When it comes to business continuity management (BCM), the rehearsal of plans in a regulated, orchestrated environment – or simulation testing as it is known, is essential to success. This is the view of Dean Horner, CEO at 42 Consulting, a national BCM services company.
Horner says most decision makers feel that they have covered all bases when an approved, comprehensive business continuity plan (that accurately reflects the needs, technology and structure of the organisation) is in place.
“The reality is that a business continuity plan can only be considered truly effective if the content and components of the plan have been regularly tested,” Horner explains. “It is only by testing the business continuity plan that seemingly trivial issues can be identified and prevented from becoming big problems in a real-life situation.”
According to Horner, it is often the human dimension – or the people issues – that benefits the most from a well-designed recovery exercise.
“What you really need to exercise is the team’s ability to make decisions. Plans are very important but they are implemented by people, who can only become well prepared through training and exercising their decision-making and information management,” says Horner.
Management at 42 Consulting says regular testing ensures that that the key people involved in the business recovery teams know and understand their respective roles and responsibilities, and helps them to interact effectively during a real-life incident.
In order to assist clients to extract the maximum benefit from their BCM simulation, 42 Consulting has devised a list of its top seven pointers.
* Walk before running – it is important that the type of exercise is aligned with an organisation’s level of BCM maturity. Users may not be ready yet for a highly complex disaster simulation, and to roll out this sort of exercise may simply set them up for failure and discourage future testing in the business.
* Invest sufficient time in the planning – creating and facilitating a quality exercise is a major undertaking. A rule of thumb for a successful crisis simulation exercise is that 10 to 18 hours of development time is required for every hour of the actual exercise.
* Ensure the scenario is realistic – select threats or events for the scenario that are highly probable and realistic, or have been identified by executive management as being a concern for the organisation.
* Create a scenario that tests all participants – ensure that there is enough "action" to maintain the interest of all participants and the designated back up team members. The exercise should encourage inter-dependent decisions and the co-operation of all the disciplines in the room.
* Build an exercise that encourages success, not failure – while the exercise should be complex and challenging enough to robustly test the team’s skills and decision-making, it should not be so severe that it creates a no-win scenario for the participants.
A simulation that is designed to make the participants concede that they have "failed" is not a positive learning process, and will discourage future participation in business continuity exercises.
* Use a proven, experienced facilitator – a successful simulation requires an external resource that has a wealth of experience in the development and facilitation of crisis management tests.
* Make it fun for the participants – possibly the most critical success factor of them all. While the simulation should be tough and full of challenges, the participants need to enjoy the experience if the business is going to be assured of their continued support in future exercises.
According to Horner, testing business continuity plans is an underestimated skill and needs to be built on a proven methodology if it is going to deliver on its objectives.
“With executive management and other senior business leaders often participating in the exercise, it simply can’t be seen to be anything less than a valuable investment in management time and resources.
"At the end of the day, a poorly planned and designed exercise will result in disappointed and disillusioned participants who may question their future participation in other exercises, and undermine their sustained support for the business continuity function in general,” he adds.