DRJ's Fall 2018

Conference & Exhibit

Attend The #1 BC/DR Event!

Summer Journal

Volume 31, Issue 2

Full Contents Now Available!

Many of my colleagues have expressed anxiety over exercising their business continuity and emergency preparedness plans. According to a 2009 report titled, “International Business Continuity Program Management Benchmarking Report -- An Exclusive Board Review” only 33 percent of companies with mature business continuity programs conduct regular exercises to test their plans.

Over the last nine years, I have been involved in countless drills, tabletop, functional, and full-scale exercises. I have played all the roles of an exercise: designer, observer, evaluator, participant, and facilitator. After all of this, I’ve learned the secret to exercising business continuity plans is to “keep it simple” and “keep doing it.”

At John Deere, we have implemented business continuity plans at more than 110 business units around the globe. These units conduct annual exercises to test their plans using the simple design and delivery methodology described in this article.

Eight simple steps to exercise design and delivery:

  1. Identify the section(s) of your plan to test (exercise) and the exercise participants
  2. Identify the exercise planning team
  3. Identify the exercise objectives
  4. Create the exercise scenario and progressive exercise events
  5. Create an evaluation checklist
  6. Select staff to fulfill exercise roles (participants, observer, evaluator, facilitator)
  7. Schedule a pre-exercise orientation meeting
  8. Perform a post-exercise review

Identify the section(s) of your plan to test (exercise) and the exercise participants

If this is your first test of the business continuity plan, don’t attempt to test the entire plan in one exercise. Instead, identify one or two sections of your plan and create the exercise to test these areas. You may find more value in conducting a series of exercises over time, rather than one huge exercise with either too few or too many participants.

Once you have identified the sections of your plan to test, decide who should serve as exercise participants. Exercise participants are usually the people responsible for executing a particular portion of a plan. Participants may also be management staff members who are responsible for being familiar with a particular portion of a plan.

The advantage to pre-identifying the exercise participants and the section(s) of the plan to test is in knowing your audience and limiting the scope. As your organization becomes more comfortable with the practice of exercise testing, you may begin to design complex exercises that cover your entire plan and organization.

IMPORTANT: You are testing the plan, not the people. This means that you are training others on the plan, involving them in identifying gaps and solving for these gaps. It is important that you communicate this openly to your exercise participants ahead of time and reiterate it during the exercise; otherwise, participants may become frustrated and avoid the experience in the future.

Identify the exercise planning team

Don’t do it alone! Assemble a small group of people who understand the area of the business or process that is being tested but who are not necessarily responsible for execution. This is a key step, because you don’t want any of the exercise participants to serve as members of your planning team. I also recommend having at least one key member of management to serve on the planning team to increase the credibility of your efforts.

Identify the exercise objectives

First, have everyone on your planning team review the section(s) of the plan that will be tested. Again, if you or your organization is new to exercise testing, do not attempt to create more than three to five objectives for the exercise. Remember, keep it simple! It is important these objectives be measureable or observable during the exercise.

Some examples of exercise objectives might include:

  • Validating the sequence of tasks in a workaround procedure
  • Ensuring a communications plan is valid and up-to-date
  • Familiarizing management with their roles and responsibilities
  • Testing employee awareness
  • Validate recovery time objectives

Larger, more complex exercises can be designed to test the entire plan and may include a set of core goals and objectives which are validated by the successful completion of measureable tasks and activities.

deere.jpgCreate the exercise scenario and progressive exercise events

An exercise scenario can be simple or it can be complex. It can involve a long narrative or a very short description. The scenario might simply be a building fire or a series of events following a severe weather event. In any case, the scenario should make it possible to test the section of the plan you’ve identified and achieve the objectives developed by the exercise planning team.

Think about the following criteria when creating the scenario: Is the scenario credible? Are participants likely to believe it to be possible? Is it achievable? Is it possible to achieve a positive outcome? Is it simple? Does it include any confusing technical jargon that your audience won’t understand? Will it challenge the participants’ knowledge and the plan? Is the solution too simple? Are the participants the proper audience for this scenario?

Consider using a past event that either interrupted your business or had the potential to cause an interruption. As a global enterprise with business units located in more than 30 countries, John Deere business units experience a variety of threats that have the potential to impact operations and cause business interruptions. We encourage our units to share lessons learned and create exercises for other units to test against based on these real scenarios.

Another suggestion is to review your risk analysis and choose one of the most probable and likely events to impact your business. In this case, it is important that your risk analysis have rankings and that those rankings are agreeable to everyone involved. Another option would be to create a scenario that will highlight a known deficiency. The strategy here is to lead others to the point where they realize the deficiency on their own.

When developing the scenario, it is a good idea to use actual locations that participants will recognize, and use the name of the local media or fire department and/or city. This will help with the credibility of the scenario.

After the scenario is created, you will need to give exercise participants additional information during the exercise to drive the discussion and further test the plan. These should be timed well and intermittently provided to exercise participants throughout the exercise and lead to a logical conclusion.

10:05 a.m. The building fire alarm was activated.

10:15 a.m. The fire emergency response team reports a fire in the server room.

10:20 a.m. A department manager reports that one of their team members has not been accounted for and may still be in the building.

These exercise discussion points can be delivered to participants in a variety of methods. For instance, you may require everyone to bring their computers to the exercise and deliver discussion points via one or more of the participants’ e-mail addresses. You may have a member of the planning team deliver a fax containing an exercise discussion point. Or, the facilitator may just verbally add these points to the discussion. Whatever you choose, make it fit your audience, and if possible, make it fun!

Create an evaluation checklist

Okay, so far you’ve identified a section of your plan to test, and you’ve identified some viable objectives to be measured during the exercise. In order to ensure these objectives are measured properly, a checklist can be developed and used during the exercise to track and report whether objectives were achieved or not achieved.

The checklist should include the name of the person evaluating the exercise, the objective they are evaluating, the performance criteria, and a section for evaluator comments and notes. A good evaluation can help your organization:

  • Determine whether plans include necessary steps for successful execution
  • Highlight gaps
  • Identify deficiencies in training and awareness
  • Identify equipment shortfalls
  • Stress the need for executive support and/or input
  • Underline the need for continued maintenance and exercising

Select staff to fulfill exercise roles

There are four basic roles during an exercise: participant, observer, evaluator, and facilitator. Each role is important and requires some pre-planning, education, and training.

Participant: typically are responsible for execution of a particular section of the plan. They are not required to participate in the development of the exercise plan. In fact, I recommend against it.

Observer: can be anyone in the organization with a basic understanding of the business, process, or plan. This person is responsible for staying engaged during the exercise and offering very constructive criticism on any part of the exercise.

Evaluator: responsible for evaluating the exercise and using the evaluator checklist provided. They may be responsible for observing whether one or more objectives are achieved during the exercise.

Facilitator: responsible for managing the exercise, communicating to exercise participants, providing additional information to keep the discussion moving forward progressively, conducting the post exercise review, and completing the final exercise report.

Schedule a pre-exercise orientation meeting

During the pre-exercise orientation meeting, explain the roles of the exercise participants, observers, and evaluators and give them an opportunity to ask questions. Provide everyone with the exercise agenda, location, and any additional instructions.

Most importantly, explain the exercise ground rules. Exercise ground rules:

  • We are testing the plan, not you
  • Reference the plan and think of the exercise as training
  • Keep an open dialogue
  • Respect others
  • No finger pointing
  • Do not expect resolution of all problems
  • Have fun!

Of course, you may add to this list, but these should help to ease some anxiety in your exercise participants.

Perform a post-exercise review

The post exercise review is one of the most important steps when delivering an exercise. It is at this meeting where you will document and discuss the observed strengths, weaknesses, and priorities for improvements. This meeting can either occur directly following the exercise, but I recommend scheduling it a day or two after the exercise. This will give everyone time to record and polish their feedback.

At the conclusion of the exercise, it is a good idea to provide exercise participants, observers, and evaluators with a feedback form to document (1) what they thought went well or was a positive strength of the plan or exercise, (2) what they considered a weakness of either the plan or the exercise, and then lastly (3) to document their recommendation for solving any gaps or weaknesses.

By allowing exercise participants a day or two to reflect on the exercise, you are likely to obtain more quality feedback. Consider inviting management to observe the post exercise review. This will raise their awareness and offer them an opportunity to champion improvements. After the discussion, request a copy of their feedback form and use the notes from the discussion along with their documented feedback to create a post-exercise report.

The post-exercise report summarizes the strengths and weaknesses discovered during the exercise and prioritizes recommendations for improvement. I have seen some post-exercise reports which actually contain a list of tasks, along with the person assigned the task and the target date for completion.

If done properly and in the right environment, the post exercise report can lead to improved executive support and additional resources to support business continuity and emergency preparedness at your organization.

Additional tips for the exercise

  • At first, keep exercises brief (no more than four hours) then increase the complexity and duration of exercises as your organization’s comfort level improves
  • Prepare the room in advance of the exercise
  • Provide refreshments and plenty of breaks
  • Capture the moment (take pictures and write an article for the company newsletter)
  • Keep the pace of the exercise (crawl, walk, run)
  • Keep track of time and stay on schedule
  • Allow participants to guide the direction of the discussion, but don’t let them get off track
  • Flag key points made by exercise participants
  • Make it fun!

C.J. Howard, CBCP, CEM, has more than nine years of industry experience. He currently serves as the business continuity team leader for John Deere, located in Moline, Ill.