This week I thought I would discuss what I think is a missing part of the business continuity life cycle.
It was brought home to me when I conducted some crisis management training on Monday and then again when I conducted a major exercise on Tuesday.
The new business continuity life cycle starts with ‘analysis’ or understanding the organisation, as we used to call it, and then goes on to ‘design’ (strategy). Once you have your strategy you can develop your plan (implementation). The next stage of the life cycle is ‘validation’, which used to be called exercising, maintaining and reviewing.
But at no stage is anything mentioned about training people in using the plan before going forward and exercising it.
I have just taken a look at the GPG 2013 and, on page 90, the process under implementation for developing a plan goes from: “Amending the plan as appropriate”…straight on to…“validating the plan through an exercise with the business unit”.
This was very obvious from the exercise I conducted where the team had no training on their plan or how to manage an incident. In fact they didn’t actually have a plan for the team that was dealing with the incident.
They had individual plans for their own departments but not for their tactical team. The team were very good at solving the problem, dealing with the issues caused by the incident and communication with staff and customers.
At the beginning of the incident the team interaction was more like an old-fashioned trading floor, with everyone shouting at each other, but after a while things calmed down and they worked well as a team. I felt they were handling the issues as they would a normal business incident rather than looking at it as a potential company-ender.
Teams in incidents thrown in at the “deep end” during an exercise revert to what they know and try to solve the problem rather than looking inwards and thinking about the effect of the incident on their interested parties and their reputation.
I think there should be an extra step in the business continuity life cycle – training – though they might call it something a bit fancier than that.
As plans are written for the first time all those members of the team will need to be trained in the plan and their role in an incident. As plans change and develop this will generate additional training requirements.
I think there is an additional element of training, which is also forgotten, which is the process of managing an incident. Very rarely do I see organisations that train their staff in the process of managing an incident. This can be down to simple items such as conducting an incident team meeting. Current thinking from the emergency services is that they have a short, sharp meeting – followed by a period of time when they go and implement the actions from the meeting.
The team I saw had one long meeting with people engaging and disengaging when they had something to do. I think it is important to have an agenda or checklist to ensure that all aspects of the incident are managed and a major element is not missed. These templates or checklists need to develop and incident staff need to be trained in their use. The easiest task for staff is solving the problem which caused the incident as they are the people who manage the process. The more difficult tasks are logging information, communicating with interested parties they may not normally interact with and defensible decision making (making sure that all decisions are recorded).
As part of training, those in the incident team need to see the incident from the perspective of those affected by it, rather than internally trying to solve the problem. In an incident it may be much more important to communicate with your customers than concentrate all your efforts on solving the problem which caused the incident.
Training followed by a series of simple exercises, building on this training, is perhaps a better approach to preparing your incident staff to manage an incident than throwing them in the ‘deep end’ and going for a full-on exercise. Often during exercises the plan is ignored, the recovery strategy is made up on the day, and the team concentrate on solving the problem. They don’t communicate, and at the end of the exercise they think they have done a fantastic job and they are ready to handle an incident. How much better would it be if the team are trained step by step on the plan, the strategy and the process of managing an incident? This should be done as part of the business continuity life cycle rather than taking part in an exercise where – in fact – little is learned.