Without regular Exercise your Business Continuity Plan may be lifeless, flabby, out of date and of little real value, as we know from experience.
How much exercising is enough? For a Business Continuity Plan, the Coach says twice a year at least.
To supplement Exercising we also recommend you use your Business Continuity Plan as a daily tool for incidents immediately they arise, small or large.
The exercising of a Business Continuity Plan is what separates successful crisis management and continuity of business from possible disastrous failure.
Developing good business continuity planning habits takes time and discipline, but it is essential for effective Business Continuity Management.
Exercising Business Continuity Plans is one of the best business investments that YOUR CLIENTS ORGANISATION will ever make. Insuring for loss arising out of business interruption is another.
How individuals will react under stressful and dangerous situations is difficult to determine. The military realises this, so they train their soldiers in difficult situations so that they will know what it feels like before they have to make life or death decisions under fire.
Business continuity is no different. In order to know how a particular team or individual will react under adverse situations can only come from proper planning and exercising of those plans. The business continuity profession has known this for some time.
However, based on numerous surveys taken before and after 9/11, business continuity plans exist for most organisations but they have never been exercised. A wide preponderance of organisations has indicated that they have NEVER exercised their Business Continuity Plans. Exercising of a Business Continuity Plan is what separates successful recovery from failed attempts.
Unlike planning, which defines what you do, exercising relates to actually doing it. Regular exercising helps to build habits and establishes learned behaviours.
An organisation, through exercising, can develop these learned behaviours if they do not have them already.
The bad news is that developing them is never easy. It takes time and a desire for perfection. It often involves the painful process of thinking and re-thinking incident scenarios and developing new mitigation strategies until the Business Continuity Plan are running like well-oiled machines.
There are five basic types of exercises that can be undertaken to properly assess the effectiveness of the Business Continuity Plan:
An un-timed exercise to review all of the elements of the plan in a stress-free environment. The participants are management and response team members who gather across the table to ensure that all are familiar with the plan; questions are asked and answered; changes are made to the plan if problems are discovered. This exercise is usually facilitated by the plan developer or business continuity plan co-ordinator.
TABLETOP EXERCISE OR WALK-THROUGH
A tabletop exercise simulates an incident in an informal, stress-free environment. The participants who are usually the responsible managers and the response teams gather around a table to discuss general problems and procedures in the context of an incident scenario. The focus is on training and familiarisation with roles, procedures, or responsibilities.
The tabletop is largely a structured walk-through guided by a facilitator. Its purpose is to solve problems as a group. A scenario is developed in advance but there are no attempts to arrange elaborate facilities or communications. One or two evaluators may be selected to observe proceedings and progress toward the objectives.
The success of a tabletop exercise is determined by feedback from participants and the impact this feedback has on the evaluation and revision of policies, plans, and procedures.
This type of exercise involves a predefined scenario, which is developed prior to the event. It is unannounced and once started it is timed from beginning to end. The exercise addresses the scenario using only the plan. It is used to determine the state of readiness and awareness of the plan’s response teams.
It incorporates all plans and tests the accuracy of all plan procedures including Contact lists.
The functional exercise simulates an emergency in the most realistic manner possible, short of moving real people and equipment to the Recovery Sites. As the name suggests, its goal is to test or evaluate the capability of one or more functions in the context of an adverse or emergency event.
It involves controller(s), players, simulators, and evaluators.
The atmosphere is stressful and tense because of real-time action and the realism of the problems.
Exercise is lengthy and complex; requires careful scripting, careful planning, and attention to detail.
Geared for policy, co-ordination, and operations personnel (the players).
Players’ practice their response to an incident by responding in a realistic way to carefully planned and sequenced messages given to them by simulators.
Messages reflect a series of ongoing events and problems.
All decisions and actions by players occur in real time and generate real responses and consequences from other players.
Guiding principle: imitate reality.
FULL PLAN EXERCISE
A full-scale exercise is as close to the real thing as possible. It is a lengthy exercise that takes place on location including the Emergency Control Centre and Alternative Work Site, using the equipment and personnel that would be called upon in a real event.
In a sense, a full-scale exercise combines the interactivity of the functional exercise with a field element.
Eventually, every incident response organisation must hold a full-scale exercise because it is necessary at some point to test capabilities in an environment as near to the real one as possible.
THE TWO MAIN BENEFITS OF AN EXERCISE PROGRAMME:
Individual training: exercising enables people to practice their roles and gain experience in those roles.
System improvement: exercising improves the organisation’s system for managing incidents and emergencies.
These benefits arise not just from exercising, but from evaluating the exercise, evaluating problems, and acting upon the recommendations.
Management should be clear that exercises are NOT tests. The intent is not to establish a pass or fail. An exercise should be viewed as the normal work required to refine and to tune Business Continuity Plan. An exercise has value only when it leads to improvement.
Exercises should be conducted periodically. The period of the exercises should at least be yearly, or, if business is rapidly, changing twice a year.
ONE LAST THOUGHT
Exercising of Business Continuity Plans and verification of their accuracy and efficiency are fundamental to achieving the objective of a responsive and recoverable organisation.
Desk top exercising is best to start with, using the BCP document and scenario options the Coach has for you or of your creation – usually something topical e.g. terrorism, pandemic, loss of power, fire, flood, denial of access to your premises
One Exercise for each separate Business Unit, except for small organisations, who may have one exercise only for all critical staff
One-two hours duration for a Exercise is plenty
Document the outcomes and upgrade your BCP immediately to fix any gaps
Exercises should be held at least annually
The more involvement you can get from critical staff the better, as they will enjoy active involvement and provide your organisation with valuable feedback e.g. delegate to them the placing of test telephone calls to random critical contacts
Contact us for assistance if required (there may be a small extra cost for extended Exercise assistance)
To keep your Business Continuity Plan alive, discuss the subject of Business Continuity Planning at regular staff meetings and explain the following main reasons why this subject of Business Continuity Management and a Business Continuity Plan is important to all staff and the organisation:
Loss of customers, revenue & extra costs could cripple your business following any incident that escalates
External threats are beyond your control
Reputation can be destroyed quickly if unprepared
Security breaches could be ruinous
Staff availability is vital
Communication with staff, customers & stakeholders must be speedy after a crisis
Technology changes are ongoing & create new threats
Supply chains & outsourcing needs protection
Senior managers & directors are expected to implement Business Continuity Plans or face the consequences
Insurance is only a partial risk solution
Your business will flourish if you use Business Continuity Planning properly
Reinforce these points at staff meetings and ask your staff for input.
You must apply to us for Certification when you have completed your first Exercise.
You will need to provide us, from your Business Continuity Plan with a copy of:
Business Continuity Plan Authorisation
Business Continuity Plan Date of issue
Date of last review and revision
Date of last Exercise and result
We may need to check your information and subject to that, we shall issue your Certificate or recommend steps for you to attain Certification.
When Certification is approved we recommend:
Framing and hanging of your Certificate in a prominent place visible to as many as possible e.g. office reception areas or work station locations.
Renew your Certificate annually. We shall remind you of the need to renew your Certificate.