This week I look at the objectives, format and scenario of business continuity exercises, and I explain why scenarios are not the most important factor when planning an exercise.
I have seen many a business continuity manager, both experienced and not so experienced, devising the most fiendish and clever scenario they can think of and working the entire exercise around that scenario. This might be good for entertaining the team being exercised, pointing out a new risk and showing how clever the exercise planner is, but in terms of learning and improving the organization’s capacity to manage an incident, this approach is of limited value. If the chosen scenario would have such a huge impact on the organization, it should be in the risk register, not in the exercise.
Unless the organization wants to exercise a specific scenario, or has to exercise a particular scenario for regulatory purposes, the scenario is not really important, and devising it should be one of the last actions undertaken when planning an exercise, not the first. The first thing you should do is look at the objectives and what the exercise is trying to achieve. You should speak to the organization or your client and find out exactly what they want to achieve from carrying out an exercise.
There are four different objectives an exercise can try to achieve. The exercise might have one objective or a combination of several of these:
1. Exercising recovery processes
- Administrative: are the procedures manageable?
- Technical: does all the required equipment work?
- Timeliness: can the procedures achieve the required RTO for each activity?
- Procedural: are the procedures and plans correct, i.e. does the implementation of the plan produce the desired outcomes?
- Logistical: do the procedures work together in a logical way?
2. Exercising members of the incident team or those responding
- Individual skills development: get staff to practice carrying out their incident role in an exercise and develop their knowledge and skills for dealing with an incident.
- Build confidence of team members.
- Shift attitudes, change behaviours: teach staff to manage incidents in a different way or demonstrate to the team that they are not as ready to manage an incident as they think.
- Demonstrate and practice skills and knowledge taught to team members during incident management training.
3. Exercising plans
- Verify the contents of the plan: does it contain information required on the day of an incident?
- Are the right people and skillsets on the team?
- Does the plan flow in a logical way?
4. Problem solving
- Can the team adapt the plan to changing circumstances, such as an incident going badly, an incident where it is the organization’s fault, or an incident which has not been planned for?
Once the objectives have been agreed, the person planning the exercise needs to decide on the format. There is a tendency for those who base exercises around a scenario to plan for a ‘command post’ all-singing all-dancing exercise with role play, people phoning in, journalists bursting into the incident room and maximum entertainment for the team. For me, this is an opportunity to put some thought into the format and actually choose the right type of exercise: one which meets the agreed objectives. A few examples of using a different format to achieve the objectives of the exercise are:
- A plan walkthrough for half an hour on a one-to-one basis with a team member may give them much more benefit than a three-hour all-singing all-dancing exercise which is expensive, time-consuming to plan and in the end may give the team little training benefit, aside from a fun afternoon.
- Spending a bit more time thinking about how the objectives can be met may lead to splitting up the exercise into a number of different parts. Can a recovery to another office be done by one person going to the recovery site and seeing how long it takes to log on? This may be sufficient to prove a recovery RTO.
- Instead of exercising the team in real time and never getting beyond the first three hours of an exercise, consider a discussion/table top exercise where a whole series of time frames are considered throughout the incident.
Once the objectives and the format of the exercise are decided, it is time to look at the scenario. The question you need to ask yourself is: what does my scenario need to achieve? What assets do I want disrupted during the exercise? Do I want a long-term incident or a more short-term denial of access? How much media attention on the incident do I want, and will my exercise objectives be met if there are casualties? Do I want a simple scenario such as ‘there has been a fire and we have lost our headquarters building’, or do I need a complex scenario with lots of input and issues for each of the roles within the incident team? We need to make sure that there are issues for every person on the team.
This is now your opportunity to use your knowledge of business continuity and real-life scenarios to make the exercise come alive and be interesting for the players, if that is what is needed. So next time you are planning an exercise, follow this order:
- What does the scenario need to achieve?
- Scenario details.
If you follow this order, you will get maximum benefit out of your exercise and ensure that your organization is prepared to manage an incident.