A Business Continuity exercise will help people in the business engage in the process, experiencing what the consequences of an invocation would feel like.
If properly facilitated and constructed with a relevant scenario, a Business Continuity exercise, particularly one that exposes weaknesses within the business and then the consequences of this, both the financial and human, business and personal, can give those involved a taste of what a crisis unravelling around them would feel like.
This can create an emotional experience of Business Continuity and therefore a stronger driver for buying into the process.
Planning a Business Continuity Exercise
Here are nine considerations for an exercise:
Make it Real — Take a scenario that those involved in the Business Continuity Exercise can relate to. This just makes the experience more relevant and stops the “that wouldn’t happen in real life”.
Set the Facts and Parameters for the Exercise — You can define the resources available to the team in the exercise. For instance, the server is offline so there’s no access to data, or you can present them with Grab Bags and explain that’s all the resources they have available. These should be realistic and prevent the team from creating options out of thin air. They should be using a copy of the Business Continuity Plan (BCP) or Incident Response Plan (IRP).
Model the Consequences — Work through the consequences beforehand, both in terms of impacts on individuals, the business, customers, and suppliers, and where possible put some financial implications against these. These can then be used as injects that you can introduce during the Business Continuity Exercise to make it dynamic.
Make it Dynamic — Decide on injects that you want to introduce through the exercise to make it dynamic and challenge the team, force them to make real-time decisions.
Make it Real-Time — Social media can be a useful vehicle to use in the exercise, as everyone is attuned to how real-time events are in today’s 24/7 news environment. If your scenario was a fire for example, you could have nearby residents posting pictures online, taking the control of communications away from the Business Continuity Team (BCT). You can also have designated customers reacting to the situation, and hand the team an email that has been received from a key customer who wants to talk as they have heard you’ve had an incident from a competitor.
Appoint Observers and Facilitators — The facilitator role is key, as they steer the Business Continuity Exercise. They need to challenge anything the BCT tries to do that wouldn’t be possible, and also manage the injects so they are taken on board by the BCT. Observers can record the actions and decisions of the BCT and the interaction and dynamics between them. This will provide powerful learning in the debrief.
Chain of Command — The Exercise could compromise the natural chain of command by removing the key decision-makers, and therefore challenging the team dynamics and its decision-making capability.
Lessons Learned — A debrief is essential to capture the learnings from the Business Continuity Exercise, and to build awareness. Don’t just review the activity; get the participants to reflect upon how it felt and explore how that has changed their understanding of Business Continuity.
The Golden Rule — Don’t get carried away with the realism. Your simulation should never create an incident by running the exercise.
More Information on Planning a Business Continuity Exercise
If you need best-practice advice or help with planning your Business Continuity, please contact your local Arch Branch about our available Arch Risk Management solutions.