Business continuity: Practice makes perfect
A high-rise commercial tower engulfed in flames is successfully evacuated. A firefighter rescues a trapped child in a collapsed building. Occupants of a capsized sailboat are rescued from a stormy sea. A doctor saves a life with an emergency tracheotomy. Lance Armstrong wins the Tour de France – again.
The success of these events depended heavily on perfecting technique, skill and ability through determined and arduous practice. Yet how many public sector organizations are prepared for a significant disruption?
The private and public sector consumes billions of dollars worth of services and products for which we have little assurance of continued supply. But most service and product providers have never practiced how they would manage through an emergency of considerable magnitude. To attain business excellence and reliability, continuity and recovery plans must be thoroughly exercised and tested.
When I teach business continuity (BC) I often hear, “Exercising is good in theory but we don’t understand where to start, what constitutes a good exercise and, worst of all, exercises require a lot of effort.”
The plan is in place but we get to the point where we run out of steam – not just as individuals but also as organizations. There is no desire to go further and that is the precise point at which we falter.
Exercising the business continuity plan is essentially a three-step process: planning, managing and evaluating. The secret to an effective exercise program is to start with the most simple practices and build your technique, skill and ability with subsequently more complex scenarios.
Prepare a 12-month exercise program. Start with a simple plan review session and build to a small simulation using command and control concepts as well as the emergency operations centre environment. The following guidelines are for a tabletop exercise:
· Who will be involved: design team, plan holders, employees, senior management, vendors, others?
· What are the objectives and scope of the exercise: validate plans, EOC, crisis communications, command and control, recovery capability, learning opportunity?
· When will the exercise occur: avoid busy periods in the business cycle; target a maximum of two hours for your first tabletop exercise.
· Where will the exercise take place: on your premises or at a recovery site?
· How will the exercise be managed and evaluated?
Included in the planning activity is a requirement to ‘design’ the exercise by preparing a disaster scenario that will be accepted as realistic but will challenge the participants to resolve problems in the context of the BC plans. Tacked on to the scenario are issues and events that arise during the exercise timeline. These fictitious events called ‘problem sets’ or ‘injects’ are designed to challenge the participants for a resolution based on their knowledge of the business function and the contents of the BC plan.
· Conduct a short briefing session to familiarize participants with the objective and scope of this exercise. Issue any documents required, including, if appropriate, copies of BC plans.
· The exercise controller issues the scenario and permits a few minutes for review and questions.
· The exercise starts with the issuance of ‘injects’ or problems to be solved by the participants.
· The participants ‘play’ as if the event were real.
· Evaluators verify actions against a set of objectives and pre-established solutions. Participants are never evaluated – only procedures and processes.
· An immediate post exercise de-briefing session collects feedback from control teams and participants.
· The design team meets in the following days to evaluate the design and conduct of the exercise, and the BC plan.
· A report is created detailing the results and providing recommendations.
While the complete exercise process has been simplified for this article, it is possible to apply the principles to a tabletop exercise by taking each segment and adding content that is specific to your organization.
Exercising business continuity plans is serious business. However, the effectiveness of the outcomes may depend on ensuring the participants will enjoy the experience and depart the practice session with a desire to continue learning.
Brian Miller, CBCP, is president of Vanguard EMC, an Ottawa consultancy providing public and private sector clients with best practice guidance for business continuity and emergency management. Brian teaches business continuity for Disaster Recovery Institute International (DRII), DRI Canada and the Canada School of Public Service. He is immediate past chair of the Canadian Centre for Emergency Preparedness and current president of DRI Canada (email@example.com or visit www.vanguardemergency.com).