+44 (0)2039 098573

+44 (0)1505 228898

Search

In this week’s bulletin, Charlie discusses the importance of no-notice exercises and the importance of planning in an exercise.

Shortly, I will conduct the largest exercise I have ever carried out. It is a live exercise involving five different teams responding to a cyber incident. The exercise will involve a full role-playing cell, with role players from both PlanB and the client playing all external parties, and our MITS platform, which simulates media, social media and the client’s website. The exercise will be played in real-time over a day. It has been four months in the planning, with a team of subject matter experts from the client first developing a credible scenario and developing the exercise injects from this. What is interesting about the exercise, apart from its scale, is that it will be a ‘no notice’ exercise. A few of the senior managers have been informed, and also some of the exercise planners will take part in the exercise as participants, as they will have to explain the scenario to their team. Otherwise, nobody will know about exercise.

A live exercise with the full incident management response structure deployed and being executed with no prior warning that it is going ahead, is the ultimate exercise and practice of the organisation’s response. You can assess from a standing start whether an organisation is really ready to manage a major incident or if they are much better at managing one if they have a few weeks or months to prepare for it. Most incidents don’t come with prior warning that they are going to happen, so you don’t have time to put in the extra preparation, dust off and update your plans, and check your response procedures to ensure you are ready. There are a number of downsides to no-notice exercises that have to be taken into account when deciding if you are going to be conducting one.

It would be nice if you could turn up on site and say all your systems have been encrypted with ransomware and that was all the exercise preparation needed, but it doesn’t work like this. We have had to prepare a plausible scenario, and we have had to be clear on what has been affected and what has not. Much work has gone into preparing injects so that the team has additional tasks and issues to manage. There has to be a wide range of injects to ensure that all parts of the organisation are involved. Objectives and performance indicators have to be prepared for each team so that the relevant umpire can assess them. Role players have to be briefed, and the exercise management infrastructure needs to be practised and checked to ensure that all elements are ready to go. So, even if it is a ‘no notice’ exercise, the planning that goes into the exercise is similar to that of an exercise with notice!

There are a number of downsides to a no-notice exercise that have to be judged against the benefits of conducting a no-notice exercise. The first is that there is a danger of the exercise going wrong and dissolving into chaos. If people know there is an exercise taking place on a certain day, they start in their incident room, and they are in an exercise mindset and know they have to respond. If an exercise is sprung on people, they may be unsure how to react. They have their day job, and they may try and continue with it and ignore the exercise or try and juggle both. Key people may make themselves ‘unavailable’ or not embrace the exercise, and if people see seniors not engaging, they are less inclined to take part as well. If the exercise does dissolve into chaos, all the time and effort planning the exercise will be wasted. It could lead to a lack of confidence in the organisation’s capability to manage an incident and can undermine the credibility of the business continuity personnel who planned the exercise.

If people don’t know the date of the exercise, they may have planned a key meeting or activity on the day, which they may have to abandon or try to juggle with the exercise response. If participants have time to plan their participation in the exercise, they can make sure that the exercise has minimal impact on day-to-day operations, and they can concentrate fully on the exercise. I always think people secretly enjoy exercises, and no notice could lessen this enjoyment and lead to extra stress on staff.

I often feel it is the preparation that goes on before an exercise by participants which can often be as beneficial as the exercise itself. Participants are likely to ensure their plans are updated, new staff are briefed on their roles, and people generally think about their role and how they would respond. If the scenario type is broadly given or known, they will ensure that any contingency plans are reviewed, or even written, or briefings on the subject take place.

So in conclusion, conducting a live no-notice exercise is the ultimate test of an organisation’s preparation for dealing with a particular scenario and practices all elements of response, including decision-making, leadership, teamwork, and communications, and allows participants to practice their incident management skills. The key risk is that the exercise dissolves into chaos, the credibility of the exercise planners is dented, and the organisation’s morale and belief in its ability to manage an incident is lowered. Also, the organisation does not benefit from the preparation usually carried out when those who are going to participate in the exercise ensure they are prepared. If you can conduct a live no-notice exercise successfully, there are substantial benefits, and you prove the organisation is prepared, but there are also substantial risks.

Recent Posts

Is your business fully resilient?

If you would like to discuss how PlanB can help your business, speak to one of our consultants today!
Speak to a Consultant
Scroll to Top
Scroll to Top