: Informing staff
Key questions:
- Is it necessary to tell staff in advance about the exercise? Why? (Some exercises may require the element of surprise but this is the call of the planner.)

Step: Developing an effective exercise scenario
Key questions:
- Which source materials need to be referenced in planning a scenario?
- What will be the trigger for the exercise?
- What are the details that will make the exercise realistic? Focus on how the organization works and what would likely happen given an incident.
- What are the event possibilities that might occur? Keep in mind that they should be more than you think you need.

The Business Continuity for Dummies guide also suggests some characteristics of a good exercise, which are the following:

- Contains content that is appropriate to objectives;
- Offers a challenge and is solvable;
- Challenges but does not overwhelm;
- Involves all key players;
- Works with key players or deputies who should fit easily into their roles;
- Doesn't require the emergency services to answer questions, unless they are taking part;
- Unfolds to timescale within the time available;
- Carries minimal risk of causing real disruption, unless it is necessary;
- Creates lessons to learn.

It is important to note that planning for an exercise does not necessarily mean planning for doomsday. Obviously, there are events so catastrophic that they will shut down any business. It is important to take a common sense approach to planning an exercise in order to make the most out of it.

Chapter 10: How do you assess an exercise?

An exercise should be seen as an opportunity to learn lessons that would build on an organization's resilience. As such, it is important to know which areas to assess during an exercise and use insights from it to improve. To make the most out of an exercise, it is important to communicate to staff that this will take place in a non-judgmental environment. Exercises are not meant to criticise staff but to identify areas for improvement.

There are several areas that may be tested during an exercise. The Business Continuity for Dummies guide suggests these areas (Figure 2).

Testing people
- Access to HR data
- Staff awareness of roles in a disruption
- Access of up-to-date staff job descriptions and objectives
- Potential points of failure
- Coping with the loss of staff expertise
- Key contributions to the business from other organizations

Testing the workplace
- Loss of critical features the workplace provides
- Ability to find same requirements elsewhere and quickly
- Whether key requirements have been identified, agreed and recorded
- Implications of relocating and its effects on staff

Testing ICT
- Ability to effect safe and swift shutdown of systems without data loss
- Callout contract with IT provider that covers breakdown, network problems and other failures
- Renegotiating service contract if it doesn't include BC options
- Security of systems, PCs and laptops
- Security of stored data
- Cascade call procedure particularly if land lines are down

Testing communications
- Suppliers, customers and media contacts
- Capability to ensure single point of message control
- Communicating with staff on- and off-site

Testing finance
- Ability to pay bills and receive payments
- Reliance on IT
- Ability to maintain records and manage financial data
- Availability of skills needed to operate finance systems
- Other staff operating systems if key people are away
- Whether staff can be paid if systems fail

Figure 2: Areas to be tested during an exercise

It is important for the BC leader or manager to be seen as involved during an exercise. This does not mean that one cannot delegate to other staff members, but it is crucial to be part of the exercise proper in order to get the most out of it.

The guide also mentions other pitfalls which should be avoided by preparing exercise players. Players must be aware that:

- they are not invited to judge the scenario;
- the exercise isn't designed to catch them out;
- they should not prejudge what the exercise involves;
- how they react to the given circumstance and maintain business is a key point;
- the exercise allows flexible redirection as progress demands.

Maximising the benefits from an exercise requires a good debriefing session where participants can reflect on what happened during the exercise and offer their insights on what worked and what could be improved. It is crucial for staff members to be involved and listened to during the debriefing session in order to embed BC within the organization and secure their buy-in.

It is ideal to hold a debrief immediately following an exercise and before people leave the location (a hot debrief). This allows participants to share their insights while their memories of the event are still fresh. It is recommended to let everybody speak at this stage. This may be followed by a cold debriefing from the desk, which allows participants to reflect and share more insightful comments. This could involve putting together a formal questionnaire asking people to provide feedback on certain aspects of the exercise.
Finally, it is important to demonstrate that lessons are learned during the exercise by reflecting them in the organization's BC plans and practices. Several ways of doing so are the following:

- drawing up a checklist of action items, setting deadlines and delegating tasks to relevant staff;
- reviewing operational procedures with the help of key people within the organization;
- updating BC plans, amending written procedures and guidelines;
- reinforcing good practice among staff and incentivising its uptake.

These, among others, should embed BC within an organization and foster a culture that empowers staff to make resilience their business.

About the Authors

Patrick Alcantara is Research Associate for the BCI. He currently manages the BCI's global research programme and provides thought leadership and commercial research output. His work on business continuity and resilience has been featured in several publications. Prior to the BCI, he worked in the education and lifelong learning sectors. He completed a Masters in Lifelong Learning with distinction from the Institute of Education (University College London) and Deusto University under an Erasmus Mundus grant. He can be contacted at [email protected].

Andrew Scott CBCI is Senior Communications Manager for the Business Continuity Institute (BCI). He has more than 10 years of experience in public relations and media affairs. In his current role, he makes the Institute visible to a wider audience through managing its media channels, developing campaigns and providing relevant content. He finished a BA (Hons) in Public Policy and Management (Robert Gordon University) and an MSc in Public Relations (University of Stirling). He can be contacted at [email protected].

Charlie Maclean-Bristol FBCI is a BC professional with over 17 years of experience. He is a Fellow of the BCI and a former member of the Board and Global Membership Council. He is also a Fellow of the Emergency Planning Society and Director of Plan B Consulting. He also has substantial expertise in crisis management and emergency planning, and has helped clients in a variety of industries including banking, oil and gas, supply chain and logistics, utilities, and the public sector, among others. He can be contacted at [email protected].

Business Continuity Institute Southview Park Marsack Street Caversham RG4 5AF United Kingdom +44 (0)


More information

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy Reference No: CG 01 Version: Version 1 Approval date 18 December 2013 Date ratified: 18 December 2013 Name of Author

More information

EMBEDDING BCM IN THE ORGANIZATION S CULTURE

EMBEDDING BCM IN THE ORGANIZATION S CULTURE EMBEDDING BCM IN THE ORGANIZATION S CULTURE Page 6 AUTHOR: Andy Mason, BSc, MBCS, CITP, MBCI, Head of Business Continuity, PricewaterhouseCoopers LLP ABSTRACT: The concept of embedding business continuity

More information

White Paper On Pilot Method Of ERP Implementation

White Paper On Pilot Method Of ERP Implementation White Paper On Pilot Method Of ERP Implementation Rod Clarke Rod Clarke provides guidance, advice and support to businesses in successfully applying IS/IT in support of their business goals. He brings

More information

Departmental Business Continuity Framework. Part 2 Working Guides

Departmental Business Continuity Framework. Part 2 Working Guides Department for Work and Pensions Departmental Business Continuity Framework Part 2 Working Guides Page 1 of 60 CONTENTS Guide to business impact analysis...3 Guide to business continuity planning...7 Guide

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Version 1 approved by SMG December 2013 Business Continuity Policy Version 1 1 of 9 Business Continuity Management Summary description: This document provides the rationale

More information

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA 1 Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand

More information

85-01-55 Overview of Business Continuity Planning Sally Meglathery Payoff

85-01-55 Overview of Business Continuity Planning Sally Meglathery Payoff 85-01-55 Overview of Business Continuity Planning Sally Meglathery Payoff Because a business continuity plan affects all functional units within the organization, each functional unit must participate

More information

I attach the following documents in response:

I attach the following documents in response: London Fire Brigade Headquarters 169 Union Street London SE1 0LL T 020 8555 1200 F 020 7960 3602 Minicom 020 7960 3629 www.london-fire.gov.uk Freedom of Information request reference number: FOIA608.1

More information

WEST YORKSHIRE FIRE & RESCUE SERVICE. Business Continuity Management Strategy

WEST YORKSHIRE FIRE & RESCUE SERVICE. Business Continuity Management Strategy WEST YORKSHIRE FIRE & RESCUE SERVICE Business Continuity Management Strategy Date Issued: 12 November 2012 Review Date: 12 November 2015 Version Control Version Number Date Author Comment 0.1 June 2011

More information

Staying In Business. A Business Continuity White Paper by. Paul O Brien and Gerard Joyce. LinkResQ Limited

Staying In Business. A Business Continuity White Paper by. Paul O Brien and Gerard Joyce. LinkResQ Limited Staying In Business A Business Continuity White Paper by Paul O Brien and Gerard Joyce LinkResQ Limited Contents: Introduction. 2 What is Business Continuity? 2 Loss Events = Opportunities for Disaster..

More information

London Borough of Bromley. Executive & Resources PDS Committee. Disaster Recovery Plans for London Borough of Bromley

London Borough of Bromley. Executive & Resources PDS Committee. Disaster Recovery Plans for London Borough of Bromley Report No. DRR12/041 London Borough of Bromley PART 1 - PUBLIC Decision Maker: Executive & Resources PDS Committee Date: 4 th April 2012 Decision Type: Non-Urgent Non-Executive Non-Key Title: Disaster

More information

University of Nottingham Emergency Procedures and Recovery Policy

University of Nottingham Emergency Procedures and Recovery Policy University of Nottingham Emergency Procedures and Recovery Policy Guidelines for High Hazard Schools and Departments 1. Introduction The University of Nottingham is committed to the identification and

More information

Crisis Communications Plan

Crisis Communications Plan Crisis Communications Plan Cleveland Metropolitan School District External Affairs Department January 13, 2009 1 Table of Contents 1. Purpose 1.1 Why do we need this plan? 5 1.2 What are the objectives?

More information

Why Crisis Response and Business Continuity Plans Fail

Why Crisis Response and Business Continuity Plans Fail Why Crisis Response and Business Continuity Plans Fail 10 Lessons Learned from Real-World Experience Many organizations invest considerable time, money and effort in developing Crisis Response and Business

More information

The handouts and presentations attached are copyright and trademark protected and provided for individual use only.

The handouts and presentations attached are copyright and trademark protected and provided for individual use only. The handouts and presentations attached are copyright and trademark protected and provided for individual use only. READINESS RESOURCES American Bar Association -- www.abanet.org Disaster Recovery: www.abanet.org/lpm/lpt/articles/slc02051.html

More information

Introduction UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT

Introduction UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT INFORMATION SECURITY: UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT FACTSHEET This factsheet will introduce you to Business Continuity Management (BCM), which is a process developed to counteract systems

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Policy Statement & Strategy July 2009 Basildon District Council Business Continuity Management Policy Statement The Council is committed to ensuring robust and effective

More information

BUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION

BUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION BUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION EXCERPT FROM THE FOREWORD TO THE 2ND EDITION The events of 9/11 have cast a long shadow over the world and led to a vital reappraisal of Enterprise Risk

More information

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15 Appendix 6c Final Internal Audit Report Disaster Recovery Planning June 2007 Report 6c Page 1 of 15 Contents Page Executive Summary 3 Observations and Recommendations 8 Appendix 1 - Audit Framework 13

More information

Chapter 6 Business continuity management

Chapter 6 Business continuity management 74 CHAPTER 6 BUSINESS CONTINUITY MANAGEMENT Chapter 6 Business continuity management Summary The Act requires Category 1 responders to maintain plans to ensure that they can continue to exercise their

More information

Q uick Guide to Disaster Recovery Planning An ITtoolkit.com White Paper

Q uick Guide to Disaster Recovery Planning An ITtoolkit.com White Paper This quick reference guide provides an introductory overview of the key principles and issues involved in IT related disaster recovery planning, including needs evaluation, goals, objectives and related

More information

Prudential Practice Guide

Prudential Practice Guide Prudential Practice Guide LPG 232 Business Continuity Management March 2007 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice guide is not legal

More information

The 10 Minute Business Continuity Assessment

The 10 Minute Business Continuity Assessment How would your business cope if an emergency evacuation was needed and you couldn t return for a week, or it suffered a serious flood? What would you do if a staff syndicate quit their jobs after winning

More information

VISION FOR LEARNING AND DEVELOPMENT

VISION FOR LEARNING AND DEVELOPMENT VISION FOR LEARNING AND DEVELOPMENT As a Council we will strive for excellence in our approach to developing our employees. We will: Value our employees and their impact on Cardiff Council s ability to

More information

Information Services IT Security Policies B. Business continuity management and planning

Information Services IT Security Policies B. Business continuity management and planning Information Services IT Security Policies B. Business continuity management and planning Version 1 Date created: 28th May 2009 Approved by Directorate: 2nd July 2009 Review date: 1st July 2010 Primary

More information