The Manager’s Guide to Business Continuity Exercises: Testing Your Plan
About this ebook
You designed your Business Continuity Plan to keep your business in business regardless of the forces of man and nature. But how do you know that the plan really works? Few companies can afford the recommended full-scale exercises several times a year. In The Manager’s Guide to Business Continuity Exercises, Jim Burtles, an internationally known expert, details the options for conducting a range of tests and exercises to keep your plan effective and up to date.
Your challenge is to maintain a good and effective plan in the face of changing circumstances and limited budgets. If your situation is like that in most companies, you really cannot depend on the results of last year’s test or exercise of the plan. People tend to forget, lose confidence, lose interest, or even be replaced by other people who were not involved in your original planning. Jim Burtles explains:
“You cannot have any real confidence in your plans and procedures until they have been fully tested…Exercises are the only way we can be sure that the people will be able to interpret the plans and procedures correctly within the requisite timeframe under difficult circumstances.”
As you do your job in this constantly shifting context, Jim Burtles helps you to:
• Differentiate between an “exercise” and a “test” and see the value of each in your BC program.
• Understand the different types of plans and identify the people who need to be involved in exercises and tests for each.
• Use the “Five-Stage Growth Path”, from desktop to walkthrough to full-scale exercise, to conduct gradual testing, educate personnel, foster capability, and build confidence.
• Create a variety of unusual scenario plot-lines that will keep up everyone’s interest.
• Identify the eight main elements in developing and delivering a successful BC exercise.
• Select and prepare a “delivery team” and a “response team” for your exercise.
• Make sure everyone understands the “rules of engagement.”
• Use the lessons learned from exercises and tests to audit, update, and maintain the plan.
You are well aware that a host of problems may crop up in any kind of company-wide project. These problems can range from basic logistics like time and place, to non-support from executives and managers, to absenteeism, to the weather, to participants forgetting their lines. Throughout the book, Burtles uses his decades of experience working with companies like yours to give you useful examples, case studies, and down-to-earth advice to help you handle the unexpected and work toward the results you are looking for.
Jim Burtles, KLJ, MMLJ, Hon FBCI
Jim Burtles KLJ, MMLJ, Hon FBCI is a well-known and respected leader within the business continuity profession. Now semi-retired and living in West London, he can look back and reflect upon the lessons learned from a wealth of experience gained in some 40 years of practice, spread across 4 continents and 24 countries. He was granted Freedom of the City of London in 1992, received a Lifetime Achievement Award in 2001, and was awarded an Honorary Fellowship by the Business Continuity Institute (BCI) in 2010. In 2005, he was granted the rank of a Knight of Grace in the Military and Hospitaller Order of St. Lazarus of Jerusalem, an ancient and charitable order which cares for those afflicted with leprosy and similar debilitating diseases. Working as an IBM field engineer, in the mid-70s he took on the role of a rescue engineer, helping customers recover their damaged systems in the wake of fires, floods, and bombings. This type of work was the beginning of what later became known as disaster recovery. During the 80s, he became an early pioneer of what was then the emerging business continuity profession. In 1994 he helped to found the Business Continuity Institute (BCI) and now serves on its Global Membership Council, representing the interests of the worldwide membership. His practical experience includes hands-on recovery work with victims of traumatic events such as explosions, earthquakes, storms, and fires. This includes technical assistance and support in 90-odd disasters, as well as advice and guidance for clients in over 200 emergency situations. Over the past 40 years, Jim Burtles has introduced more than 3,500 people into the business continuity profession through formal training programs and has provided specialist training for another 800 or so through workshops covering specific subjects or skill areas. For several years he was a regular visiting lecturer at Coventry University.
Recent published works include Coping with a Crisis: A Counselor’s Guide to the Restabilization Process, 2011, Emergency Evacuation Planning for Your Workplace: From Chaos to Life-Saving Solutions, Rothstein Publishing 2014, and Principles and Practice of Business Continuity: Tools and Techniques, 2nd Edition, Rothstein Publishing, 2016.
Book preview
The Manager’s Guide to Business Continuity Exercises - Jim Burtles, KLJ, MMLJ, Hon FBCI
The Manager’s Guide to Business Continuity Exercises:
Testing Your Plan
A Rothstein Publishing Collection eBook
Jim Burtles
KLJ, MMLJ, Hon FBCI
Kristen Noakes-Fry, abci, Editor
ISBN 978-1-944480-33-2 (PDF)
ISBN 978-1-944480-32-5 (EPUB)
203.740.7400 • 203.740.7401 fax
info@rothstein.com
www.rothstein.com
Parts of this book appeared originally in: Jim Burtles, Principles and Practice of Business Continuity: Tools and Techniques, 2nd Edition, Brookfield, CT: Rothstein Publishing, 2016; and Jim Burtles, Emergency Evacuation Planning for Your Workplace: From Chaos to Life-Saving Solutions, Brookfield, CT: Rothstein Publishing, 2014.
For more information, go to: www.rothstein.com.
COPYRIGHT ©2016, Rothstein Associates Inc.
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without express, prior permission of the Publisher.
No responsibility is assumed by the Publisher or Authors for any injury and/or damage to persons or property as a matter of product liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein.
Local laws, standards, regulations, and building codes should always be consulted first before considering any advice offered in this book.
www.rothsteinpublishing.com
Table of Contents
Cover
Title page
Copyright
Preface
Introduction
0.1 Definitions
0.2 Element Testing
0.3 Exercising
0.4 A Delivery and Service Regime
0.4.1 Distribution
0.5 Conducting Tests and Exercises
0.5.1 Testing
Chapter 1: Plans and Their Purposes
1.1 Areas of Responsibility
1.1.1 Plan Types and Responsibilities
1.2 The Plan Development Process
1.2.1 Design and Structure
1.2.1.1 Relation of Plan Type to Area of Responsibility
1.2.1.2 Purposes of the Plan Types
Chapter 2: Getting Started with Testing Your Plans
2.1 Capability and Confidence: Educating Personnel
2.2 The Five-Stage Growth Path
2.2.1 Desktop Exercise
2.2.2 Walkthrough
2.2.3 Active Testing
2.2.4 Command Post Exercise
2.2.5 Full-Scale Exercise
2.2.6 Frequency of Testing
2.3 Testing Plans and Procedures
2.3.1 Disaster Recovery Testing
2.3.2 Systems Recovery Checklist
2.4 Elements of Exercise Development
2.5 Background: Objectives and Purpose
2.5.1 Stating the Purpose
2.6 Buildup
2.7 Developing the Script for the Exercise
2.7.1 The Script Process Deliverables
2.7.1.1 Script Content
2.7.1.2 Interrupts
2.8 Quality
2.8.1 Realism
2.8.1.1 Methods for Achieving Realism
2.8.2 Scope
Chapter 3: Delivering a Successful Exercise
3.1 Exercise Coordination and Control
3.1.1 Potential Problems
3.1.2 Preparation and Practice
3.2 Safety: Isolation and Security
3.2.1 Creating Isolation
3.2.2 Setting Up Security
3.3 The Ideal Scene
3.4 Lessons: The Feedback Stage
3.4.1 Exercise Debrief
3.4.2 The Exercise Report
3.4.3 The Exercise Review
3.4.4 Full Sequence of Feedback
3.5 Tracking the History
3.5.1 Records and Reports
3.5.1.1 Records
3.5.1.2 Reports
3.5.2 Recording
3.6 Kick-Off
3.6.1 Announcement and Notice
3.6.2 Cautions
3.6.3 Rules of Engagement
3.6.4 Keeping It Going
3.7 Advanced Techniques
3.7.1 The Command and Control Exercise Scale
3.7.2 Cabaret Exercising
3.7.3 The Bang and Echo Program
Chapter 4: Auditing and Maintaining the Plan
4.1 Steps in Review Process
4.1.1 Facilities
4.1.1.1 Facilities Testing
4.1.2 Resources
4.1.2.1 Resources Testing
4.1.2.2 Reviewing Dynamic and Stable Plan Content
4.1.3 Output Phase
4.1.3.1 Status Reports and Activity Reports
4.1.4 After the Reports
4.2 Auditing
4.2.1 The Audit Process
4.2.2 Rules of Audit
4.2.3 Policy
4.2.4 Compliance
4.2.5 Finance
4.2.6 Investment
4.2.7 Expenditure
4.2.8 Prudence
4.2.9 Purposes
4.2.10 Achievement
4.2.11 Claims
4.2.12 Concerns
4.3 Completing the Audit
4.3.1 Audit Checklists
4.3.2 Checklist Construction
4.3.3 Audit Reports
Preface
The importance of exercising your BC plans and testing the associated arrangements and resources cannot be overstated. This is the most important aspect of preparing to deal with the inevitable disruptive incident which will eventually occur. If you and your organization are properly prepared the incident may pass by almost unnoticed, simply because your people knew what to do and how to do it.
On the other hand, without any previous practice, a relatively minor interruption can easily escalate to dramatic proportions with disastrous consequences – simply because they didn’t perform very well. The old saying “practice makes perfect” has a lot of truth in it, especially when confronting the unusual or the unexpected.
You and your organization will gain more benefit from exercising and testing than from any other aspect of your BC program. It is the only element in the whole program which can directly affect people’s reactions and unconscious behaviors.
In fact, it could be said that exercising and testing is the only part of the BC suite of disciplines that is essential. One might cope quite well without any plans or other preparations – providing that one could safely rely upon the effective competence of the individuals concerned. However, such a level of competence can come only from the experience gained in regular exercises and tests.
In this book, we will be looking at how you can make this all happen smoothly and effectively, using tools and techniques which have been derived from many years of practical experience. Read on, dear reader, read on.
Jim Burtles
London, United Kingdom
October, 2016
Introduction
The Basics of Testing and Exercising
No plan of action has any value until it has been proven. Even then, it has precious little value until all of the actors have practiced their performance. There is no question that Shakespeare wrote good plays, but I can’t imagine that any drama company would want to stage one of them without a few rehearsals. Remember, our actors are not accomplished professionals and perhaps we should not put too much faith in a plot that has not yet stood the test of time.
Seriously, we must test our plans to see how well they work. We must also challenge the assumptions about timings. Once we are reasonably confident that the plans should work, we must carry out a dress rehearsal to make sure everyone knows what to do and how to do it. Over time people will either have forgotten, lost confidence, lost interest, or been replaced. Thus, we should practice on a fairly regular basis; otherwise, our plans could cause chaos rather than save lives, the latter being, after all, the whole point of the program.
0.1 Definitions
You cannot have any real confidence in your plans and procedures until they have been fully tested. A test will verify their usefulness. While a test is an important step, it still doesn’t prove that everybody will reach safety successfully. Exercises are the only way we can be sure that the people will be able to interpret the plans and procedures correctly within the requisite timeframes under difficult circumstances.
A test establishes, or measures, facts and figures; an exercise develops or demonstrates attitudes and understanding.
I’d like to take a moment to clarify the terms being used in this section; otherwise the whole idea of whether a certain set of activities is “testing” or “exercising” can become hopelessly confused. In older literature in the field, you will see that 20 years ago, any efforts to determine if a plan would work under real-world conditions were referred to as “tests” of the plan; however, the whole industry has “grown up” since then and has become more sophisticated, and so has our use of language. Current terminology in emergency management, disaster recovery, and business continuity includes these terms:
Test: A test is a procedure which determines whether something works or is fit for purpose, and it produces a specific answer. Successive testing does not lead to improvement; like an audit, it merely reflects the current status. For example, testing can determine if certain aspects of the plan are still accurate and if anything has changed, such as names of people and companies, contact phone numbers, building layout, vendors of services, etc. These are all aspects of a plan that need to be tested for accuracy before any kind of real-life exercise takes place.
For example, I weigh myself to find out if I’ve lost weight, but I exercise to make the change happen.
Exercise: An exercise is a procedure, routine, or drill which is carried out for training, learning, and improvement. Capability should improve through exercising. Capability tends to diminish without exercise; regular exercising helps to sustain capability. A full-blown fire drill is an exercise in which, under the most realistic conditions possible, people act upon the instructions to practice carrying out the tasks and routines that would be expected of them in a real emergency. The hoped-for result of an exercise is overall improvement.
For example, I exercise to keep fit and lose weight. It is an ongoing process.
Thus, a test establishes, or measures, facts and figures; an exercise develops or demonstrates aptitudes and understanding.
0.2 Element Testing
Each of the key elements within the evacuation procedure can, and should, be checked out separately before embarking on a full-scale end-to-end test. In fact, if all of the elements follow a logical sequence then it may not actually be necessary to carry out a complete test; you could move straight on to the exercise program which will prove that the complete procedure is effective.
In most instances, I recommend that your first full-length exercises be regarded as your final end-to-end test. Once you have proved that all of the individual elements of the evacuation process are valid by conducting the series of recommended tests detailed above, the only remaining question is whether people can follow the instructions and complete the full procedure without exposing themselves to danger or getting lost.
0.3 Exercising
Exercising in this context has two main purposes:
• A demonstration which confirms that the procedures do work.
• An education which teaches people what to do and how to do it.
Success in following procedures will develop their competence, which will, in turn, give the people confidence that they will be able to reach safety if it should ever be necessary. Confidence and competence will thus ensure their survival capability.
Because an exercise is largely an education process, it is best to move forward one successful step