The Exercise: Where The Rubber Meets The Road
Since 2005, Castellan Consulting has performed hundreds of business continuity exercises with organizations in every major industry and sector throughout the United States. No matter the scope of the exercise or the level of complexity, several key elements enable the successful outcome of this important component of the business continuity lifecycle. This perspective shares some of our lessons learned, highlights the importance of exercising and provides insight into our time-tested exercise methodology.
Nearly every business continuity standards and regulatory body recognizes the need for exercises to validate and continually improve continuity plans, including the National Fire Protection Association (NFPA), the British Standards Institute (BSI), and even the Federal Financial Institution Examination Council (FFIEC). Exercising is also one of the most visible activities in which a business continuity practitioner is involved; it’s where the rubber meets the road.
While technology, requirements and standards will continue to evolve into the future, the fundamental elements of exercise planning, facilitation, review, and improvement will stay the same. Regardless of if you call it a test or a drill, the following lessons learned, tips and recommendations will enable you to develop and facilitate value-adding business continuity exercises.
While planning and preparing for an exercise may seem time-consuming (because it is), it’s also the most important step in ensuring that a business continuity exercise is successful, effective and value-adding. And, given the potential that an exercise is far-reaching in scope involving many personnel or senior leaders, the ability to plan for an exercise is just as important as planning for other projects – it’s important to develop a business case (standard, requirement, policy, or SOP requiring an exercise) , define the project (scope and objectives of the exercise), identify risks and issues (safety issues, dependencies, assumptions of the exercise), define acceptance criteria (success criteria of the exercise), and establish a means for evaluation (exercise summary, feedback and action items). This process can be simplified, tracked and communicated using an Exercise Plan that captures the following:
- Exercise scope (type)
- Exercise objectives
- Success or failure criteria
- Planning timeline
One of the key building blocks of an exercise is the determination of the type of exercise that will be used. Commonly, this depends on the familiarity of the organization and exercise participants with business continuity and their previous exercise experience. The following list, organized in order of increasing complexity and aligned to British Standards Institute recommendations, provides an overview of different types of exercises.
- Seminar Exercise (or “plan walkthrough”): Exercise in which the participants are divided into groups to discuss specific issues
- Table-top Exercise: Facilitated exercise in which participants are given specific roles to perform, either as individuals or groups
- Exercise: Planned rehearsal of a possible incident designed to evaluate an organization’s capability to manage that incident and to provide an opportunity to improve the organization’s future responses and enhance the relevant competences of those involved
- Drill: Coordinated, supervised activities usually employed to exercise a single specific operation, procedure or function in a single agency
- Simulation: Exercise in which a group of players, usually representing a control center or management team, react to a simulated incident notionally happening elsewhere
- Live Play: Exercise activity that is as close as safely practicable to the expected response to a real incident
Once an exercise type is agreed upon, it will be necessary to determine the scenario(s) that will guide exercise participants and encourage the usage of, review and feedback on their business continuity plans. The following list provides general examples of scenarios, organized by resource type, which may be considered and customized based on an organization’s unique resources, needs, dependencies, or operating environment.
- Loss of Facility: Continuing the delivery of critical products and services following the loss of a key facility (i.e. fire)
- Loss of People: Continuing the delivery of critical products and services with a reduced workforce (i.e. pandemic)
- Loss of Technology: Continuing the delivery of critical products and services without access to technology or systems (i.e. data center failure)
- Loss of Equipment: Continuing the delivery of critical products and services following the loss of key equipment (i.e. metal press)
- Loss of Suppliers: Continuing the delivery of critical products and services (i.e. payroll processing)
Other hazard-specific exercise scenarios may also be developed based on your operating environment, including data breach, hostile takeover, unauthorized communication (i.e. social media), terrorist event, or regulatory activity. The overall facilitation time of the exercise will vary depending on the type of exercise selected (and in many cases, the time management commits to the exercise). In general, exercises range in length from two to four hours.
As practitioners, we understand the purpose and intent of all business continuity activities, including exercising. Outside of the business continuity program, however, personnel are often only exposed to business continuity once annually during the plan update process or exercise cycle. As such, awareness activities (for new employees) and training (for all employees) are essential to the success of the exercise. Simple, high-level one-pagers that provide an introduction to the process is a great way to help exercise participants feel comfortable.
Successful exercise planning, similar to general project planning, helps to ensure an effective and efficient exercise for all participants. And, during the exercise, it enables the facilitator to focus on the exercise instead of logistics, training, housekeeping, etc.
In addition to planning, another key component to exercising is the actual facilitation of the exercise. Depending on your organization and business continuity program, you may choose to facilitate exercises internally or work with an outside party, such as Castellan. While both have pros and cons, especially depending on the scope of the exercise, it’s important that a facilitator have the following key traits:
- Excellent presentation skills
- Proven leadership abilities and comfort with exercise format
- Knowledge of the business and/or industry
- Understanding of business and location-specific risks
- Sufficient experience with the organization’s business continuity program, especially those elements being exercised
Actual exercise facilitation and delivery can take several shapes based on the type of the exercise, complexity of the scenario, participant familiarity with business continuity, and access to technology. To increase the realism of the scenario and garner engagement from participants, the following facilitation approaches may be considered:
- Exercise activation utilizing (and testing) an automated emergency notification system
- PowerPoint slides that illustrates the scenario and provides situational updates by time period
- Paper-based, verbal or digital injects that provide additional details on the scenario
- “Breaking news” videos that illustrate the scenario or changing conditions
- Remote or work-from-home testing via VPN and/or teleconference
- Interaction with key suppliers, first responders or other interested stakeholders
Perhaps the biggest recommendation for business continuity practitioners is that they thoroughly understand their audience, especially if the exercise includes senior management. If an outside party is facilitating the exercise, make sure they are aware of the personalities of key participants and their expected level of direction and participation in the exercise.
Exercise Feedback, Review and Next Steps
Immediately following an exercise, it’s crucial (and necessary) to have a verbal debrief, “hot wash” and lessons learned discussion with participants in order to answer any questions, solicit feedback and outline how the exercise outcomes will impact future planning activities. While numerous means of soliciting feedback from participants exist, including paper-based or internet surveys and interviews, it’s best to ask for written and on-the-spot feedback using easy-to-answer questions with a ratings scale:
- To what degree did the exercise meet your expectations?
- Please rate your satisfaction with the overall time/duration of the exercise session.
- Please rate the overall style and quality of presentation materials.
- How effectively did the facilitator present information?
- Other: (recommendations for improvement, additional training needs, new topics, etc.).
While feedback is important for continuous improvement, it’s also a means of accounting for participants for training and audit purposes. Similarly, a summary document that captures key exercise details is perfect for historical records, audit documentation and review by senior leaders (i.e. Business Continuity Steering Committee) and may include:
- Exercise results
- Opportunities for improvement
- Lessons learned
- Actions items/corrective actions
Just like a plan that sits unexercised on a shelf, exercise results that are documented and left unattended to do little to improve organizational resiliency. As such, action items and opportunities for improvement captured during the exercise should be entered into an issue log or corrective actions database so that they may be recorded, delegated and tracked to completion. While testing frequency varies based on operating industry and standards, it’s best to exercise business continuity plans and capabilities at least annually or following significant organizational changes.
No matter if you call it an exercise, a test or a drill, if you’re doing it, you’re on your way to increasing the overall effectiveness of your business continuity program. At the end of the day, it all goes back to what we were reminded as we were growing up: “practice makes perfect”.
Ready to go to the next level? Schedule a strategy session with us today.
Get business continuity insights delivered to your inbox.