Developing and Conducting an Effective Tabletop Exercise
A Step-by-Step Approach
By: Mr. Steve Myers, CBCP, CBCV, MBCI
Contents:
- What’s at Stake?
- Setting the Stage
- Building Your Strategy
- Developing the Scenario
- Conducting the Exercise
- Follow-up and Issue Assignment
What’s at Stake?
“Plans are nothing…planning is everything”
—– Dwight D. Eisenhower
In today’s highly competitive marketplace, businesses must be prepared to keep pace against a variety of challenges such as downturns in the economy, ever-increasing competition, fragile customer loyalty, and a host of other difficulties that make it tough to sustain profitability and remain viable. While these challenges are indeed difficult, businesses by and large expect they will be faced in a normal operating environment, where people, systems, facilities and records remain intact.
But a question that must be asked is “Would your business be prepared to face these challenges under abnormal circumstances, such as after a disaster strikes? Has your team prepared for such conditions? Are you personally ready?”
Along with routine operational challenges, each day organizations are exposed to a wide variety of threats including natural disasters, technological disasters, biological disasters and human threats. These issues bring about additional challenges that could adversely affect corporate objectives. Remember, regardless of the operating environment, someone very important assumes you have this covered (i.e., customers, shareholders, regulators, board members).
The best defense against these threats is to develop a comprehensive testing process that exercises all elements of the global business continuity program. A proven process at the core of the testing program is the conduct of a tabletop exercise.
Setting the Stage
“Strong convictions precede great actions”
—– James Freeman Clarke
Getting your team fully involved in the process of planning and testing crisis management and incident response actions requires support from the highest levels of the organization. Absent buy-in and support from executive management, team members may not fully embrace the concept of globally preparing their business unit (and the organization as a whole) to respond to an emergency. These tabletop exercise sessions provide an opportunity to identify and address weaknesses in the program in advance of need.
Making sure all of the organization’s business units are represented at the exercise broadens the scope of the session and best assures that key aspects of the current program are adequately examined. Again, having management sponsorship ensures that the session is appropriately prioritized and given due consideration by all of the participants.
As the concept of a tabletop exercise is introduced to the business continuity team members, it is best presented as a team building session that allows for problem solving in a relaxed environment. The goal is to lessen anxiety and set the expectation that the environment is non-threatening.
Some specific points of understanding that should be shared with the participants in advance of the exercise may include:
- The session is a “no fault” environment; varying viewpoints, even disagreements, are expected.
- There are no wrong answers…everyone’s opinion will be considered.
- The session will focus on problem solving. Real value will be found in suggestions and recommended actions that support continued growth of the program.
- This is a great opportunity to understand the plans of other teams in response to a simulated event.
Setting the stage in advance better prepares the participants to fully engage in the session.
Building Your Strategy
“Success is simple. Do what’s right, the right way, at the right time”
—– Andrew H Glasgow
After the stage is set with the participants and management, the focus shifts to actually designing and building the exercise strategy. As you address this step, consider the following key issues:
- Which high value systems/applications/processes should be included in the exercise?
- What criteria will be used when selecting areas for testing (e.g., loss of people, facility access, IT infrastructure, critical records, etc.)?
- Should the event include outside support entities such as vendors/emergency services personnel/board members/etc?
- How do we balance exercise complexity with audience competency?
- Should the exercise be held on site or off site?
- How long will the exercise last?
- With whom should we share the results?
Establishing the core components of the exercise brings a structured process to the actual development of the exercise scenario. Using the strategy as a roadmap, the facilitator can focus on developing a simulated incident that benefits the learning environment and maximizes the time investment of everyone involved in the exercise.
Developing the Scenario
“Fiction reveals truths that reality obscures.”
—– Jessamyn West
Now that the stage has been set and the strategy developed, attention turns to developing the actual exercise scenario. In doing so, keep the following key points in mind:
1. Use a realistic scenario
While some may be tempted to use their creative imaginations, it is always best to use a scenario that is realistic and relevant to the current operating environment. The participants will buy in more fully if the scenario is believable and represents an event that could actually affect their area of responsibility.
2. Use a scenario that includes changing circumstances over various points in time
In an actual disaster, events can and will change over the course of the recovery, often without warning. The value of the exercise will grow if the scenario also includes simulated changing events that closely mirror this type of fluid environment. For instance:
- What would happen if a member of the team provided a statement to the press that was neither approved by management nor verified for accuracy?
- What if the scenario involved a regional event that affected some staff members’ ability to report to work? How will this compound the effects of the disaster event?
- What if the event was a weather-related emergency and a second occurrence of a similar event was forecasted to occur before recovery from the initial event was complete?
3. Avoid overpopulating the scenario with unsolvable problems
In all but a few cases, it would be a mistake to start the presentation with a scenario that involves the complete and simultaneous loss of all key assets (people, records, facilities, IT infrastructure). The audience can become frustrated and may not be inclined to fully participate in the session discussions, especially if they haven’t previously participated in other simulated events of this type. What works best is a progressive testing strategy that challenges the participants with increasingly complex scenarios as the program evolves over time.
The ultimate goal of the exercise is to raise awareness of exposures and plan for business unit recovery by working through a simulated live disaster event. Through this effort, management will be able to gauge the level of preparedness among the teams and the organization as a whole.
Conducting the Exercise
“Chance favors the prepared mind.”
—– Louis Pasteur
1. Establish Objectives
Once you have gathered the team together to conduct the exercise, it is important to establish the objectives for the session. In other words, tell the participants what the session intends to accomplish. Some key focus areas include:
- Improving the understanding of requisite business recovery responses during a crisis event.
- Identifying opportunities for improvement of preparedness efforts among the teams/team plans.
- Identifying interdependencies among the business units and 3rd party service providers (critical work inflows and work outflows).
- Increasing awareness of business impacts resulting from uncontrollable events inside or outside the organization.
The goal is to better familiarize team leaders with emergency response actions and the recovery processes documented in each of their respective plans. Short of responding to an actual emergency, there is no better way of reaching this level of understanding.
2. Set the Ground Rules
To maximize the effectiveness of the session, establish some simple ground rules for the participants such as:
- Silence cell phones and other mobile devices during the session.
- Accept that the circumstances surrounding the event are real.
- Inform the participants that portions of the scenario may be adjusted during the session to adapt to the needs of the exercise.
- Some issues may be tabled for further discussion later if they cannot be settled within a reasonable amount of time during the exercise.
Be sure that everyone is aware of these rules before the session begins. This will limit distractions and enhance the quality of the session.
3. Conducting the Session
- As the participants arrive for the session, they should sign an attendance roster. This provides both internal (management) and external (regulators/board members) stakeholders with a means of knowing which business units are represented at the session.
- Provide an opportunity for interactive dialogue as the scenario unfolds. Having the presenter pose some leading questions is a good way of getting this dialogue started.
- Make sure that someone is assigned to take notes throughout the session. The information exchange is extremely valuable and is a good source of input for the next maintenance of the plans/program.
- If the session is expected to last more than 1 hour, make sure time is built in for a break.
- After the session and before the participants depart, have them complete a post exercise questionnaire to capture their thoughts regarding the quality of the session and any suggestions they have for improving the program. Some topics include:
  - Plan/program strengths
  - Opportunities for improvement
  - Their opinion of the quality of the session
  - Suggestions for future exercise scenarios
Issues captured on these surveys can also be used as input for the next maintenance of the plan/program.
Follow-up and Issue Assignment
“The only source of knowledge is experience”
—– Albert Einstein
Concluding the Tabletop Exercise
1. After the Exercise
- Review notes taken during the exercise and the surveys completed after the exercise. Categorize issues and assign them to the appropriate issue manager.
- Set dates for completion and/or reporting on resolution progress.
- Make sure findings are shared with all of the teams.
2. Follow up, Follow up, Follow up
- Follow up with issue managers at agreed upon dates/times.
- Where issues cannot or will not be resolved, include them in a report to executive management. This will ensure that top executives are aware of any unmitigated risks and can determine if the issues are within corporate risk tolerance levels.
3. Summary
Our experience has taught us:
- Tabletop exercises, as with any other successful business continuity initiative, yield the most value if sponsored by executive management.
- When properly executed, tabletop exercises can lead to significant improvements in the global program.
- Organizations are best prepared to respond to an actual emergency if they regularly exercise their plans.
- Through the conduct of tabletop exercises, even the most seasoned organizations uncover previously unforeseen weaknesses.
Mr. Myers can be reached at:
smyers@paradigmsi.com
Office: 814-943-4007 X305
Fax: 814-946-5173
www.paradigmsi.com