CHAPTER 6: EXERCISING AND TESTING

A classic failing of a great many business continuity plans is that they are written and then left on the shelf. People are usually amazed at how quickly their organisation changes, and thus how quickly their plan ceases to be operable as intended. There are also plenty of examples of organisations attempting to use plans in earnest, only to find that they are too difficult to follow, with the result that the leadership resorts to ‘making it up as they go along’. This inevitably means that poor decisions are taken, and that the overall impact sustained is worse than expected.

ISO22301 quite rightly demands that BCM arrangements are reviewed regularly, are updated to reflect change, and are exercised from time to time, so that their operability is checked, and people involved in managing the BCM response have a chance to practise what they may have to do for real.

Exercises

This is an opportunity to demonstrate application of the PDCA model referred to earlier in the book. The Plan and Do stages have been executed with the development of plans and contingencies, and their implementation, including awareness and training for the people involved in managing the response. The exercise is an opportunity to test, or Check, how practically feasible the response actually is. The record of what happened should subsequently be used to modify or improve the plan and related arrangements, which is the Act part of the PDCA cycle.

Planning the exercise

In an ideal world, an exercise would comprise complete simulation of a major incident, including shutting down systems, premises and critical activities, then invoking all of the contingency resources. It would also be allowed to run for as long as necessary to ensure completion.

Such an exercise would be the most rigorous test of all the assumptions, capabilities, availability and resource performance possible, but is unlikely ever to be carried out, because of the cost. In fact, ISO22301 states that exercises should ‘…minimise the risk of disruption of operations’, and, whilst interrupting normal activities to conduct an exercise may not be an incident in itself, the result would be much the same. The Standard’s predecessor, BS25999, also required that an exercise should not cause an incident, which is arguably a statement of the obvious, and in any case largely falls within the requirements of minimising disruption.

In most organisations, exercises are likely to take place only annually, so every opportunity should be taken to test as much of the BCM arrangements as possible.

Probably the most common exercise scenario in use is the fire, which is often also used to test fire evacuation performance.

The general objective is to set a scenario, including a major incident, and then see how the command structure and the organisation as a whole respond. It is usually also necessary to accelerate the evolution of the business continuity phase in an exercise, so that what might normally take several days to happen can be simulated during the course of half a day.

Of course, people would not actually be sent home, and customers, for example, would not be contacted. The exercise, though, should include the decisions being taken to do all these things, with their execution limited to within the boundaries of the organisation.

The overall objective for the exercise should be stated at the outset. It will be a matter of testing the content of plans, procedures and other documents, checking the availability and specification of contingency resources (including DR), and rehearsing the command team(s) in their execution of the BCM arrangements as a whole.

The decisions that may be executed during such an exercise could include:

  • Evacuation of premises
  • Convening command teams
  • Testing deputisation in command teams
  • Testing the cascade system(s)
  • Testing deputisation in cascade systems
  • Generating media and corporate communications statements
  • Conducting simulated media interviews
  • Testing IT disaster recovery (where available)
  • Deploying small numbers of staff to alternative workplace locations
  • Checking samples of contact information.

These activities should be designed to test the ‘logic’ of the plan and arrangements, and the behaviour of those involved in the process, to see whether those people appointed to particular roles or tasks behave in more or less the way expected and assumed.

Exercises generally require facilitation. There will need to be at least one person, external to the organisation’s command structure, driving the accelerated timeline of the exercise, inserting conditions of further incidents, and helping to keep the team(s) focused on objectives.

The exercise plan can be a simple, one-page document describing the objectives, incident scenario, further incidents along the timeline, additional resources to be brought in to add realism or urgency, and requirements for recording what actually happens.

It may be desirable for the command structure to have limited or, indeed, no knowledge of the exact time the exercise will start, or of the scenario itself.

Generally, time should be allowed at the end of the exercise for debriefing, giving participants the opportunity to ask questions, seek clarification, and make suggestions as to how things could be improved. This is the best time to capture this sort of information; people are much less inclined to provide feedback later on.

Execution

The facilitator, or team, should simply inform a relevant person that the exercise has started, and tell them the nature of the incident.

If the exercise is the first for the organisation, due consideration should be given to how conversant members of the command team(s) can realistically be with the BCM arrangements, and how the plan works. The exercise will be as much an opportunity for the organisation to learn how to operate its own BCM arrangements as to test the specifics of resources, provisions and mechanisms.

In addition to the nominated person(s) maintaining the incident log(s), the facilitation team will probably benefit from a more comprehensive record of what is happening. In many cases, the use of video recording in the command location can be put to good effect.

In most organisations, the exercise will be time limited, so the facilitator will need to ensure that the planned evolution of the business continuity phase is achieved, and that there is time for a debrief at the end.

Reporting

Some time will be required immediately after the exercise, in which to analyse information recorded at the time. The key deliverables from an exercise will be:

  • Lessons learned
  • Changes needed, not only to components of the BCMS but also to review frequencies where relevant
  • Successes.

ISO22301 requires that a written report is produced, which should embody these key deliverables, with exercise records as appendices.
