Tips for improving your approach to business continuity exercises

Jul 15, 2022

For many organisations, a business continuity exercise is seen as a necessary evil rather than something that is regularly embraced as a way of improving your team’s capabilities. Here, Andy Osborne offers three tips for improving your BC exercising strategy.

Practice makes permanent

Most people are familiar with the phrase ‘practice makes perfect’.

Practice (which in a business continuity context largely means exercising, rehearsing or testing) embeds activities and eventually, through repeated practice, makes them second nature. With sufficient practice we can reach a point where, in response to the appropriate trigger, we’ll automatically carry out the activity, exactly as we learned it, without having to think too much about it.

Imagine a golfer who spends hours on the driving range practising his tee shots, so that when he gets out on the course he can execute the shot consistently, without having to think about every aspect of it. So far so good.

However, the phrase ‘practice makes perfect’ is misleading. Because it isn’t strictly true.

Practice doesn’t necessarily make perfect – what it does make is permanent. Which means that if we practise the wrong things they can also become embedded. The result is the same in one respect – we become able to consistently carry out the activity without thinking about it. The trouble is that we can consistently do it wrong!

Back to our golfer. Now imagine that he isn’t actually very good and has a tendency to slice his drives (the bane of many a high handicapper). Unless he takes some professional advice to correct the problem, the only thing that all of that practice is likely to achieve is the ability to consistently slice the ball, time after time. Not exactly the desired result!

So make sure you practise regularly, but do make sure you practise the right things. Because if people are rehearsing the wrong responses or embedding incorrect assumptions, that practice might actually be doing more harm than good.

All in good time?

These days, most organisations that ‘do’ business continuity understand the importance of exercising and testing. Many have comprehensive exercising and testing programmes, which include crisis/incident management exercises, IT recovery tests and user relocation tests, among others.

It’s not unusual for IT recovery testing to be done out of hours, in order to minimise any risk or impact to the business. The same is sometimes true of user relocation testing. But crisis or incident management exercises are almost always conducted during office hours.

The main reason is that exercising during office hours is more convenient, both for the participants and the facilitators, and there’s usually (although not always) more chance of getting the key players to attend.

But exercising during the working day also has some distinct disadvantages. It doesn’t, for instance, simulate in any meaningful way a situation where those key players have to deal with a major issue when they’re already tired after a busy day’s work. It doesn’t test out-of-hours access to facilities or people. And out of hours is precisely when small incidents have a nasty habit of turning into bigger incidents, usually exacerbated by the fact that the right people aren’t around to nip them in the bud.

Organisations with a mature crisis/incident management exercising programme should give serious consideration to carrying out the occasional out-of-hours exercise. This may be a little unpopular at first, until participants get the point, so rather than going the whole hog and starting your next exercise at 2am on a Sunday, perhaps a 7pm start on a weekday would be slightly more palatable.

There may be some moans and groans at first, but these are likely to be far outweighed by the resulting improvements to your crisis/incident management capability.

An exercise is an exercise is an exercise – isn’t it?

Many organisations exercise their crisis/incident management and business continuity teams and their associated plans by conducting scenario-based exercises. Which is a very good thing to do. Scenario-based exercises can help to clarify roles and responsibilities, provide a means of rehearsing activities, exercise participants, challenge and validate assumptions and test processes and plans, among other things. In short, they help to develop the participants’ capability. What’s more, they help to tick a box for an auditor or regulator.

But not all exercises are the same. In fact, there are many ways to conduct a scenario-based exercise. At one end of the scale there’s the humble tabletop exercise, which is usually fairly low key and generally involves a discussion of the issues and associated activities that might arise. At the other end there’s the all-singing, all-dancing, highly realistic, high-pressure, full-on role play, with actors and journalists and news reports and goodness knows what else. And between the two extremes there’s a raft of facilitation methods to suit all tastes and budgets.

All of them have value, if they’re done effectively and at the appropriate times vis-à-vis the maturity of the business continuity programme and the team(s) involved.

But let’s not kid ourselves that sitting around a table having a nice cosy chat about the issues is going to fully prepare the crisis or incident management team in the way that a full-blown rehearsal will. And let’s not kid ourselves that conducting an exercise (whichever end of the spectrum it falls on), that lasts an hour or two, once every couple of years, and which half of the team members are unable to attend, is going to hone the teams’ capability to razor sharpness.

If all we want is a tick in a box, then a nice easy exercise every now and then will probably achieve that. But a tick in a box is not the same as a capability. If it’s a capability that we’re after, we need to develop an ongoing programme that a) involves all of the key players and b) raises the bar with each subsequent exercise.

To misquote George Orwell, ‘all exercises are equal – but some are more equal than others’.


This article was originally published on Continuity Central. The author, Andy Osborne, is Consultancy Director (business continuity, risk & crisis management) at Acumen.
