Figure 11-1: A test exercise.
Planning the Exercise and Its Objectives
Of course, your dedicated BC leader needs to be fully involved in planning your approach to validation, but which other staff take part depends on the size, complexity and structure of your organisation. In a company with a small workforce, the business owner probably wants a hands-on role.
This planner can be your BC leader or a senior manager with a thorough knowledge of the organisation, in particular of the critical activities, processes and products, the business’s strategy and priorities, and the inter-dependencies of the management processes that support the product or service you provide. If your processes are very complex, someone with technical expertise may need to provide assistance. These people often know where to put the spanner in the works to get the best (worst!) effect.
Make effective use of your preparation time to ensure that everyone uses the exercise time well. Ask yourself whether anything’s missing from your exercise plan. If so, can you fit that missing aspect in? If you do, make sure that any additions/changes you make to the exercise don’t skew the objectives you may already have set. Disturbing the balance of the exercise that you thought you had in place, by over-elaborating or with second thoughts, is all too easy. Keep the first few exercises simple. (Experience will test ambition.) As your experience grows you can become more ambitious about what you want to test.
Identifying exercise objectives
Identifying your objectives is in essence deciding what you’re trying to achieve. Your overall aims need to include:
Making your organisation more resilient by validating your response capability.
Identifying ways to improve your BC system and related arrangements.
A bit of a mouthful, but by identifying these relatively straightforward objectives you make clear that your exercises are about finding ways to improve business performance, and not about putting people on the spot or worrying them to death.
You need system-specific objectives too, as we describe in the following two sections.
Setting quality objectives
Choose four or so clear and achievable objectives. For example, the exercise needs to demonstrate that you can identify:
The likely impacts from (a variety of) disruptive events.
How you intend to restore your business activities.
The value – to everyone – of your BC system.
That you have key staff ready and available.
You also need to be able to mobilise the necessary technological skills to survive.
Setting measurable objectives
Focus on specific measurable targets for your exercise, based on your plan, on previous exercises or on emergencies. These aims may include being able to demonstrate:
A timetable for recovery and to respond to business/customer needs.
Your speed of access to current data; for example, you reported on the number of X available within three hours.
That you can recover those activities identified as critical to business; for example, you were able to meet your recovery time objectives for all critical tasks (you need your up-to-date register of critical business activities – see Chapter 4).
Which staff you expect to respond and know for sure they can; for example, staff members were available for all roles in the disaster recovery plan and attended the meeting point within one hour.
You’ve addressed previous exercise shortcomings and learnt lessons.
Assessing the cost
‘How much is the whole process going to cost?’ you may well ask, and the flippant answer is, ‘Less than a badly handled disaster!’ A more useful response is that the cost depends on what you need and what you want to spend. The main cost items for a desktop test are likely to be:
Planning time.
Staff time away from normal work.
Perhaps room hire and catering – getting away from your normal location can be very helpful (as can tasty sandwiches!).
Choosing a format
All businesses are restricted in what they can exercise to some extent, with possible costs, location, equipment and knowledge of players being a problem. Ask yourself how these or other factors may restrict what you want to do.
Do you need senior management agreement (extra buy-in) to accommodate these or any other issues? If that’s likely, secure that support now (factor them in now). Don’t compromise the exercise by silly, avoidable planning defects.
Selecting who takes part on the day
Here’s a rough idea of the people who need to take part in your exercise:
Executive director
BC leader
Key staff including business process leaders
Facilitators (if you’re doing a live exercise)
Experts (if you’re relying on specific knowledge or expert advice; for example, on power, or tackling fire or water damage)
A record keeper or note-taker
Telling your staff
Inform your staff that an exercise is going to take place and that they need to be up to date with the business’s recovery procedures and the roles and responsibilities those procedures identify for them. You may need to provide a brief explanation about what the exercise is going to involve, but details depend on the type of exercise. You may want to say something like:
We will be running an exercise to see how we would cope in a disruption. This is to see whether the plans we have been developing will meet our needs. We will be testing the plans and not individuals. All staff should update themselves on the plan contents and the roles they will undertake. The exercise will take place at . . .
By now, of course, all staff are clear about your recovery procedures and their roles and responsibilities – aren’t they? Don’t forget that you shouldn’t give staff scenario detail in advance. You may want to spring an exercise upon them (if doing so is feasible and doesn’t damage your business activity for the time involved). That’s your call, of course.
Emphasise that a desired outcome of the exercise is to give you – and staff – the assurances you all need that appropriate measures are in place to maintain your business.
Developing an effective exercise scenario
Part of your exercising preparation is to create a scenario, which is a bit like writing your own nightmare – a story of bad things that get worse. To work, a scenario needs to present a realistic set of circumstances, which means something that may reasonably happen to your business (no alien storylines please!).
All the included technical material needs to be accurate. The last thing you want is for people to dismiss the scenario as impossible or for someone with greater knowledge, or who’s simply better prepared, to tell you that you’re wrong about a critical item.
This eventuality can happen; don’t let it because it sinks the exercise before it starts. Worse, the credibility of the facilitator – which may be you – vanishes and staff can start to worry about issues such as leader competence (definitely not something to encourage).
So, to develop your exercise scenario:
Identify source materials and check out what you don’t know with experts.
Make it plausible and relevant.
Create an appropriate trigger mechanism.
Be specific and include enough detail to make it realistic: for example, consider location and collateral damage, denial of access, threats, damage to reputation, utility, and information and communications technology failure, staff access and so on.
Prepare more event possibilities and added difficulties than you think you need – you don’t want to exhaust all your options before you’ve explored everything you need to.
Consider how the story’s going to work with the questions you plan to ask.
A good exercise scenario achieves the following:
Contains content that’s appropriate to the objectives you set.
Offers a challenge and is solvable – even if the solution is imperfect, its resolution shouldn’t be impossible.
Challenges but doesn’t overwhelm.
Involves all key players.
Works with your key players or their deputies who should fit easily into their roles.
Doesn’t require the emergency services to answer questions, unless they’re taking part or you know what they’d say.
Unfolds to timescale within the time available.
Carries minimal risk of causing real disruption (unless you want it to).
Creates lessons to learn.
We provide a sample exercise in the later section ‘Considering an Exercise Scenario’.