You have written your plan in preparation to respond to an incident. Do you…
a. File it away on the server to gather ‘dust’ in the hope that you never need it.
b. Create a training programme to exercise your procedures regularly.
Read on to find out why exercising your plans and procedures is invaluable.
The most common of the Business Continuity Institutes six Professional Practices that are often overlooked are empowering and validation. Both are key to ensuring your processes actually work.
Signing off plans before being put through their paces is an easy mistake to make and a common one too. Walking and talking through the plans with the response team against a realistic scenario will help to highlight any unworkable or ambiguous elements within the documentation.
Exercise styles that can be used to validate your plans
- Tabletop exercise (TTX). This is usually a discussion-based exercise to talk through how the team would react and respond to a particular scenario.
- Simulated Exercise (SIMEX). This offers more activity with the team actively operating within the response rooms and communicating with role players working within a scripted scenario.
- Major Exercise. This adds to the realism by involving outside agencies such as the emergency services, partners and suppliers, plus role players to help understand how each team responds, coordinates and communicates to the different audiences.
Regular exercises offer the opportunity to rehearse roles and responsibilities within the response teams so they can be prepared, capable and confident of managing an actual incident should it occur.
It is important to note that all exercises should be viewed as being a ‘safe space’. It is okay to make mistakes. It is a learning opportunity designed to build confidence with designated steps in line with the organisation’s plans so that the whole team can be prepared to handle any incident.
Exercises, whether they be a short tabletop to lengthier and more sophisticated SIMEXs, should be planned at regular intervals throughout the year and should cover a mix of scenarios. What are the types of scenarios that keep you awake at night or are at the top of your Risk Register? Practice them.
It is always good practice to bring in a third party to facilitate and deliver exercises. This decreases the risk of bias and allows all members of the response team to take part rather than the in-house lead being unavailable to join the team because they are running the exercise. Plus, the third party can look from the outside in and can sometimes identify gaps that you may not be able to see internally. They also have the luxury of seeing many different organisations go through the same process and can offer advice on good and bad practices.
Exercising also helps determine training needs within the response teams. Responding to incidents is not usually someone’s day job, and therefore, it is important to provide support to those enlisted as part of the resilience teams, including the backup teams.
At your next meeting, ask who would have been able to come in to support your organisation if an incident had happened last weekend. The immediate response may be covered by an on-call team, but what about the second shift? It can often be a varied and interesting reaction!
After every exercise, there will always be some elements that require improvement. It is important to make sure these are recorded and included in a Post Exercise Report (PXR), which can then be incorporated into the next version of your plan. Once lessons are identified, an action plan should be drafted so that each element is assigned to an employee to be completed before the next exercise or to a specific deadline. Good practice should also be acknowledged as each team member builds on their previous performance. Positive feedback paired with constructive criticism will enable your group to work better as a team and gain valuable experience.
- Have you validated your emergency response and business continuity plans in the last six months?
- Have you identified the training needs for individuals for their response roles and responsibilities and the team as a whole?
- What level of exercises are you planning, and have you scheduled time into the response team’s diaries over the next 12 months?
- Do you need support to help develop and deliver exercises so that the full response team can participate?
Inverroy can help devise and deliver training and exercises across industry sectors. If you would like to know more, please contact us at email@example.com