Good question. Keep in mind that we are discussing crisis management team exercises, which are very different from the full-blown IT/disaster recovery exercises that, as an industry standard, usually occur annually or semi-annually. For crisis management exercises, the goal is for executive management to be ready to spring into action. Conducting a crisis management team exercise on a quarterly basis would be ideal, but realistically, it could be conducted semi-annually.
As a dry run for this article, I presented a draft of this information during the May meeting of the Southeastern Continuity Planners Association (www.scpa.us) in Atlanta. A lively discussion followed and by the end of the session, we walked away with a refined document that listed great tips in preparing for and conducting a successful exercise. As a result, you are being presented with a vast amount of experience within these checklists.
Although these checklists are tailored for crisis management issues the majority of these tips would apply for most any tabletop exercise.
To plan a successful exercise, you must have the correct “players.” Checklist No. 1 outlines the participants that could be on your crisis management team. Obviously depending on the size of your organization, some of the roles may be combined with others, or may not even exist. From this list of participants, a leader must be chosen. This will depend upon your organization’s structure and culture. The team leader could be the president, vice president, etc.
NOTE: In most cases, “C” level management is kept informed of the situation, but usually not directly involved with the crisis management team. Again, this depends upon your organization’s structure.
Checklist No. 1
IT (data security, network, telecommunications)
Business continuity/disaster recovery coordinator
Other: Vendors, key suppliers, customers/users, field personnel, internal auditor, emergency management personnel, etc.
Checklist No. 2 lists the various items you need during the exercise. You definitely want copies of the plan brought to the exercise. Ideally, the participants should bring their copy, but there are always a group of folks who “forget.” You want to ensure the plan is referenced throughout the exercise to ensure it is current and/or maybe in need of revisions.
Most of my exercise scenarios are compiled in PowerPoint. Therefore, I bring my laptop with an LCD projector. In addition, I have learned to bring a backup of the presentation on a separate medium. A laser pointer is also very useful. Depending on the size of your presentation screen, you might be increasing your exercise regiment for the day.
Ensure your exercise is conducted from either the primary or alternate command center. This allows you the opportunity to test the teleconference lines, phones with multiple functions, extra LAN lines, etc. It’s better now than during a true crisis event.
All other items on the checklist should be self-explanatory.
Checklist No. 2
Crisis management plan (bring extras)
Presentation on alternate media (CD, diskette, thumb drive, 3x5 cards, etc.)
Teleconference lines (pre-established with sufficient number of ports)
Multiple phones with speakerphone and multi-lines
S ufficient power ports, LAN connections, etc.
pdated emergency contact cards
and-outs (organizational charts/responsibilities, etc.)
ame tents (name/title/team) and/or name badges
Large Post-It pad and/or white board
Props (i.e., envelopes or a box containing numerical hours/days that can be picked randomly to indicate the recovery of equipment, arrival of personnel, etc.)
Forms: problems/issues forms, post-exercise critique forms, etc.
Prior to the Exercise
You may want to revise the order of various items listed within checklist No. 3. These are only suggestions. Some of the items to address are the development/approval of the scope and objectives for the exercise. Also, it would be a good idea to partner with the various executive secretaries to determine an available date/time of the executives for the exercise. Another important item is to determine whether the exercise will be announced or unannounced. As explained earlier, your first few exercises should be announced.
One thing I have learned over the years is that food is an important factor for a successful exercise. If the exercise is a half-day session, you may want to start off with a continental breakfast with coffee, tea, juice, etc. You may want to end it with an informal box lunch. Providing this type of setting allows the team members to discuss the exercise in a de-stressed manner. As a result, more information might be revealed.
Checklist No. 3
One Month ‘Plus’ Prior:
Define scope and objective
Obtain management commitment
Determine a date/time, location, participants, and budget
NOTE: Best to conduct exercise off-site (ie, avoid interruptions, answering e-mails and/or voicemails during breaks, etc.)
Reserve location of exercise site
Schedule with “other” participants (i.e., customers, vendors, etc.)
If appropriate and approved, order participant gifts
Distribute the crisis management plan for updates
Announced vs. unannounced
Send announcement, if appropriate
Two Weeks Prior:
Confirm scenarios with management liaison and/or team leader
Request everyone update their contact information
Finalize and distributed updated crisis management plan
One Week Prior:
Coaching session with team leader
Send a reminder to all participants
If they unexpectedly are unable to make it to the exercise, request that they send their alternate
Verify the set-up of the exercise room
Ensure all equipment (LCD, LAN connections, speaker phone, videoconference, etc.) is available and in working condition
Ask communications to publish an article regarding the exercise
Make arrangements for food and beverages (continental breakfast; lunch if between the 11 a.m. and 2 p.m. timeframe; and/or snacks/beverages for an afternoon session)
NOTE: Remember the vegetarians and/or other specialty requirements
Confirm all equipment is available and working (including markers)
Send a reminder to all participants.
Once again, if they unexpectedly are unable to make it to the exercise, request they send their alternate.
Create name tents and/or name badges, as well as print all handouts
Arrive at least one hour in advance to test equipment, re-arrange room (if necessary), set up names tents, notepads, pencils, hand-out packets, etc.
Replenish supplies and keep in a bag/box in a locked area.
Building a Scenario
Checklist No. 4 is my personal favorite and the most time consuming. You will want to ensure that the scenario could realistically happen within your environment. If your scenario has men landing from Mars, you will most likely lose the participants’ interest for the remainder of the exercise.
Review past disaster (or near disaster) events that have impacted your industry (i.e., financial, medical, utility, etc.). Then customize the scenario to your site. Incorporate visual aids such as maps, photos, audio clipart, etc. One item I incorporate into my exercise scenarios is a large “I” or “A” in the upper right corner of each page. This indicates to the participants whether the information they are about to hear is either “informational” or “action” on their part is about to happen.
Checklist No. 4
Building a Scenario:
Develop similar to a movie script (make it as realistic as possible)
Research the Internet, news, product recall incidents; consider local versus regional disasters, interview local emergency management personnel, etc.
Make the scenario industry specific
Involve a major upcoming event
Incorporate field personnel via phone
Photos/maps/audio clipart (i.e., telephone with ringer, stopwatch with ticking sound, counter with dollar amount that keeps escalating throughout the exercise reflecting the current monetary loss, etc.)
May want to incorporate local emergency management personnel into the exercise (they would love the opportunity)
Ensure all business areas are affected
Timeline the scenario to meet real-time reactions (four-day scenario played in four hours)
Employees’ injuries, deaths, communication issues, hardware/software issues, shifts, food, expose known and unknown vulnerabilities, etc.
Conducting an Exercise/Post-Exercise
Prior to presenting the scenario, you will want to address housekeeping issues and ground rules as indicated within checklist No. 5. One key item to highlight for the participants is to “accept the scenario.” Lots of time and frustration will be saved as a result.
Throughout the session, you will want to use the whiteboard to record action items identified during the exercise. This strategy will provide you with an efficient re-cap at the end, as well as provide an opportunity to identify owners for the various action items.
As outlined in checklist No. 6, explain to the participants they will receive the minutes as well as a bi-weekly action item report until the action items are resolved.
Then distribute a souvenir to commemorate the exercise. Take time to ensure the souvenir is unique. As a conversation piece, it can promote future participation from existing and potential team members. In addition, you may want to post an article and/or photos of the exercise on the organization’s Intranet site. This is a great strategy to provide awareness of the business continuity program.
And finally, revise the plan to reflect any changes resulting from the exercise.
Checklist No. 5
Conducting an Exercise:
Review evacuation route/assembly points for facility
Remind to silence cell phones/pagers
Review the objective/scope
Exercise vs. test; learning experience in “safe” environment/interact with all participants
Accept the scenario(s)
Time limit (scenario, response, etc.)
Team leader to act as “umpire,” if necessary
Identify owners/deadlines for action items
Checklist No. 6
Review and compile the surveys
Compile and distribute minutes
Report on progress of action items on bi-weekly basis until resolved
Revise crisis management plan accordingly
Post related photos/an article on the Intranet site
Participant gift suggestions: plaques, certificates, caps, pens, movie tickets, T-shirts, mugs, cards, mini-flashlights … all with a “preparedness” theme
As stated at the beginning of this article, many experienced practitioners reviewed and contributed to these various checklists. However, we are in an industry that constantly seeks to improve. If you have any items you would like to add and/or to provide comments, please feel free to contact me. Hopefully, you found this information useful.
Roberta “Robbie” L. Atabaigi, CBCP, is a senior associate in the risk advisory services practice of KPMG LLP. She has more than 18 years of experience in developing and evaluating enterprise risk management, including emergency preparedness and response, crisis management, disaster recovery, and business continuity for prominent international companies. Atabaigi is member of the DRJ Editorial Advisory Board and a certified member of the Community Emergency Response Team in Cobb County, Ga.