I am a Business Continuity Manager ... and I want to select an exercise!
Timothé Graziani
Associate Director @Capresiliencia | BCM, Risk, Crisis, IT, Resilience
There is a diverse range of exercises available for selection in your Business Continuity (BC) program, such as simulations, workshops, exams, technical tests, and more.
According to ISO 22398, exercises serve as crucial management tools designed to identify gaps and areas for improvement, evaluate the effectiveness of response and recovery strategies, assess organizational and personnel competence, and ensure the completeness, relevance, and accuracy of revised plans and program changes.
When choosing an exercise, it is important to first define your objectives. Are you looking to test a technical solution, train your team, enhance a protocol, or evaluate the technical proficiency of a group?
At Adaptive BC, some colleagues utilize small simulations as an initial step into a new area or to assess recovery capabilities during the first meeting. This approach can effectively demonstrate the value of the BC program.
The selection of the appropriate exercise tool depends on your specific goals, so it is essential to align the exercise type with your objectives rather than favoring one over another without consideration for your purpose.
Obtaining approval from your executives is crucial. It is important not to undertake exercises independently, as certain activities may pose risks to the business and require the involvement of key stakeholders. Additionally, your program should establish criteria for success and key performance indicators (KPIs), and exercise oversight should be provided by management.
There are numerous resources available, including books and articles, that discuss various exercise options within this field. While terminology may vary, the core concepts remain consistent. Exercises can be categorized based on their objectives and intended outcomes:
领英推荐
Test: Is it working or not? Yes, or no? Good or bad? Right or wrong? This is the kind of answer you look for in a test. It can be technical (testing if a load balancing is working) or procedural (does the protocol lead to the expectable answer?). It is limited and don’t bring value to people. But it is very useful to make sure a defined solution works.
Tabletop exercise: This exercise can be done in different ways: an interactive workshop with a simulated situation, a lecture or a review of a plan, a real event discussed by a group of employees, a brainstorm regarding a risk. There are no operations or procedures to apply. It should be an exchange of information and comments regarding a given situation or existing document. The target here is to provoke reactions and help people to think of theorical solutions. There are no right or wrong answers.
Simulation: Simulating means pretending or imitating, so we won’t be in real conditions. We can realize a simulation exercise by reproducing a situation. To my opinion, you need to choose your exercise also according to the type of plan. For example, I think a simulation is a great model for crisis management plan.
Parallel exercise: “The primary process doesn’t stop” (ISO 22301 – PECB Training). We could execute a recovery of a service, an IT system, or a process without affecting the main asset in production. We don’t stop it. We do it in parallel. It might mean we can’t finish the recovery process completely as it could affect the service or the system in production. Still, it’s a great exercise as it’s a real recovery without affecting the production.
Total Interruption: We are entering here in the best zone of exercises. It should be your final objective, the ultimate level. You need to do things for real. Your team will have stress, they might live real issues and it might create a real interruption. Yes, it’s risky for the business but it’s the best form ever to test solutions or improve protocol and especially, train people.
In conclusion, select the exercise according to your objective and get the approval of your Execs. There are no limits to train and create awareness. Do it as many times and as deep as you can. I do believe exercising is one of the most important tasks a BCMer should execute in his role, and certainly not a BIA. Focus on creating a capability of recovery. This is what you are here for.
Principal, Kingswell International Ltd. registered in UK. Founder, BCI.Resigned as HonFBCI. Prof. Emeritus BCM, Telfort Business Institute, Shanghai University. Past Expert, IoSCM.Consultant, author.
1 年great, but since the real incident isunlikely to beany scenario you have exercised, a key objective in exercise should be to train participants to react instinctively, logically & aptly to any incident, so even bizarre alien, godzilla or kraken scenarios have a value.
Yes, infact I am hoping that we change and make these terminologies more simpler and lay-manish. Tim, the other dimension that we always tried to excel is HOW to do the exercise. User motivation to participate and engagements levels needs a booster dose, that is why, we introduced BC test automation/ digital exercise. If some of you want to experience how we do those, visit www.simbcm.com or let us know.
Principal, Kingswell International Ltd. registered in UK. Founder, BCI.Resigned as HonFBCI. Prof. Emeritus BCM, Telfort Business Institute, Shanghai University. Past Expert, IoSCM.Consultant, author.
1 年try using a scenario based on one or mre item(s) you identified in your RA... add a few twists & play them through during the exercise to cover cyber, bad press, impact on brand & share value etc...? Good luck with it, & if you want to bounce it off me I will treat it as confidential. N oneed to mention the client, but sector would help. Happy New Year, Andrew
Disaster Recovery Specialist at ELC Online
1 年Hello, Thank you for shining light on one of the most preparedness tools that we have - testing. I've been organizing testing programs for business continuity and disaster recovery for about 27 years. I organize testing in the following buckets: Component Testing - Testing of individual infrastructure and/or applications that are newly implemented and/or or have experienced a technical or procedural change. End to end critical process testing - Testing of an end-to-end critical process - providing more of a horizontal approach. This not only focuses on the infrastructure and application functions but also internal and external dependencies. Switchover and failover testing (data center to data center) - Testing switchover where replication of the database is still connected and databases change their profile (demotion to secondary/promotion to primary) Testing failover where replication of the database is disabled resulting in additional requirements for fallback or normalization of not only the database but the production environment's relationship with the database. Process walkthroughs: data center to data center, incident management/disaster declaration and critical process and procedures review. A.
Asesor estratégico para empresas, en continuidad del negocio, y en reducción del riesgo de emergencias y desastres
1 年Thanks Timothé ?? ?? ??