Business Continuity Exercises and Tests
What best practice is there for training and exercising within Business Continuity/Emergency Planning?
- Regular
- Mix of small and large exercises
- Departmental and whole of organization
- Realistic, engaging scenarios
- Utilize your Business Continuity Plan
- Debrief
Feedback from BCP Builder Community on LinkedIn:
Objectives
- The objectives of the Business Continuity exercises and tests should be clearly defined.
- Make it more about learning rather than some sort of test that has to be passed.
Start with Table-top exercises
- Best piece of advice I’ve had about exercising is, don’t go mad undertaking wide-ranging, against-the-clock exercises too soon. You will be overwhelmed by compounding problems and issues. This will only lead to a loss of credibility and a real loss of buy-in to the programme by the participants. Work your way up to them. Build on success and maintain that essential engagement. Resolve the problems you find and get ready to go again.
- Definitely stair step delivery, beginning with training in discussion-based seminars and workshops. Once trained, tabletop exercises (many for different scenarios) and then operations based exercises. Do drills first, where applicable, and only move on to full scale when confident people will be safe, and they understand their role and responsibilities.
- Tabletop exercises and walk through exercises for evaluation of your Business Continuity Plan should be held quarterly. This is to make sure that Business Continuity coordinators understand the plan and are ready to use it during any event or crisis. Unit or department exercises should be held every year.
Make sure you progress
- More often than not we end up staying at the table top exercises and not trying the rigorous ones due to cost and fear of failure, but you are better off failing during simulation and ensuring the T’s are crossed than having a disaster and failing as lives and assets may be lost.
- In my personal experience, table top exercises are okay initially. But I have found that given the costs and efforts of more rigorous exercises, organizations tend to stay with table top types forever. This is not healthy. We need a combination of exercises small and big which include not just the internal groups but also the significant parts of the supply chain.
- Start small, then make them huge with surprise drills designed to educate, learn and then verify your Plans.
Full Exercise
- When you eventually get to the more challenging Business Continuity exercises and tests, rigor is very important. Ensure the exercise and response is as close as you can get to the real circumstances as they will be experiencing in a real incident. If there are any caveats, then these are identified on the post exercise report.
- From running our exercise for University, one of the learning points that came out was having knowledgeable observers who were able to contribute information to our participants. This was important as the exercise we chose to focus on required our participants to focus on recovery rather than response.
- Conduct unannounced, full interruption exercises starting from department-level, then floor-level and eventually premise-wide. Also consider conducting simulated cyber attack exercises.
- Full exercises can be very costly and they depend on organization critical services and capabilities. Usually they should be completed annually, or every two years.
What if you don’t have a Plan?
- Instead of developing a plan and exercising against it, exercise first to determine what is intuitive and instinctual among your audience and then build procedures from that. This way, your response process becomes more familiar and not something foreign that we must “train” people on.
- I would not spend a lot of time developing scenarios and details. Instead, make the event random so nobody – including the Business Continuity practitioner or facilitator – knows what to expect. This provides the Business Continuity participant(s) an opportunity to learn and train in responding to the unexpected.
- Use the opportunity to identify improvement opportunities. In fact, I would make this an objective instead of encouraging people to respond and recover within a specific time or following a defined set of procedures.
Emergency Notification System
Use a robust, intuitive Emergency Notification System which will provide:
- A private and secure multi-channel communications platform. The web and mobile app can be used by your Response team(s) to manage important communications that often happen outside of any formal incident.
- An Incident Management platform for your Response team: supporting the responders, assessing safety and executing critical tasks for a faster recovery. At all times the system should keep a full audit of events, visible on the command and control dashboard.
- Personnel Safety. Track and trace people to ensure they are safe, either during an incident or during travel times. Every user is also given an SOS button on their app to notify the Response team and begin tracking.
Free Resources
- New Exercise Starter Kits: https://preptoolkit.fema.gov/web/em-toolkits
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.