There are five basic types of exercises that can be undertaken to properly assess the effectiveness of the Business Continuity Plan:
- Desk check
- Tabletop exercise
- Functional exercise
- Full-scale exercise
An un-timed exercise to review all of the elements of the plan in a stress-free environment. The participants are management and response team members who gather across the table to ensure that all are familiar with the plan; questions are asked and answered; changes are made to the plan if problems are discovered. This exercise is usually facilitated by the plan developer or business continuity plan co-ordinator.
TABLETOP EXERCISE OR WALK-THROUGH
A tabletop exercise simulates an incident in an informal, stress-free environment. The participants who are usually the responsible managers and the response teams gather around a table to discuss general problems and procedures in the context of an incident scenario. The focus is on training and familiarisation with roles, procedures, or responsibilities.
The tabletop is largely a structured walk-through guided by a facilitator. Its purpose is to solve problems as a group. A scenario is developed in advance but there are no attempts to arrange elaborate facilities or communications. One or two evaluators may be selected to observe proceedings and progress toward the objectives.
The success of a tabletop exercise is determined by feedback from participants and the impact this feedback has on the evaluation and revision of policies, plans, and procedures.
This type of exercise involves a predefined scenario, which is developed prior to the event. It is unannounced and once started it is timed from beginning to end. The exercise addresses the scenario using only the plan. It is used to determine the state of readiness and awareness of the plan’s response teams.
It incorporates all plans and tests the accuracy of all plan procedures including Contact lists.
The functional exercise simulates an emergency in the most realistic manner possible, short of moving real people and equipment to the Recovery Sites. As the name suggests, its goal is to test or evaluate the capability of one or more functions in the context of an adverse or emergency event.
- It involves controller(s), players, simulators, and evaluators.
- The atmosphere is stressful and tense because of real-time action and the realism of the problems.
- Exercise is lengthy and complex; requires careful scripting, careful planning, and attention to detail.
- Geared for policy, co-ordination, and operations personnel (the players).
- Players’ practice their response to an incident by responding in a realistic way to carefully planned and sequenced messages given to them by simulators.
- Messages reflect a series of ongoing events and problems.
- All decisions and actions by players occur in real time and generate real responses and consequences from other players.
- Guiding principle: imitate reality.
FULL PLAN EXERCISE
A full-scale exercise is as close to the real thing as possible. It is a lengthy exercise that takes place on location including the Emergency Control Centre and Alternative Work Site, using the equipment and personnel that would be called upon in a real event.
In a sense, a full-scale exercise combines the interactivity of the functional exercise with a field element.
Eventually, every incident response organisation must hold a full-scale exercise because it is necessary at some point to test capabilities in an environment as near to the real one as possible.
THE TWO MAIN BENEFITS OF AN EXERCISE PROGRAMME:
- Individual training: exercising enables people to practice their roles and gain experience in those roles.
- System improvement: exercising improves the organisation’s system for managing incidents and emergencies.
These benefits arise not just from exercising, but from evaluating the exercise, evaluating problems, and acting upon the recommendations.
Management should be clear that exercises are NOT tests. The intent is not to establish a pass or fail. An exercise should be viewed as the normal work required to refine and to tune Business Continuity Plan. An exercise has value only when it leads to improvement.
Exercises should be conducted periodically. The period of the exercises should at least be yearly, or, if business is rapidly, changing twice a year.
ONE LAST THOUGHT
Exercising of Business Continuity Plans and verification of their accuracy and efficiency are fundamental to achieving the objective of a responsive and recoverable organisation.
This information is brought to you by CIA Insurance in conjunction with the LMI Group.