Tuesday, 17 March 2015

Why testing and exercising are essential for an effective businesscontinuity programme?

Do you like being taken out of your comfort zone? Having some of your professional weaknesses highlighted and reported on? Finding out that your organisation isn’t perhaps as well-prepared for a disruption as you’d hoped? No??...I didn’t think so. I suppose the idea of taking part in an exercise presents all of the above as a possibility. So why ever would you want to put yourself through it?

Because…if done right it can be a positive and valuable learning experience for the business and you!


As part of the Business Continuity Flashblog 2015 many professionals are being asked to contribute their thoughts (under the banner of #testingtimes) on the importance of testing and exercise and by this I don’t mean taking difficult exams and enduring some crazy gym sessions! I’m talking about testing your organisation’s ability to respond to major business disruptions by exercising those staff, plans and procedures. I mean seriously… how ready are they?

Important Reasons to Test and Exercise

Now, I’m sure I could go down the same route as a few others this week and provide readers with the same standard gambit on being ready, having fit for purpose plans and the potential impacts of not testing your procedures etc. So to avoid this, I will start by giving some of the most-used reasons as to why we drag departments kicking and screaming through the process (last year I wrote a blog on the challenges of undertaking exercises off the back of some recent experiences).

Testing & Exercise will:


Validate Procedures - ensuring the response and recovery plans are up to date and fit for purpose by proving that they actually work in practice!


Instil Staff Confidence – ensuring individuals are clear of their responsibility during a disruption, removing any doubts/assumptions of where they’re supposed to be and what they’re supposed to be doing.


Improve Response – bringing a response strategy to life through testing and exercise in real-time presents a great opportunity to look at how we might respond better.

You'll find countless other examples across the blogs of my peers! The bottom line is that testing and exercise is a good thing!

A Valuable Learning Curve

The last few years I've ran under the banner of 'junior professional' but when it comes to running tests and exercises I’d like to consider myself reasonably experienced now. I’ve witnessed more than I can remember either as an observer, facilitator or participant. So I thought I'd contribute to this year’s BCAW theme by giving you a few memorable examples of when the organisations have improved from testing and exercise. 

The Dangerous Assumption

An organisation of 1000 employees operating locally but across multiple satellite units and with a major site based centrally had well established business continuity plans. As it happened, ALL PLANS had made the same reference to this back-up office space on third floor of the central site.


Following a desktop exercise requiring site relocation it quickly became apparent that the business would collectively need about 150 seats at this specifically (and repeatedly) referenced location, complete with desks and network connectivity. Upon later inspection it was realised that the other site only contained 15 spare desks with no connectivity! Plan owners had simply assumed (over a period of years) and without question that the alternative site was much larger than it was and proceeded to document it within their plans as part of their wider strategy. Suffice to say the plans had to be reviewed for the inclusion of any realistic alternatives that actually exist!

Too Many Chefs Spoil the Response

A no-notice incident command exercise was arranged to test the response arrangements of an organisation that operate the widely known Bronze, Silver & Gold approach. The exercise facilitator had asked the business in advance to review their plans to ensure that their Gold, Silver or Bronze representatives were identified and documented. Following a major business disruption these representatives are required to attend a specific meeting location depending on their respective management group. Simple enough right? Wrong!


On the day that this “mock incident” was announced it transpired that more than 3 times the amount of managers and employees turned up to represent at these group meetings. Sometimes multiple managers from the same department, some managers choosing to bring with them 1 or more minute-takers and others attended simply because they followed the crowd. Utter chaos!

The exercise facilitator had already booked out 3 separate meeting rooms to accommodate the circa 12-15 people max per group. Unfortunately over 120 employees across the 3 groups attended. It required the facilitator to urgently set up a mirrored exercise for the “spares” to undertake the same event!

The point is, had this have been a real incident we would have had so many folk turn up to help we would have been utterly useless. I know people will tell me that you just send some people away and that solves the issue but the underlying message was clear. Many people did not understand their responsibility during the response which can drastically limit the organisation’s ability to respond effectively. As you would expect, the business requested that the response plans were reviewed to make it explicit about responsibility.

Fold Under Questioning – Leaders are human to!

An executive management team of a reasonably large organisation (circa 12,000 staff) have had a long standing policy within their incident response plans that the CFO would be responsible for handling the media and lead on being the voice of the organisation in the absence of the CEO. Naturally, one would imagine the confidence and competence of a CFO could quite easily handle the pressure of relentless questioning. This assumption for me was blown out of the water after watching a CFO have a complete meltdown during a court room exercise. We hired a qualified lawyer/tremendous actor as part of a mock-up courtroom session for a fake corporate manslaughter charge. The aim was to familiarise our leadership with the experience should it ever occur.


At the time I remember being quite confused that an executive with years of experience in making seriously big business decisions and often under intense pressure could fold so easily. However, it highlighted to the business that if they’re expecting the CFO to fulfil this crucial role then they really need to ensure the individual has the appropriate media training!

It's much better to realise this in a safe learning environment than send them out to the wolves unprepared! From my perspective this was a great learning experience for me and the CFO.

Summary

I whole-heartedly agree with the benefits of testing. The sheer amount of light bulb moments and positive changes it can lead to in developing an effective response is greater than you can ever imagine! The problem we have as practitioners is deriving value from the learning. Sure we can update our plans and make someone feel that little bit more comfortable about how to respond. However, in my experience once the employee has that training and realises that skillset they will either never have to use it (lucky them) OR simply assume that they always knew how to respond anyway! 

No comments:

Post a Comment