Whitepaper

Best-Practice Strategies & Digital Tools to Improve Testing & Exercises in Business Continuity & Resilience Management

Noggin

Business Continuity Management

Published November 24, 2023

Longstanding challenges to exercise management persist

If the pandemic has taught us anything, it’s that you can’t just plan for crises. Organizations must also test those plans regularly, preferably under conditions that best approximate the real-world crisis scenario. 

Why’s that? Well, it’s the failure to exercise and update plans that’s often given as a reason for the breakdown of business resilience processes during moments of stress.

The issue predates the pandemic. Already in 2018, the Deloitte study, Stronger, fitter, better: Crisis management for the resilient enterprise [i], found that 90 per cent of organizations reported confidence in their crisis management capabilities; only 17 per cent of those organizations, however, had performed simulation exercises.

The testing of crisis communications capabilities was similarly slipshod. 

A 2016 Nasdaq public relations services study found that a majority of corporate communicators said that their company either lacked a crisis communications playbook (48 per cent) or were unsure of whether they had one (12 per cent) [ii].

Add to that, 60 per cent of organizations didn’t role play or weren’t sure if they did. Fewer than half (48 per cent) were actively using a media monitoring platform. And only 24 per cent of company CEOs and other spokespeople were receiving annual media training. 

Have things changed since the pandemic?

Post-COVID resilience survey evidence from BCI suggests not fast enough. The data there show that (1) exercises aren’t being completed frequently enough or (2) on a sufficient scale, and that (3) exercise management programs are failing to prioritize complex disruption scenarios.

Best-practice framework for performing business continuity and resilience testing and exercises

What then should organizations be doing to improve the quality of those exercise management programs, beyond making “maximum use of the controlled, risk managed environment of exercises and testing”? 

International standard ISO/DIS 22398, for its part, lays out a best-practice framework for performing resilience testing and exercises. 

The standard outlines the procedures that are necessary for the planning, implementing, managing, evaluating, reporting, and improving of exercises, as well as the testing designs needed to assess the crisis-readiness of an organization.

What else?

The standard also instructs organizations to conduct a needs and gap analysis. The purpose of this analysis is to establish the need for exercises and testing in the first place. What questions might organizations ask to get started with this preliminary stage of the testing process?

Common questions include: 

  • Does the exercises and testing plan address requirements for exercises and testing? 
  • Can this plan promote consensus with interested parties? 
  • Does the plan offer an opportunity to reach and interact with its target group(s) and potentially address their interests?
  • Does this plan provide an opportunity to address multiple issues in depth?
  • Does this plan focus on key issues? 
  • Does the plan provide information tailored to the target group(s)? 
  • Is this plan practical and relatively easy to implement?
  • Does the plan provide for information transfer at relatively low cost?
  • Is this plan easy to update? 
  • Is the effectiveness of this plan measurable? 
  • Is this plan a good vehicle for education? 
  • Is this plan creating a constructive and supportive atmosphere?
  • Is this plan an effective way to get publicity or increase public awareness? 
  • Does the plan conform to the organization’s constraints? 

What’s the purpose of taking the prescribed approach? 

It’s meant, for one, to enable organizations to move away from generic testing and toward a more customized exercise management program – one better suited to addressing their specific business risks. The resultant gap analysis, answering the questions above, then indicates what kind of exercise (out of the many available options) the program should be deploying.

Exercise types include:

  • Alert exercise. The purpose of an alert exercise is to test the organization by alerting the involved participants and getting them to arrive at a designated place within a certain time. It can also be used to test an alert mechanism. This type of exercise is primarily applied to internal staff.
  • Start exercise. A start exercise usually builds upon the alert exercise, testing how fast the emergency management organization can be activated and start carrying out their tasks. A start exercise is therefore a means to test and develop the ability to get started with crisis management processes.
  • Staff exercise. A staff exercise is designed to increase the ability to work with internal processes, staff, and information routines in order to create a common operational picture and suggest decisions.
  • Decision exercise. A decision exercise is primarily used to exercise the decision-making process within an organization, e.g., the ability to take fast and clear decisions on actions and to initiate cooperation between those responsible and stakeholders, under time pressure.
  • Management exercise. This type of exercise is a combination of alert exercise, start exercise, staff exercise, decision exercise, and system exercise. The focus is often on the roles, organization, SOPs, etc.
  • Cooperation exercise. A type of exercise where coordination and cooperation between management levels is exercised. A cooperation exercise can be carried out on both large and small scales. A cooperation exercise may consist of: “Vertical” coordination (between national, regional, and local levels); “Horizontal” coordination in a sector where public and private stakeholders participate.
  • Crisis management exercise. A crisis management exercise simulates crisis conditions and gives personnel the opportunity to practice and gain proficiency in their plan roles.
  • Strategic exercise. Strategic exercise refers to comprehensive exercise activities at strategic level (e.g., inter-ministerial crisis staff, political-administrative staff, cross-sector and cross-departmental management staff, crisis management organization of corporate management). Aims include improving the integrated crisis reaction ability in exceptional threat and danger situations (crisis situations) and developing a comprehensive coordination and decision culture.
  • Exercise campaign. An exercise campaign is a series of recurrent exercises with a common generic organizational structure.

Sources

i. Peter Dent, Roda Woo, and Rick Cudworth, Deloitte Insight: Stronger, fitter, better: Crisis management for the resilient enterprise.

ii. Seth Arenstein, PR News. PR News/Nasdaq Survey: Nearly Half of Organizations Shun Crisis Preparation. Available at http://www.prnewsonline.com/pr-newsnasdaq-survey-nearly-half-organizations-shun-crisis-preparation/

The stages of business continuity and resilience testing

The standard doesn’t provide a play-by-play for each specific type of scenario, however. But it does give organizations a set of six generic stages through which their exercises should go.

The entire process will start with an initial run-through, to ensure that all members of the exercise team receive the same initial information. This review should be brief and contain only information that ensures participants can perform as planned during the conduct of the exercise.

The lead evaluator should be a participant in the run-through. And it’s also critical that a similar review occurs with the control team, so that the team remains synchronized with scenario changes, and that the exercise director’s guidance gets implemented as the exercise proceeds.

Subsequent stages include:

  • Start-up briefing. The business should organize a start-up briefing, an integral part of the exercise hazard control. If a hazard is identified and cannot be eliminated, the first technique in hazard control is awareness. If the participants are not aware of the hazard, it is difficult to avoid it or “control the hazard” by maintaining the distance from the hazard, minimizing the exposure to the hazard and maintaining a “shield” from the hazard. The organization should clearly communicate the reasons for an exercise intervention (both crisis and non-crisis) to all participants. The start-up briefing should be used to avoid confusion between simulated and actual events. 
  • Launch. The organization should check the communications that will be used to launch, stop (temporary), and terminate exercises and testing prior to the scheduled launch. The methods for communicating launch, stop, and terminate exercises and testing should be explained during the start-up briefing. 
  • Wrap up. The organization should use the same communications for launching and temporary stop at the end of the exercises and testing. The start-up briefing should be used to ensure clear communication with the intent of avoiding confusion between simulated and actual events. 
  • Post-exercise briefing. The business should organize a post-exercise briefing in order to gather information from actual exercises and testing. Critique of actual incidents and near-incidents will provide valuable information concerning the validity of the plan, the resources that were available, how the resources were used, and the transfer of behavior learned in training. Every actual incident should be subjected to a critique and a review by key decision makers. The same format for the critique of an exercise or test will be used for an actual incident. During the post-exercise debriefing, special attention should be given to the functioning of the exercise organization and the exercise planning process.
  • Observation. The evaluators of the exercise should have knowledge of the expected performance. They should have prepared observation forms, which should contain the exercise performance objective and allow for notes to be taken during the exercise. 

And once exercises are finished?

As the primary purpose of exercises and testing is to inform stakeholders which business resilience practices are working as planned and which are not, exercises should yield an after-action report. 

Most organizations would have heard of the after-action report, a staple of post-crisis analysis. And the post-testing after-action report is similar, in that it (a) gives organizations an overview of the exercises and testing performed; (b) reports on any successes against performance objectives; (c) elucidates what went well; (d) lays out the issues identified; and (e) lists subsequent remediation actions to be taken and by whom.

Digital capabilities to improve exercise management

Of course, best practice, full-lifecycle exercise management processes don’t just implement themselves. Indeed, many organizations flounder putting a program that hews to these best practices together. What can they do?

They should seek out integrated business resilience software. Using the new digital transformation technologies of analytics and workflows, these platforms help businesses to (1) better anticipate and identify trends, (2) prevent situations that may generate an interruption, and (3) respond more efficiently to disruptions that do arise.

They also work to better fuse the planning and exercise management competencies together within the greater business continuity and resilience management program. 

How so? 

Well, the platforms in question function as plans. That means when customers need to develop their continuity and resilience plans, all the data they have previously entered seamlessly comes together. This way continuity and resilience managers don’t have to go sifting through documents to find the data they need, eliminating the risk of someone referencing an out-of-date plan during a crisis.

What’s more, because the plan is in the platform, multiple stakeholders can collaborate on the development and updating of the plan, which enables better engagement. All data associated with building the plan is managed centrally, in a controlled way. And data points only need to be captured once and updated, which reduces the risk of duplication.

The platform as plan approach leads to more efficient exercise management, as does the platform’s own enhanced exercise management functionality. 

What does that functionality include?

For starters, exercise dashboards navigate users and their teams through each phase of an exercise, ensuring everyone understands what needs to be completed and when. From there, the platform’s automation capabilities ensure the correct teams and/or personnel are invited to participate in the exercise and receive regular updates via automated notifications throughout the exercise.

Once the exercise is activated, all users can easily see what type of exercise is being completed. And based upon the affected assets/activities, the recovery strategies required for the affected assets will automatically be populated for the team.

Built-in communication and collaboration tools, e.g., chat, email, SMS, and voice messages, then, make it easy to collaborate in real time, better coordinate responses, and keep everyone informed.

Finally, the platforms provide the capability to record meetings, minutes, and action items. This is a mirror of the platform’s incident management functionality, designed as such to ensure a consistent user experience, which gives practitioners the benefit of familiarity in the event of a crisis.

What does it all mean?

COVID pointed up systemic gaps in exercise management; and post-COVID survey data suggest that those gaps have yet to be closed.

Best-practice exercise management standards, such as ISO 22398, will get companies part of the way there – but not entirely. Developing a best-practice exercise management program for the full lifecycle of business continuity and resilience testing will take purpose-built software, like Noggin. These platforms fuse planning and exercising together, improving the user experience of each, all the while strengthening resilience.
