How often should Business Continuity Plans be tested?


  27 Apr 2021   Associate



 

It is difficult to assess the effectiveness of a Business Continuity Plan unless it is tested by running a Business Continuity exercise. There are considerable risks if the first occasion that a Business Continuity Plan is used is when a major incident occurs. Furthermore, if an organisation is seeking ISO 22301 certification, the auditor will expect evidence of intention to conduct Business Continuity exercises of your plans.

However, a valid Business Continuity exercise that adequately tests Business Continuity Plans requires the time of a considerable number of people, many in senior roles. Convening a Business Continuity exercise can be challenging, both in terms of coordinating the participants and the opportunity costs of the participants’ time. So how often should you run a Business Continuity exercise? We conducted a survey, on behalf of a client, on the frequency of Business Continuity exercises in a range of organisations in the private, public, and not-for-profit sectors, which provided some interesting results.

While every participant needs to be available during the exercise period, in today’s connected world participants will not, and do not need to, be in the same place. As conferencing technology is being adopted in the day-to-day operations of business, organisations are starting to use it for Business Continuity, where it may be the most practical and, in some circumstances, the only option. As well as providing the opportunity for participants to become familiar with the technology in a Business Continuity scenario, for a Business Continuity exercise it has the added benefit of reducing the logistical challenge of arranging for participants to meet together at the same place. However, it is important to make sure the collaborative technology is robust and the participants are competent and confident in its use.

A factor in deciding the frequency of exercises is the duration of the exercise. In our experience most organisations cannot afford a full day for a Business Continuity exercise and a half-day exercise is now the norm. A few organisations are making use of conferencing technology to reduce the disruption of an exercise on daily operations by running a Business Continuity exercise over a number of days with participants committing an hour or less of their time each day. This can provide a real-time experience of a scenario that unfolds over a number of days.

So how often should Business Continuity Plans be tested?

The chart below shows the percentages of the organisations surveyed that run Business Continuity exercises at different frequencies.

[Chart: Respondents’ frequency of running Business Continuity exercises]

Over half the respondents (55%) run a Business Continuity exercise once a year and an admirable proportion (15%) manage to run exercises twice a year. Worryingly, one in five organisations have yet to test their plans with a Business Continuity exercise.

Types of Business Continuity exercises

There are, of course, different types of Business Continuity exercises. They range from reading through the exercise plan collectively (of limited value) to a full-blown simulation of a potentially catastrophic event (where this use of often very expensive resources needs to be justifiable). In our experience, what works best for most clients are exercises that focus on decision-making in realistic and challenging scenarios with a limited and controlled amount of role-play. The purpose of a Business Continuity exercise is to test the plan and rehearse participants by providing them with some experience of the decision-making required of their Business Continuity roles, rather than assessing the dramatic talents of the participants.

There are also Call Cascade (i.e. communication) tests, which should be easy to plan and run with direct benefits - e.g. checking the process works, checking the methods of delivery work, and confirming you have the right contact details for all staff - especially those who have an important role to play. They’re also easy to measure in terms of success. If the organisation’s Business Continuity Plan is robust, it should be possible to run a call cascade at short or no notice, with relatively little planning except to ensure there is a robust method of capturing the results. Best done out of hours for best effect!

Another decision is at what level the exercise should be pitched. Some exercises will test the major incident plan, sometimes called the crisis management plan. These will involve senior managers making decisions at the outset of the event, where the focus is on the safety of employees and the public and communications with the press and stakeholders, including managing social media. Other Business Continuity exercises will focus on testing how the organisation can maintain its essential processes with reduced resources. In some cases a well-designed exercise can accommodate both the management of a major incident and the continuation of the business, with all participants actively engaged.

Effective Business Continuity exercises checklist 

We have identified the following Critical Success Factors for successful Business Continuity exercises. The adoption of most, if not all, of these factors will greatly enhance the quality of the exercise and the active participation of team members, and deliver real benefits to the organisation.

  • The exercise needs to be engaging so that participants are motivated to continue. While the experience can be stressful or full of challenges it should also have an element of fun.
  • The exercises need to be realistic in terms of what most participants believe will happen and agree with the probable impact of events.
  • There should be sufficient preparation - a new Business Continuity exercise can take 10 hours or more preparation for every hour that the exercise runs.
  • There should be sufficient facilities, with a room of an appropriate size for facilitation, ideally away from the normal workplace. Refreshments should be provided as a minor thank you for the participants’ time and effort.
  • Almost all members of the designated team or their deputies should attend. Some absences may reflect the position at a real crisis event, but poor attendance will reduce the value of the exercise and may be regarded as a waste of management time. However, all deputies should also have the opportunity to rehearse their Business Continuity roles in an exercise.
  • It is important to set expectations that the Business Continuity exercise will succeed – failure can create anxiety, which could negatively impact participants’ desire to take part. However, there should be an understanding by all participants that gaps and shortcomings will be identified. Indeed, there should be an expectation that this will happen as part of normal exercising in the name of continuous improvement.
  • A Business Continuity exercise is a safe environment to try out new ideas, and creativity should be encouraged – stepping outside of the current documented plans and procedures if necessary.
  • In facilitating the team dynamics and interaction of the exercise, individual members should not be permitted to bully or push their own agenda and views on others. All members of the team should feel they are able to contribute.
  • There should be a dynamic atmosphere for the exercise. This means scheduling role-players, providing new information, assessing the impact of changes on the event, providing results from previous decisions, etc. on a continuing basis (every few minutes), particularly in the first hour of a major Business Continuity exercise.
  • A senior executive should act as champion and thank the crisis response team for their dedication and efforts.
  • There should be ample time for an initial ‘hot debrief’ at the end of the exercise session. There should also be a Post Exercise Report written reflecting the lessons learned with recommendations on how the Business Continuity Plans should be revised.

Of course, real incidents will occur and it is important that a full Post Incident Review is conducted and the lessons learned are incorporated into revised Business Continuity Plans.

 


John Eary is Director of JEC Professional Services Ltd., which advises organisations in all aspects of Business Continuity and new ways of working. John has a strong track record in devising and facilitating exercises in Crisis Management and Business Continuity.

Julie Goddard has many years’ experience of implementing Business Continuity in a variety of organisations in the private and public sectors. She also has significant practical experience in managing live incidents.


