TUG Buzz! for Monday August 19, 2019

IN THIS ISSUE:

1. Resilience - article by Garth Tucker
2. Stay Connected - Confirm your subscription to TUG Buzz

[article] Resilience
Exercise? I Thought You Said Extra Fries…

Sadly, the title of this article is reasonably accurate in many organizations. There are parts of resilience programs that are sometimes overlooked or poorly developed, but in my experience, none to the extent of the exercise component. There are likely a few reasons for this, from organizational fatigue after an intensive program development process, to loss of interest – "We have a plan, what else do we need?" – to lack of actual crisis experience on the practitioner's side of the process. None of these are acceptable reasons and we must do better.

According to DRI's Professional Practice Eight, you should "Establish an exercise/test program" as part of your resilience program and PP8 gives very detailed activities to accomplish that objective. I'm not going to copy and paste PP8, but keep in mind that you must establish an exercise/test program with detailed timeline of exercises/test that follows a structured approach and develops scenarios that start simple, add complexity, and build on mastery to build an industry accepted program.

Before we can begin to discuss this step however, we will identify the types of exercises and what constitutes an exercise:

1. The most basic type is a Discussion exercise. This is where relevant stakeholders sit and walk through sections of the program/plan and look for pitfalls/dark corners/career enders. It's a pretty easy exercise to organize and conduct and it's the bare minimum you can do and not have me give you a hard time.
2. After Discussion/walk-through exercises, Tabletop exercises (TTEs) are the next easiest to conduct and typically involve subject matter experts and/or front-line staff who would be affected by an event. This can be a very good way to identify weaknesses or processes overlooked during the BIA process. I like TTEs, especially for organizations with remote locations, which would entail significant cost to the business, because they can be developed and conducted very successfully via Skype or other such modern, interweb technologies. Your IT likely has something like this at your disposal, help them with the ROI
3. Though not as in-depth as a full-scale exercise, a Functional exercise gives business unit staff the opportunity to "test drive" response plans in a controlled environment, where they perform business functions and see what effects the event has and how their resilience plans perform. This is probably as far as 80% of organizations are willing to go with exercises and that's not a bad thing, any exercise/test efforts will pay you back tenfold. If all – or at least most – business units have performed a Functional exercise by month 24 after signoff, you get a gold star and are top of your class.
4. The Gold Standard, if you will, of exercises is the Full-scale exercise. This involves the entire (or at least majority) of the organization and should include external stakeholders as well and will give you the best feedback on the program and how it will react to a crisis event. As you can imagine, this is the most difficult to organize, most costly and lengthy of the exercise family and requires significant buy-in from senior leadership. If you think you can plan and conduct a productive Full-scale exercise in under 18 months, think again, anything less for a large or medium sized organization is just virtue signaling. Plan for 18 – 36 months for development, plus 3 – 6 months to perform the exercise and develop your outcomes documentation. This will require a healthy budget, both financial and FTEs, and will be a pain to schedule as you will have many calendars to coordinate.

Now that we're all experts in the types of exercises we have at our disposal, let's start with defining a reasonable timeline for exercises.

My personal methodology is as follows: I like to get a Discussion exercise completed within 1 month of signoff of the Business Resumption Plans (BRPs), before everyone involved forgets what they discussed and/or the training they received, this helps reinforce the steps developed for the plan. Outcomes/lessons learned may lead to some changes in the Business Impact Analysis (BIA) data and updates to the BRPs, possibly even a review of the Risk Assessment (RA).
 
Within 6 months, I like to develop and conduct a TTE with each business unit, some individually and those that have significant operational overlap, together. I tie the scenario of the TTE to one of the top 3 threats to the business unit identified during the RA and in some cases, 2 or more threat outcomes. i.e. A fire in the warehouse – Drives a building evacuation, possible relocation, interruption to shipping/receiving, etc. Get as much bang for your buck as possible when you're running exercises, it'll pay off later.

By 18 months, it's great if many of the business units have performed a Functional exercise, but don't be disappointed if it takes up to 36 months. You should budget for 3 days for the actual business unit exercise and at least 3 months to plan it well.

If you never perform a Full-scale exercise, don't think of your program as a failure, getting approval and budget to plan and run this type of exercise is difficult, even in the most dedicated organizations. If you do get the approval required, get a project manager involved early and set up a steering committee to help develop and execute. Under no circumstances should you try this as a one-person show, you will fail miserably. If you've never built and performed a Full-scale exercise, bring in outside expertise who can provide references for their experience in this type of exercise. It's not for the faint of heart

Let's see that timeline in a chart, screamed the crowd:

Once we have achieved a goal of a completed Functional exercise, or at least a TTE, we should have a significant amount of actionable data on the performance of the Resilience Program and we have verified data to provide for auditing purposes, then we can begin the process over again. resilience is not a "one off" process, it's a living, breathing function that must be monitored and kept in tip-top shape, this includes staff who have key functions in the response. It will drive updates to the RA, the BIA and communication processes and these updates reset the clock on our exercise program.

For an excellent deep dive into how to manage data extracted from your program, refer to Martin Gierczak's 4-part essay

1. Continuity Analytics - Bridging Microsoft PowerBI and existing BCP Data
2. Improving your Crisis Management response by process mapping and applying Lean Six Sigma
3. How to increase your organization's situational awareness during a crisis event using TweetDeck
4. Introduction to Agile Resiliency Project Management (ARPM)

It is important to your program, that during the exercise/test processes, you establish and test your Crisis Communications (Professional Practice 9 for those of you keeping score.) Communications, both internal and external, with stakeholders, including senior management, prior to, during, and following an exercise/test - i.e. scope, objectives, results, etc.

Those following closely will have noticed that I have not mentioned IT Disaster Recovery (DR) tests, Life-safety or other such Emergency Management type tests. These are very important to the resilience program and the developer(s) of the various exercises should endeavor to include the folks responsible for those areas in the planning and conducting of exercises to ensure you're all – yes, I was very tempted to use y'all - are singing from the same hymnbook. This will allow any "hooks" that must be included in your response/recovery processes to be identified and mitigated before it bites you on the big toe in a real crisis.

I mentioned previously that exercises are the most overlooked part of any resilience program, well, the most overlooked type of exercise is the return to business as usual and/or return to building. Not unexpectedly, but this is also the least developed plan/process within many programs, but it's something I've identified in gap analyses time and time again across all industries. It's as if everyone has a mental block about the crisis (party?) ending.

As a closing pointy stick in the eye to many organizations, the most often heard takeaway from almost every exercise I've been involved with has been, "Communications were an issue." I'll bet most of you have heard that takeaway after many exercises within organizations as well. Not sure why this is, but may be related to the fact that many practitioners don't deal with the communications folks as a separate business unit, but see them more as a partner in the program development process and consequently they don't get the benefit of a complete RA, BIA and fully developed BRPs. Whatever the reason, stop being one of my bad jokes during program and exercise development.

As always, thanks to those who peer reviewed and offered input and edits to help me appear smarter than I am.

Garth Tucker, CBCP, CORP
Resilience Professional

Email: garthtuckercbcp@gmail.com
Skype: garthatucker

Garth is the Principal of Green Apple Resilience Planning (greenapplebcp.com), a member of the DRI Canada (dri.ca) Board of Directors, and a Certified Business Continuity Professional (CBCP). His career focus is on the development and management of holistic resiliency programs as well as effective management of crisis events.   The path to his current position began with software development, project and program management, and as an IT technology educator worldwide for IBM in the late 1990s and early 2000s. He transitioned to disaster recovery, business continuity, and crisis management beginning in 2002. Significant formal, and self-education throughout his career has ensured he remains relevant and effective.

Back To Top

Stay Connected with TUG

The Toronto Users Group is committed to providing you with communications that are timely, relevant, and insightful. Canada's Anti-Spam Legislation (CAS) requires that we receive your permission to continue sending you emails.

You may have already given us your consent. If you haven't done so yet, or if you're not sure, please click on the following link to indicate that you would like to continue receiving electronic communications from TUG.

Should you change your mind, you can unsubscribe at any time, by clicking on "manage your subscription" at the bottom of our messages.

Back To Top

Browse our
Articles & Downloads archives
Browse our
TUG Buzz! archives

Browse our
eZine archives