Recently I was having a discus- sion with a fellow crisis manage- ment and business continuity profes- sional regarding the challenges that organizations face with respect to testing plans. Testing BC/DR, crisis management or any response plan, and personnel is often low down on the list of "things to do." However, with recent crises such as the Mexican Gulf oil disas- ter, will we see a shift in the way that corpo- rations test their plans? Here are the details of my discussion with Jonathan Bernstein of Bernstein Crisis Management.
Bernstein: In my experience, a lot of organizations create crisis and business continuity plans of various types but then never test them. Why is that?
Burton: It really varies from one industry to the next but generally an orga- nization believes that if they have a plan, they are prepared for a crisis and that the "box" has been checked. We initially observed this problem with the maritime sector after 9/11 when vessels, ports and port facilities were required to develop security plans to comply with a new mari- time security federal regulation. Upon approval by the USCG certain vessels, port facilities, and ports were required to conduct an annual exercise, but the owners of the plans (the ports and termi-nal operators) didn't believe that it was a real necessity even though the regulation required it. This was mainly due to poor training and a lack of ownership from most terminal operators. It was a few years before they really started to conduct these tests. The marine industry in my opinion is still very short of best practice in terms of really testing their ability to respond to crises.
So, where an industry is required (regulated or publicly traded companies) to have a response plan (be it a BC/DR, crisis, emergency, or security) it is easy for the entity to hire a consultant or write the plan internally and place it on the shelf to gather dust. The plan is never complete without testing it from a number of direc- tions to ensure it is put "through the mill," and even then these programs should con- tinue to mature. Maturity comes with reg- ular testing, and it is extremely important as an environment may change, a proce- dure or plan may get updated, or personnel may get replaced. Continually assessing risk is essential.
I will finish this question with the word "ownership." Organizations that evaluate their employees BC/DR or crisis respon- sibilities on their annual report cards will see better results in all areas of the pre- paredness process. As an employee, if I'm taking on the important role (ownership) of a BC/DR or crisis management process, then I would like to be credited for it. It also works both ways if something goes wrong. The system has failed and some- one might be fired. Where organizations have dedicated teams for preparedness, this not the case. However, for many other organizations it's often a role that is given to employees as an add-on to their existing responsibilities.
Bernstein: If you have a multi- location business, how can you engage all the members of your crisis response teams in a simulation exercise without incurring a huge expense?
Burton: It can be difficult because you use the word "engage." Do we really engage during a conference call or an online power point preparation that some would classify as a table-top exercise? I will let your readers answer that one the next time they are sat twiddling their thumbs during such events. So, to get buy-in and be successful for these types of events you first need an interactive Internet tool that is secure, scalable, and easy to use. Multiple locations may also mean testing partners and other stakehold- ers to ensure they are prepared to meet the needs during the time of a crisis. Take BP for example. They are now offering employee bonuses based on safety results. In our opinion there are five main compo- nents that an evaluation tool must have:
- Communications and collaboration – During the exercise design, the delivery, and after the exercise it is critical that teams can easily communicate and collaborate. A good communication tool should always be backed up by a second, and where possible, a third. These tools should give the participants a few options to be able to collaborate so IM chat, video conferencing, and e-mail are all good to have. We find that keeping people engaged by video conferencing is something that works extremely well and with today's technology is cost effective and easily achievable.
- Situation awareness – During an exercise it's important that the tool provides a synopsis of current exercise activities which is what we call the situation awareness dashboard. This should be easily accessible and provide a 1,000-foot view of what's happened and what the current state of play is. This is very important especially for regulators, senior management, board members, and any other observers who only have a few minutes to check in and see how the exercise is progressing. GANTT charts and widgets provide real time information on critical activities such as facility, data center, and other key recovery activities.
- Easy to use and easy to follow – The tool has to be easy to use at the front end (much like a simple website) or you will run the risk of losing your constituents before the exercise even starts. Once a team has coordinated a response to a scenario, the tool should aggregate the content and accept various types of data and media including audio, video, and various documents. The gathering of responses in these various formats allows for better record keeping and evaluation, which leads to continual improvement.
- Immediate results – The tool should enable an organization to get immediate feedback from the exercise. This can be done in a number of ways depending on the evaluation criteria and scoring methodology. Immediate results support plausible deniability when an organization is faced with identifying to a regulator or internal management that a team is prepared for an incident. This is also good for preparing for those last-minute operations where a team needs to get a quick evaluation of its readiness.
- Training – It's vital that teams are provided with the basic information regarding the plan and their roles. Having access to training on a regular basis can only be achieved cost effectively in an eLearning format, especially when it comes to organizations that are dispersed across a city, region, or the globe. Having a training component built into a crisis management and business continuity evaluation tool provides standardized training that can be easily modified, updated and shared with the local, regional and global teams and partners.
Bernstein: I think a lot of C-suite executives are somewhat technophobic. Do you know any tricks for getting them comfortable with using any of the web- based tools for crisis management?
Burton: We are seeing a shift due to easy-to-use social media sites such as LinkedIn, Facebook, and Twitter and also the fact that younger executives are now entering the C-suite. Easy to use is key. Will an organization purchase a tool that is difficult to use and time consuming due to technical training requirements? So, easy- to-use and no technical training but with all the bells and whistles is what you want.
Bernstein: How often does an organization need to run simulations in order to truly be ready for a breaking crisis?
Burton: It depends on a number of specifics, but the general rule of thumb is that the plan should be tested when a key procedure or other major part of the plan changes, when personnel that might be impacted by the plan change, when new personnel join a team, when a regulatory body requires it, when an incident has occurred that may have require changes, and as often as it's determined in the organization's policies and procedures. A policy for exercise regularity should be written based on an assessment of the pro- gram. Generally an organization should conduct more exercises in the first three years of a new plan to ensure all the kinks are ironed out and then reduce the amount after that point. If an organization is con- tinually responding to incidents, then the plan will be indirectly tested which may reduce the requirement to run regular exercises.
Bernstein: What do you say to organizations that do horribly on their first exercise?
Burton: "Rome wasn't built in a day." No, seriously, testing a plan for the first time always has the potential for something to go wrong. However, what I will say is that if you have built up to the first simulation exercise with training personnel on their roles and run through a number of potential scenarios in meet- ings, then you should be at least prepared to respond in a coordinated and efficient manner. Working through a problem for the first time with new plans and personnel will be a learning experience for all and ultimately lead to more successful exer- cises in the future. Organizations should focus on an exercise program where they have a goal to conduct a certain amount over a period of time to ensure any gaps are filled.
Jonathan L. Bernstein, president of Bernstein Crisis Management, Inc. has more than 25 years of experience meeting clients' needs in all aspects of crisis man- agement – crisis response, vulnerability assessment, planning, training, and simulations.
Robert A. Burton is a principal of Blue Water Partners Global, where he special- izes in crisis and security management and business continuity. Burton assists all sizes of organizations in assessing risk, plan development, training program design, the testing of plans and personnel and integrated software solutions.