Treating The Causes Of Bad Exercises
Faults and Fixes: Bad Exercises
Practice—it’s a key to success in any pursuit. Whether it’s within sports, hobbies, or business, practice is integral to fostering success, and business continuity planning is no exception. Arguably, the most effective way to practice implementing business continuity plans, processes, and strategies is by performing exercises. Not only will a good exercise improve preparedness, it will also socialize business continuity planning among the organization’s key leaders and demonstrate the value of business continuity planning. However, many exercises fail to “impress” and meet the goals of socializing capabilities, building competencies, and identifying opportunities for improvement. Within this perspective, we’ll take a look at some of the key causes and simple fixes that will allow business continuity practitioners to plan for and facilitate an engaging, beneficial business continuity exercise.
To assess the faults and fixes within exercises, we’ll break the practice into three key phases:
- Exercise Planning
- Exercise Execution
- Exercise Reflection
SYMPTOM: LEADERSHIP AND OTHER STAKEHOLDERS ARE RELUCTANT TO PARTICIPATE IN EXERCISES
Root Cause: Exercise Lacks Direction
Before planning begins for a specific exercise, business continuity planners should to ask themselves the following question: “What do we intend to accomplish with this exercise?”
If you can’t answer this question, the exercise is on track to fail before it even starts.
An exercise session should have a clear purpose – whether it’s validating a newly implemented strategy, identifying opportunities for improvement within plan documentation, or training new team members regarding their roles, responsibilities, and plans. Insufficient reasons (or objectives) include “because we have to” or “we need to meet an audit requirement”. Even though those reasons may be accurate, the outcomes are likely to be non-value-adding with less than active participation.
To achieve the intended purpose established for the exercise, business continuity practitioners should, first, create relevant goals and realistic objectives for the exercise session. The objectives for the exercise session should contain specific success criteria to judge the effectiveness of the exercise once completed.
Next, the business continuity practitioner should define the scope of the exercise, including the business activities, resources, plans, and teams. Overall, detailed objectives and a clearly defined scope helps ensure that the organization’s exercise session achieves its intended purpose, leading to higher participation levels throughout the organization.
When senior leadership can see clear direction, purpose, and value, they are more likely to participate.
Root Cause: Participants are Unsure of What to Expect
Once the organization has clearly established the exercise’s purpose, objectives, and scope, assess who within the business continuity planning effort needs to be present during the exercise session. Send a message to these participants clearly communicating the purpose and objectives of the exercise well in advance of the planned exercise date(s). Using the information created in the planning process, establish a compelling business case for conducting the exercise, which will drive participation for senior leadership and other exercise participants and stakeholders. Work with the exercise participants to establish a date and time that works with their schedules to ensure you get the right people in the exercise for a sufficient amount of time. Lastly, offer ways that participants can prepare, as many exercise attendees often show up nervous because they are unsure what to expect and don’t want to embarrass themselves.
SYMPTOM: EXERCISE SESSIONS LACK FOCUS AND DIRECTION
Root Cause: Unrealistic Scenario Development
Once the business continuity practitioner establishes the “why” through initial exercise planning, the planner should build out the “how” through detailed scenario development. Looking at the exercise’s purpose and objectives, decide what type of exercise best meets evaluation and awareness-building objectives. For a simple, low-impact exercise, business continuity practitioners may consider conducting a basic plan walkthrough that guides participants through plan content and focuses on response and recovery at a high level (without a cause of the disruption, just a summary of the outcome). One of the more common and effective types of exercise is a tabletop, which is a facilitated exercise where participants make specific decisions to respond and recover from a business disruption based on scenario information presented. For a more detailed, action-oriented exercise, the organization may consider executing response and recovery strategy rehearsals, like activating a crisis command center, performing mass notification testing, or resuming operations at an alternate work location. From there, the exercise planner can develop more detailed, intensive scenarios like live-play exercises that closely mimic the actions of a real event.
After the organization chooses the exercise type, assuming it involves a fictitious scenario, the business continuity practitioner needs to develop a realistic scenario or scenarios relevant for the organization and the environment in which it operates. The scenario(s) should provide a detailed narrative that creates a business disruption targeted towards a loss of resources that aligns to the exercise scope and objectives. Additionally, business continuity practitioner may consider supporting the scenario with periodic injects of scenario content either meant for the group or specific roles. This exercise tactic should mimic the flow of information that would occur during an actual event. The business continuity practitioner is obligated to create the best exercise scenario possible to fully explore plans and strategies within the scope of the session. In case you’re stuck with identifying a scenario topic, check out the news! Disruptive incidents occur all the time, look for a relevant topic and tweak it to apply to your organization.
Root Cause: Poor Exercise Facilitation
Even with perfectly executed planning and scenario development, an exercise can quickly fall apart without an experienced exercise facilitator leading the session. The exercise’s facilitator should be familiar with the organization and its response/recovery strategies (it helps if the facilitator understands business continuity planning too). Oftentimes, business continuity practitioners insist upon facilitating their organization’s exercises. While it is often appropriate to do so, if he or she serves in a role being evaluated, the organization should seek an outside facilitator. Further, this approach enables the business continuity practitioner to practice his or her role with other members of the team, while the chosen facilitator drives the session in order to meet objectives without participating in a response or recovery role. The facilitator should present the exercise scenario, deliver information injects, field clarifying questions from participants, steer the conversation in accordance with objectives, and keep the session as realistic as possible (helping participants make decisions and avoid the hypothetical). It is important that the facilitator urges participants to treat the exercise as a real event and not let the validity of the scenario color discussion or response. Additionally, the facilitator should lead after-action discussions and verbal debriefs where participants assess the success of the response effort and identify key opportunities for improvement within plans and strategies.
SYMPTOM: THE ORGANIZATION NEVER REALIZES THE FULL BENEFIT FROM THE EXERCISE SESSION
Root Cause: Lack of Follow-up and Corrective Action Documentation
Although the exercise session may be over, the work to wrap-up the effort isn’t. Castellan recommends that the business continuity practitioner create a summary report detailing exercise results. Based on the objectives established in the planning phase, capture the strengths and opportunities for improvement. This report should also contain a list of action items and corrective actions to improve business continuity plans and strategies based on observations and feedback. Once created, the business continuity practitioner should distribute the report to the exercise participants and other program stakeholders to collect their feedback or endorsement. Additionally, ensure that the corrective actions identified within this effort are promptly acted upon, which further demonstrates the value of this practice to the organization. Your organization should strive to ensure a business continuity exercise is not a “one and done” affair and show that the practice is key to maturing and evolving an effective business continuity program.
The symptoms and causes listed above are by no means the only issues that can arise within business continuity exercises, and there are many solutions and approaches that ensure success for your organization. Regardless, exercising plans and strategies are absolutely critical to the success of any business continuity program, and the strategies listed above will help you succeed. Regular exercises will keep senior leadership and all other business continuity program participants engaged and aware of regular planning activities. More importantly, business continuity exercises provide personnel with vital knowledge and experience prior to the onset of a disruptive incident.
Business continuity and IT disaster recovery planning is all that we do. If you’re looking for help with building or improving your business continuity program, we can help.
Get resilience insights delivered to your inbox.