The benefits of planning a series of exercises versus a one-off:
A three-year exercise program should replace the current annual validation method. An effective training programme will ensure the participants learn to deal with incidents in an effective manner and will train them to work as part of the group that manages incidents. Our programme will establish their response capability built through a steady escalation in complexity and pressure, from desktops and walkthroughs through to multi-party simulations.
There are numerous benefits of a three-year programme over conducing a series of unconnected annual exercises:
- The opportunity to build a progressive programme that will upskill your incident teams and build and improve on each exercise undertaken. At the moment each exercise event is a one off activity.
- The opportunity and time to link all training to team requirements and demonstrating this during the exercises.
- The opportunity to measure the incident teams’ performance and maturity improvement over a fixed time period allowing management to check that they are improving and the organisation’s capability to manage an incident is getting better.
- The opportunity for deputies to attend the exercises so they don’t lag behind in skills and experience. It is difficult for new team members, in one off sessions, to “catch up’ on the skills other team members have.
- The opportunity to train team members, that may have specialist roles, such as Human Resources who may not be sure what skills they are meant to demonstrate and how to perform their role during an incident.
- The opportunity to develop within the programme the vision, the skills, knowledge, behaviours and competencies required for managing an incident and an effective pathway to gaining the skills over time.
- The opportunity to continuously promote the incident management skills, behaviours and knowledge that otherwise may get forgotten with annualised one-off training events or short exercises in-between annual exercises.
PlanB Consulting will develop a three-year exercise programme which delivers these benefits and equips your incident management team with the skills, behaviours, knowledge and competencies to manage a major incident. At the end of the programme the organisation will be able to show a demonstrable improvement in incident management skills and increased maturity in responding to incidents.
Each year will build on the skills of the previous year and follow an agreed improvement pathway. At the end of the 3-5 year period there is the opportunity to review the programme and decided on whether to build on the existing skills or start at the beginning of the programme again.
Business Continuity Exercise Programme development
In the Good Practice Guidelines (GPG) it states that: ‘An organisation’s continuity capability cannot be considered reliable or effective until it has been exercised’. The section on validation goes on to say, ‘An exercise programme should ensure that desired level of capability by: Rehearsing all plans’. If you look at most mature business continuity organisations, on the whole, they will have an exercise programme and it usually consists of each plan being exercised once a year by the team. Some go a bit longer between them, but these are the main exercise activities. Their technical people are likely to do some DR exercises, sometimes they are discussed with the BC person but often they take place separately, and the BC person relies on IT to conduct suitable exercises.
What many practitioners are missing is the next requirement of an exercising programme, which according to the GPG is ‘Verifying all business continuity solutions’. There is a requirement to make sure that the solutions (strategies) proposed do actually work, and that as part of the exercise programme these are verified. We need to check that no changes have been made in the meantime, which makes the technical solution we propose unworkable, and we must check that the solution is still valid.
By way of an example to demonstrate an exercise programme, I use an organisation which has a call centre and their solution if they lose the call centre, is to work from another building owned by the organisation. In the recovery location, they would use a displacement strategy, so some of the staff in the recovery location would be sent home to make way for call centre staff to use their workstations and telephones.
To verify this solution, I suggest that five separate exercises are needed to make sure that all parts of the solution works.
All call centre staff need to be aware of the proposed solution to move to the alternative recovery site. They need to know which of them will go to the site initially and which of them will be sent home. If part of the solution was to rotate staff working in the recovery centre, they would need to know this. Staff would also need to know the sequence of events from leaving their existing building after an incident, to arriving at the recovery centre. Will they go straight from the existing building to the recovery centre, or should they wait until the next morning once the recovery facilities have prepared and the IT switch has taken place? Staff will need to know how they will be contacted and when they should be expected to go to the recovery centre if an incident takes place outside working hours. As part of an exercise programme, this awareness training or information could be discussed at a plan walk-through/discussion exercise and could be conducted for all staff at least once a year.
The call centre incident management team needs to be exercised. They are responsible for implementing the recovery solution and then managing it. As part of their exercise programme, they should be carrying out a tabletop/scenario exercise or a simulation exercise at least once a year.
This involves 2-3 members of the call centre going to the recovery centre and checking that they can log on to the PC of a member of staff they are going to replace. They need to check that they can download their profile within a reasonable time and that all the applications they require are available on the PC they are going to use. This exercise may only take an hour to carry out. Due to possible changes in the organisation’s IT infrastructure and updates to applications, this part of the exercise programme should be carried out every three months.
This exercise involves the telephony team within IT checking that they can switch calls coming into the call centre to the recovery centre. This exercise could be conducted at the weekend when the call centre is not operating. Members of the call centre may act as customers and call in, with a number of agents sitting in the recovery centre to practice taking calls. By carrying out this exercise, the call centre is able to verify that calls can be switched to the recovery centre and they can be dealt with appropriately by the call agents. Due to how critical this solution is, this part of the exercise programme should be conducted every six months.
Carrying out a full rehearsal of the business continuity solution. If 50 staff are going to work from the recovery centre, all 50 are taken to the recovery centre and the full deployment of staff is practised. This could be done during a weekend or bank holiday, or if the technical solution allows it, all staff working for a day at the recovery centre taking live calls. As this exercise is likely to disrupt business as normal or if there a cost of overtime for staff, then this exercise could only be carried out every three years.
You can see that an exercise programme is not just about how often each business continuity plan is exercised but is also about conducting a number of different exercises to verify the whole end-to-end business continuity solution. Some of the exercises may not be onerous, such as exercise 3, going to the recovery centre and checking you can log on, but for me this exercise is as important to verify your business continuity solution as running an incident team desktop. As part of our long list of things to do, you should review your business continuity recovery solutions/strategies and see if there are other exercises you need to do to ensure that the solution will work.