Business Continuity Exercises: Quick Exercises to Validate Your Plan
Business Continuity Exercises:
Quick Exercises to Validate Your Plan
By Charlie Maclean-Bristol
An Unexercised Continuity Plan Could Be More Dangerous Than No Plan At All!
Is exercising your continuity program too time-consuming, costly, or difficult to justify in the face of conflicting organizational priorities or senior management buy-in? What if you could use quick, cost-effective, easy exercises to get valuable results with only a relatively modest commitment?
Whether you’re a seasoned practitioner or just getting started, Charlie Maclean-Bristol provides you with expert guidance, a practical framework, and lots of proven examples, tools, tips, techniques and scenarios to get your business continuity exercise program moving!
You can carry out any of the 18 simple yet effective exercises detailed in this book in less than an hour, regardless of your level of experience. Plus, you will find all the support you will need to produce successful exercises.
Build your teams’ knowledge, experience, confidence and abilities while validating your business continuity program, plans and procedures with these proven resources!
“A great addition to the Business Continuity practitioner’s toolkit! “Charlie’s personality shines through. and his unique approach and many years’ combined experience makes this an easy-to-read, practical guide to running short exercises. Applicable to any organization of any type or size, this book can be used to plan and execute a wide range of exercises for anyone with limited time and budget.
“As we are all being impacted by COVID-19, there is no better time to challenge our assumptions and validate the plans we have. As a profession, we need to reflect on the business continuity arrangements we have in place and ask how effectively they are working. We are faced with the challenge of how we can exercise safely in a socially-distanced work environment, and seeking ways to utilize technology to support this.
“Charlie drives home the importance of continuing to identify lessons from real-life incidents and crises, but more importantly how to learn the lessons and bring them into our plans. Running an exercise, no matter how simple, is always an opportunity to learn.” – Deborah Higgins, Head of Cabinet Office, Emergency Planning College, United Kingdom
“Overall a very interesting & informative, sometimes funny and in-depth publication that will be of great use to a wide audience worldwide I am sure, including me.” – Tim Marjuson, BCM & Crisis Management Consultant and Instructor, Dubai
“Charlie’s new book is a real tour de force of how to exercise Business Continuity Plans and Programs. As a former consultant, I immediately recognized many of the difficulties and pitfalls he has identified. One is the perennial problem of getting buy-in or even interest from senior management. Another is trying to do too much in a single exercise which requires a large number of participants, excessive time commitments from busy managers, complex scenario-building and often difficulty in creating enough challenges to engage non-core attendees. The book neatly deals with many of these issues. I really liked the concept of speed exercising and I can envisage it being both fun and informative.” – Lyndon Bird, Chief Knowledge Officer, DRI International
“Business Continuity Exercising has never received the attention it truly deserves, until now. Charlie’s experience in this area shines through in this volume. Applicable to the novice or the seasoned professional, this book is a welcome addition to the Business Continuity industry. Charlie takes the reader from the basics through to the planning and carrying out of an exercise, which is extremely valuable. Even though I’ve over twenty years’ experience in this area, it helped me to think about areas of Business Continuity I hadn’t considered for some time. The structure of the book, going from planning through to conducting the exercises is well thought out and packed full of useful ideas, with templates and examples throughout the book. It’s a book I would happily recommend for the content, style and detail.” – Gary Hibberd, Professor, Cyberfort Group, UK
“Exercising means many things to many people, and in this context, this book has been written to support the development and delivery of business continuity quick exercises. The book has something to offer everyone, with a range of exercises to suit diverse scenarios and sectors.” – Jacqui Semple, Chair, The Emergency Planning Society, UK
“Charlie Maclean-Bristol captures well the essence of the exercise purpose and process with concise, easy-to-read notes. The challenge, as he rightly points out, is engagement and often the biggest collective corporate block to engagement is complacency.” – James Royds, Independent Consultant: risk, crisis and continuity management, Reading, United Kingdom
“Charlie Maclean-Bristol has provided an excellent guide and toolset for delivering ‘Proof.’ His book Business Continuity Exercises: Quick Exercises to Validate Your Plan provides valuable material across all levels of Business Continuity experience. Simple constructs such as ‘What, So What and Now What’ have a significant power-to-weight ratio: very easy to apply and to deliver significant value to the pursuit of proof. ‘Red-Team-Blue-Team’ is an example of what I call Challenged Collaboration which delivers benefits greater than the sum of the individual participants working the same problem. While the book provides a plethora of clever techniques and scenario suggestions, I was very pleased to see an appropriate focus and depth in the aspects of debriefing and reporting – the realization of the proof and the requirements for improvement. Charlie has added real value to the Business Continuity domain and in doing so, has shown that exercises need not be arduous, drawn out, mysterious or scary.” – Saul Midler, BC+R Executive, Terra Firma Pty Ltd, Melbourne, Australia
Business Continuity Exercises:
Quick Exercises to Validate Your Plan
By Charlie Maclean-Bristol
Business Continuity Exercises: Quick Exercises to Validate Your Plan Will Help You To:
- Understand the process of planning and conducting business exercises efficiently while achieving maximum results.
- Develop the most appropriate strategy framework for conducting and assessing your exercise.
- Overcome obstacles to your business continuity exercise program, whether due to budget restrictions, time constraints, or conflicting priorities.
- Choose the most appropriate and effective exercise scenario, purpose and objectives.
- Plan and conduct your exercise using a straightforward, proven methodology with extensive tools and resources.
- Conduct exercises suitable for responding to all types of business interruptions and emergencies, including cyber incidents and civil disasters.
- Conduct exercises for newcomers to business continuity as well as for experienced practitioners.
- Create a comprehensive post-exercise report to achieve valuable insights, keep management and participants in the loop, and to further your objectives.
Print ISBN – 978-1-944480-68-4
EPUB ISBN – 978-1-944480-69-1
WEB PDF ISBN – 978-1-944480-70-7
Preface by Philip Jan Rothstein, FBCI
Exercising contingency programs of any form, particularly business continuity, is a subject near and dear to me. As the saying goes, ?I wrote the book? on business continuity/disaster recovery exercises ? literally! In 1997 I published the first book ever on this subject, Disaster Recovery Testing: Exercising Your Contingency Plan. Looking back at that book now, I can see that while I had much to learn, the Disaster Recovery industry (as it was then known) was far more focused on developing recovery procedures than exercises.
I believe many practitioners as well as business leaders were motivated by that book and have often considered a new edition over the years. Charlie Maclean-Bristol has now brought us this work to provide, simple, quick exercise materials you can use to kick-start your own business continuity program.
I have long believed that inertia is often the biggest obstacle to getting the exercise process going. Simple, engaging and nonthreatening exercises are often the best way to get the ball rolling. In this book, Charlie Maclean-Bristol provides just the right combination to make this happen.
For over thirty years, I have asserted repeatedly, ?an unexercised contingency plan is worse than no plan at all.? Now, with Charlie?s expert guidance and the benefit of his broad experience, you have no excuse!
Philip Jan Rothstein, FBCI, President
Rothstein Associates Inc.
Publisher, Rothstein Publishing
Brookfield, Connecticut USA
Foreword By James McAlister
I have been a friend and colleague of Charlie for well over a decade. We met at one of the Business Continuity Institute?s annual conference dinners and on first impression I thought ?who is this cocky Scotsman? by the way he was wearing black tie dinner apparel with bright red tartan trews. For those of you who don’t know Charlie, he is a true larger-than-life character, with a booming voice, barrel chest and the energy of a springer spaniel. But if you dig beneath the brawny exterior you find a very different character who is very bright, meticulous and a complex thinker. This cocktail of conflicting internal and external qualities are what make Charlie such a terrific planner, speaker and exercise facilitator.
I think the reason we hit it off as friends and later professional rivals is mostly down to our similar working backgrounds. Charlie is ex-military and I was at the time a career police officer; both of us for many years had experienced the realities of real-world disaster and crisis management. Also in common was our 30+-year history in training and exercise development; both of us working with high-profile, global private and public sector clients on a wide range of diverse resilience projects.
That?s Charlie, but what about his book? It manages to bring together the two worlds of hard-earned incident experience and well-practiced exercise development methodology. The book contains an abundance of very detailed exercise preparation and facilitation guidance to cater to both novice and veteran practitioners? needs. The pages are crammed with truly useful, practical content including tabled information, bullet lists, aides-m?moires, things to think about, questions to ask exercise participants, helpful diagrams and so much more.
The aspect that sets this book apart is Charlie?s concept of running ?quick? exercises. Most response teams nowadays don?t have the time to take part in full-day exercises, so a book that enables facilitators to plan, prepare and conduct effective hour-long tests is game changing.
The only thing that worries me is? has Charlie given away TOO many of his exercise secrets for his own good?
MA DipBCM DipEd FICPEM?Hon FBCI
Crisis Prepared Limited ? Organisational Resilience Consultancy
Burscough, Lancashire, United Kingdom
WHAT YOUR COLLEAGUES ARE SAYING ABOUT BUSINESS CONTINUITY EXERCISES III
DEDICATION AND ACKNOWLEDGEMENTS VI
FOREWORD BY DR CLAIRE MACRAE IX
FOREWORD BY JAMES MCALISTER XIII
THE AIM OF THIS BOOK 1
WHO IS THIS BOOK FOR? 2
WHY CONDUCT EXERCISES 4
TEN REASONS WHY YOU SHOULD CONDUCT SHORT EXERCISES 5
AN EXAMPLE OF A SHORT EXERCISE 8
HOW TO PLAN YOUR EXERCISE 11
TYPES OF SHORT EXERCISES 35
1 THE SIMPLEST OF EXERCISES: THE PLAN WALKTHROUGH 37
1.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 37
1.2 DELIVERY OF THE EXERCISE 39
1.3 REPORTING AND FOLLOW-UP 40
2 THE MOST VERSATILE OF EXERCISES: SPEED EXERCISING 41
2.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 41
2.2 DELIVERY OF THE EXERCISE 43
2.3 REPORTING AND FOLLOW-UP 51
3 SIMPLE TABLETOP EXERCISE 55
3.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 55
3.2 DELIVERY OF THE EXERCISE 60
3.3 REPORTING AND FOLLOW-UP 67
4 FIRE BELL HAS GONE OFF ? ?OUTSIDE NOW? 69
4.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 69
4.2 DELIVERY OF THE EXERCISE 72
4.3 REPORTING AND FOLLOW-UP 80
5 A TEAM AGENDA FOR DYNAMIC INCIDENT TEAM MEETINGS 81
5.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 81
5.2 HOW TO USE THE TEAM AGENDA 84
5.3 DELIVERY OF THE EXERCISE 87
5.3.1 AN OVERALL SCENARIO FOR THE EXERCISE SHOULD BE DEVELOPED 88
5.4 REPORTING AND FOLLOW-UP 93
6 CONCISE BRIEFINGS WITH NO-WAFFLE, THREE-MINUTE BRIEFS 95
6.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 95
6.2 HOW TO CONDUCT THE THREE-MINUTE BRIEF 97
6.3 HOW TO CONDUCT THE EXERCISE 97
6.4 REPORTING AND FOLLOW-UP 100
7 IDENTIFY KEY STAKEHOLDERS BY USING A COMMUNICATIONS MATRIX 101
7.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 101
7.2 HOW TO CONDUCT THE EXERCISE 102
7.3 REPORTING AND FOLLOW-UP 105
8 STAKEHOLDER INFLUENCE MATRIX ? UNDERSTANDING YOUR STAKEHOLDERS? IMPORTANCE 107
8.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 107
8.2 HOW TO USE THE STAKEHOLDER INFLUENCE MATRIX 110
8.3 HOW TO CONDUCT THE EXERCISE 113
8.4 REPORTING AND FOLLOW-UP 115
9 PRECISE INCIDENT REPORTING USING THE METHANE MNEMONIC 117
9.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 117
9.2 HOW TO USE METHANE 119
9.3 HOW TO CONDUCT THE EXERCISE 123
9.4 REPORTING AND FOLLOW-UP 124
10 RESPONDING TO AN INCIDENT BY CONDUCTING A DYNAMIC RISK ASSESSMENT 125
10.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 125
10.2 HOW TO CARRY OUT A DYNAMIC RISK ASSESSMENT 127
10.3 HOW TO CONDUCT THE EXERCISE 128
10.4 REPORTING AND FOLLOW-UP 130
11 ?WHAT, SO WHAT, NOW WHAT? ? ENSURING YOU UNDERSTAND THE WHOLE PICTURE 131
11.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 131
11.2 HOW TO USE WHAT, SO WHAT, NOW WHAT 133
11.3 HOW TO CONDUCT THE EXERCISE 139
11.4 REPORTING AND FOLLOW-UP 141
12 HORIZON SCANNING DURING INCIDENTS, ANTICIPATING WORST CASE 143
12.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 143
12.2 HOW TO USE THE WORST-CASE SCENARIO 145
12.3 HOW TO CONDUCT THE EXERCISE 153
12.4 REPORTING AND FOLLOW-UP 155
13 WAR GAMING: RED TEAM VERSUS BLUE TEAM 157
13.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 157
13.2 HOW TO CONDUCT THE EXERCISE 160
13.3 REPORTING AND FOLLOW-UP 161
14 RANDOMIZE YOUR EXERCISE SCENARIOS WITH A SCENARIO GENERATOR 163
14.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 163
14.2 USING THE SCENARIO GENERATOR 165
14.3 HOW TO CONDUCT THE EXERCISE 168
14.4 REPORTING AND FOLLOW-UP 169
15 ACCESSORIZE YOUR RESPONSE WITH BATTLEBOXES AND GRAB BAGS 171
15.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 171
15.2 HOW TO CARRY OUT THIS DISCUSSION 175
15.3 HOW TO CONDUCT THE DISCUSSION 176
15.4 NEXT ACTIONS 177
15.5 ANNEX A ? CONTENTS OF GRAB BAGS 177
16 KEEP IT SIMPLE: THE HOT DEBRIEF 183
16.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 183
17 DEBRIEF MILITARY STYLE: WITH AN ?AFTER ACTION REVIEW? 187
17.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 187
17.2 HOW TO CARRY OUT AN AAR 189
17.3 HOW TO CONDUCT THE DEBRIEF 191
17.4 REPORTING AND FOLLOW-UP 193
18 DEBRIEF YOUR EXERCISE, INCIDENT OR EVENT USING ?STRUCTURED DEBRIEFING? 195
18.1 EXERCISE OVERVIEW AND EXERCISE DETAILS 195
18.2 HOW TO CARRY OUT A STRUCTURED DEBRIEFING 197
18.3 HOW TO CONDUCT THE EXERCISE 202
18.4 REPORTING AND FOLLOW-UP 206
19 WRITING A POST-EXERCISE AND TRAINING REPORT 207
19.1 POST-EXERCISE REPORTS OVERVIEW 207
19.2 POST-EXERCISE REPORT CONTENT 212
19.3 POST TRAINING REPORTS 214
20 THE ROLE OF THE UMPIRE IN EXERCISES 217
21 A FRAMEWORK FOR ASSESSING THE EXERCISE 223
22 CHOOSING AN EXERCISE SCENARIO 227
23 A SELECTION OF SCENARIO SUGGESTIONS 235
23.1 DENIAL OF ACCESS, LOSS OF THE BUILDING OR IMPACT ON OPERATIONS 235
23.2 REPUTATIONAL SCENARIOS 243
23.3 CYBER SCENARIOS 245
23.4 COMMUNITY SCENARIOS 247
23.5 LOSS OF IT AND/OR TELEPHONY 249
23.6 LOSS OF PEOPLE 251
23.7 LOSS OF A KEY SUPPLIER 254
23.8 RECAP: CHOOSING AN EXERCISE SCENARIO 255
24 A SYLLABUS FOR A FULL DAY?S TRAINING 257
25 SUMMARY AND NEXT STEPS 261
APPENDIX A: DEVELOPING A SIMEX 263
A.1 THE TASK GIVEN 264
A.2 STEP 1 ? WHAT ARE THE PARAMETERS AND REASONS FOR RUNNING YOUR EXERCISE? 265
A.3 STEP 2 ? IDENTIFY THE AUDIENCE FOR THE EXERCISE 267
A.4 STEP 3 ? WHAT ARE YOU TRYING TO ACHIEVE DURING YOUR EXERCISE? 267
A.5 STEP 4 ? CHOOSE THE RIGHT TYPE OF EXERCISE WHICH WILL MEET YOUR OBJECTIVES 269
A.6 STEP 5 ? CHOOSE A SUITABLE SCENARIO 270
A.7 STEP 6 ? DEVELOP THE EXERCISE INSTRUCTION AND ASSIGN TASKS 277
A.8 STEP 7 ? PREPARE THE BRIEFING BEFORE YOU START THE EXERCISE 282
A.9 STEP 8 ? DECIDE HOW YOU WILL ASSESS AND DEBRIEF THE EXERCISE, AND WRITE UP THE FINDINGS 286
APPENDIX B ? EXERCISING WITH TRIBBLES, BY PHILIP JAN ROTHSTEIN, FBCI 291
ABOUT THE AUTHOR 295
Excerpt from the Introduction
The Aim of This Book
he aim of this book is to provide practitioners and those with limited knowledge of running exercises with a series of simple exercises to improve the skills and knowledge of people involved in business continuity, crisis management, information- and cyber-security and community safety within their organization, as well as members of the public.
Most of the exercises require modest planning and resources and can be carried out in less than an hour. All of them are designed to add to the soft or hard skills of those taking part. Some of them, such as the communication matrix and team agenda, teach key tools and techniques which have been used successfully to manage an incident.
I was prompted to write this book on observing the limited exercising of plans, people and responses taking place in many organizations. There are lots of reasons for people not to exercise: they feel they lack the skills to do it, they find it difficult to get the time with those that should be taking part in an exercise, they lack budget, or, even though they may not admit it, they lack the confidence to run an exercise.
I have also seen large complex exercises taking place where the participants run around and problem-solve, ignoring the plan developed for them to respond to. Those participating had not learned very much except that humans are good at problem-solving. At times when I have observed these types of exercises, I feel that the time, effort, and cost has been wasted and the learning benefit minimal.
In writing this book, I have tried to democratize exercises allowing those of you with all levels of skills and experience and different types of audiences to run successful exercises.
I have also tried to describe in detail how to run the exercise so that those who have not run exercises before have the confidence to start. All the exercises in this book have been chosen to help instill in you and your participants key lessons and tools which you can use to successfully manage an incident. By using short exercises, lack of time, budget and availability of staff become less of an issue, and so you have little excuse but to start exercising.
Who is This Book For?
This book is aimed at a wide variety of people having a role in trying to improve the resilience of your organization or community by conducting exercises. You could be involved in business continuity, emergency planning, resilience, cyber security, information security, civil defense, first responders and the emergency services, or improving community resilience. You may be a full time professional, work part-time or serve as a volunteer.
For the less experienced practitioner this book can give you step-by-step advice and simple but effective exercises you can conduct yourself rather than waiting for or paying for a more experienced person to run them for you. Your confidence to run exercises will develop once you have used this book to conduct the first few. Once you have planned and developed the simple exercises within this book you can then go on and run more complex and longer exercises.
If you are an experienced practitioner, there will be exercises in this book which will be unfamiliar, and which can help you add something new to your repertoire of exercises.
For those responsible for raising awareness of the issues associated with business continuity, information security and resilience within their own organization or the wider community, these exercises can be an ideal tool for engaging people and getting them to think about how to respond to an incident.
Another way of carrying out business continuity awareness training is through eLearning. eLearning is used in many organizations as a way to carry out awareness of other disciplines such as information security and for compliance training such as anti-slavery and money laundering. Within some organizations there is eLearning fatigue and people try to get through the training as quickly as possible without really engaging with the training or learning from the content. The exercises in this book take a similar time to conduct as eLearning but can provide a more effective way to engage with the audience and convey the required messages.
Cyber and IT professionals can use these exercises to prepare their response to an incident. Most of the exercises can be used to practice the response to a wide range of information security or cyber scenarios.
Community groups, people involved in civil defense, emergency services and those promoting community resilience will also find exercises in the book which capture the imagination of those whose resilience you are trying to improve. They will enjoy the exercises but at the same time develop skills and knowledge to be able to react if an incident occurs.
The audience for these exercises can be anyone within an organization who needs to have knowledge of business continuity or the ability to manage incidents. This could be those with roles within incident management teams, or business continuity coordinators whose role it is to develop business continuity plans for their own part of the organization. Awareness should also be provided to general staff who could be affected by an incident and have to work from a different location or have to work in a different way in response to an incident.
Why Conduct Exercises
?An organization?s continuity capability cannot be considered reliable or effective until it has been exercised.?
The Business Continuity Institute (BCI) Good Practice Guidelines 2018
Most resilience practitioners recognize the importance of exercising in validating their plans and as a tool to help those with a role in the plan to understand how they should respond to an incident. As humans we love problem-solving and trying to win against the odds. Exercises are a great way to challenge individuals, communities and groups to overcome the obstacles of a scenario and to learn valuable lessons which you can use in a real incident. By exercising we get those responding to learn the basic lessons of managing an incident ? they make the mistakes in exercises and learn from them, rather than learn them at a cost during the response to a real incident.
In my experience very few people would challenge the idea of exercising and the benefit it gives those whose role it is to respond to an incident. The difficulty many people have with large-scale exercises is that they can take considerable time and effort to prepare. Often, they have to be organized months in advance to ensure that the right people are available, and many participants lack the skills to plan and execute a major exercise. They can also be seen as expensive due to the lack of internal skills, so external experts may be brought in to plan and then run the exercise.
On the other hand, short exercises can solve many of these issues as they can be run at short notice, with minimum experience and have many of the learning benefits of longer and more complex exercises.
Ten Reasons Why You Should Conduct Short Exercises
- To organize a complex tabletop, live or SIMEX (simulation)0F exercise usually takes months of planning and preparation. A short exercise can be organized with thirty minutes notice.
- Major exercises are usually carried out once a year and may only consist of three hours actual exercising. Short exercises can be run more often, giving you a greater total time exercising and keeping your skills up to date rather than forgetting what?s been learned in between annual exercises.
- In my experience most senior managers have a limited amount of time they are prepared to spend on preparing for incidents. Trying to get the required 3 to 4 hours to take part in the exercise needs to be diarized months in advance to ensure that all are available at the same time. A short exercise of an hour or even thirty minutes can be added before or after an existing meeting. Carrying out short exercises often can have a greater training benefit than one annual exercise. Keep in mind that longer SIMEX or complex tabletop exercises are necessary periodically as well as short exercises.
- Carrying out shorter exercises more often allows a wide range of different scenarios to be chosen. In longer exercises there is the requirement to focus on one likely scenario. If you run a less-likely scenario you could run into issues if the scenario is being questioned, bringing the credibility of the exercise into question and losing much of the benefit from the exercise.
- If you are just starting to implement a business continuity or resilience program, it can be a long time before it seems like anything is happening, as the activity typically involves a small number of project staff. A risk assessment needs to be developed, plans need to be written, and only then can those in the program be trained or take part in an exercise. Carrying out a short exercise or two at the beginning of the program will help to provide those responding with some knowledge of how to respond to an incident, which can be valuable if an incident occurred while the program is being rolled out.
- For some, business continuity can seem to be a dry subject and staff members may not engage with the training they are receiving. By getting them on their feet and coming up with their own solutions during a short exercise, you can engage with them and gain their interest in the training you are delivering.
- Some of the exercises presented here such as, ?What, so what, now what? and ?Horizon scanning during incidents, anticipating worst case,? can be used as tools to look at how the organization can prepare for a known future event, such as a transport strike or a protest taking part in the vicinity of one of your office buildings.
- The outputs of many of these exercises can be used to develop response plans to different scenarios. Speed Exercising is a good means of developing the risk, issues, impacts, and actions associated with a particular incident. A large number of different people looking at the same scenario can be a lot more productive than a small group sitting together trying to develop the response and actions needed.
- Short exercises are a good opportunity for less experienced practitioners to develop their skills and confidence in running exercises. The exercises in this book are simple to plan and run so you do not need to be a skilled practitioner to execute them.
- Designated business continuity champions are those who have a business continuity role but are part-time and often do not conduct their own exercises. In this role you may feel that you don?t have the required skills or knowledge and wait for the Business Continuity Manager to exercise the plans. By following this simple step-by-step methodology, you can exercise your own plans without internal or external help.
Foreword by Dr Claire MacRae
I was delighted to be asked to write this foreword to support my colleague in his fantastic endeavour in writing this book which contributes formally to the fields of crisis management and business continuity.
When I was writing this foreword, the Covid-19 global crisis was prevalent and so the timing and publication of this book has never been more relevant. This crisis has exposed organisations to unprecedented challenges and risks, giving rise to new ways of working and the ?new normal.? In recovering from crises such as the Covid-19 pandemic, this book is a useful toolkit in preparing for future events to validate business continuity plans and to continue with ?business as usual.?
This book takes a proactive approach focusing on building resilience within organisations to mitigate the negative impact of an event. It focuses on prevention of, rather than reaction to, crises as they occur by building resilience to mitigate the impact of crises. It is a must-have for both the experienced practitioner when training colleagues, or those with little or no experience in business continuity. The book is applicable to all industry sectors, public and private due to the diverse exercises provided.
The style of the book provides a simple but effective guide for those with little or no experience in business continuity but with a need to develop their skills and knowledge. It outlines a holistic approach to business continuity considering the critical elements of team meetings, briefings which are focused, identification of key stakeholders and reporting linked to the analysis of risk.
The use of practical examples creates a narrative to engage others in planning exercises supported by an extensive variety of short exercise examples pertinent to all types of organisation ? whether small, medium or large, public or private. The innovative use of techniques, for example ?war gaming? in chapter 13, provides an exciting approach to business continuity and crisis management which will unquestionably engage individuals and overcome inertia.
Charlie?s forward-thinking contributions to innovative practice in business continuity, crisis management and resilience should make practice and learning dynamic and motivating.
Charlie leads an independent resilience consultancy, PlanB Consulting, which has a long-standing relationship with our University, Glasgow Caledonian University (GCU), in particular our MSc and Undergraduate Risk Management degree programs. Since the 1980s, Risk Management has been taught at GCU and business continuity planning is an integral part of our degree programmes. Charlie supports the academic team at GCU teaching business continuity, crises and resilience within organisations. His diverse background in managing business continuity and contingency planning ? including in the Army, large organisations and other consultancies ? is a commendation to his extensive leadership skills and capabilities in this area.
As a Senior Lecturer in Risk at GCU and a published commentator and contributor to the area of risk I welcome the underpinning of the approaches in this book, in building resilience to a crisis alongside management and recovery. The role of risk, and its analysis, is a crucial part of this process and this book is a long-awaited opportunity supporting theory as well as the current integration of risk and resilience proactively in my MSc module, Risk and Organisational Resilience.
This book will feature as essential reading for students studying modules in organisational risk, resilience, and business continuity management. Charlie?s extensive knowledge and expertise, both academic and real-life, are highly valued by myself in shaping graduates by providing them with real-life industry experiences.
??Dr Claire MacRae
Senior Lecturer in Risk, Glasgow Caledonian University, Glasgow School for Business and Society, Glasgow, Scotland, United Kingdom
Former Programme Leader, MSc Risk Management and BA (Hons) Risk Management
Currently Programme Leader for the Doctorate of Business Administration (DBA) and Senior Postgraduate Research Tutor
WHAT YOUR COLLEAGUES ARE SAYING ABOUT BUSINESS CONTINUITY EXERCISES
?A great addition to the Business Continuity practitioner?s toolkit! ?Charlie?s personality shines through. and his unique approach and many years? combined experience makes this an easy-to-read, practical guide to running short exercises. Applicable to any organization of any type? or size, this book can be used to plan and execute a wide range of exercises for anyone with limited time and budget.
?As we are all being impacted by COVID-19, there is no better time to challenge our assumptions and validate the plans we have. As a profession, we need to reflect on the business continuity arrangements we have in place and ask how effectively they are working. We are faced with the challenge of how we can exercise safely in a socially-distanced work environment, and seeking ways to utilize technology to support this.
“Charlie drives home the importance of continuing to identify lessons from real-life incidents and crises, but more importantly how to learn the lessons and bring them into our plans. Running an exercise, no matter how simple, is always an opportunity to learn.?
Head of Cabinet Office, Emergency Planning College, United Kingdom
?Overall a very interesting & informative, sometimes funny and in-depth publication that will be of great use to a wide audience worldwide I am sure, including me.?
BCM & Crisis Management Consultant and Instructor, Dubai
?Charlie?s new book is a real tour de force of how to exercise Business Continuity Plans and Programs. As a former consultant, I immediately recognized many of the difficulties and pitfalls he has identified. One is the perennial problem of getting buy-in or even interest from senior management. Another is trying to do too much in a single exercise which requires a large number of participants, excessive time commitments from busy managers, complex scenario-building and often difficulty in creating enough challenges to engage non-core attendees. The book neatly deals with many of these issues. I really liked the concept of speed exercising and I can envisage it being both fun and informative.?
Chief Knowledge Officer, DRI International
?Business Continuity Exercising has never received the attention it truly deserves, until now. Charlie?s experience in this area shines through in this volume. Applicable to the novice or the seasoned professional, this book is a welcome addition to the Business Continuity industry.
?Charlie takes the reader from the basics through to the planning and carrying out of an exercise, which is extremely valuable. Even though I?ve over twenty years? experience in this area, it helped me to think about areas of Business Continuity I hadn?t considered for some time.
?The structure of the book, going from planning through to conducting the exercises is well thought out and packed full of useful ideas, with templates and examples throughout the book. It’s a book I would happily recommend for the content, style and detail.?
Professor, Cyberfort Group, UK
?Exercising means many things to many people, and in this context, this book has been written to support the development and delivery of business continuity quick exercises. The book has something to offer everyone, with a range of exercises to suit diverse scenarios and sectors.?
Chair, The Emergency Planning Society, UK
?Charlie Maclean-Bristol captures well the essence of the exercise purpose and process with concise, easy-to-read notes. The challenge, as he rightly points out, is engagement and often the biggest collective corporate block to engagement is complacency.?
Independent Consultant: risk, crisis and continuity management
Reading, United Kingdom
?Charlie Maclean-Bristol has provided an excellent guide and toolset for delivering ?Proof.? His book Business Continuity Exercises: Quick Exercises to Validate Your Plan provides valuable material across all levels of Business Continuity experience. Simple constructs such as ?What, So What and Now What? have a significant power-to-weight ratio: very easy to apply and to deliver significant value to the pursuit of proof. ?Red-Team-Blue-Team? is an example of what I call Challenged Collaboration which delivers benefits greater than the sum of the individual participants working the same problem.
?While the book provides a plethora of clever techniques and scenario suggestions, I was very pleased to see an appropriate focus and depth in the aspects of debriefing and reporting ? the realization of the proof and the requirements for improvement. Charlie has added real value to the Business Continuity domain and in doing so, has shown that exercises need not be arduous, drawn out, mysterious or scary.?
BC+R Executive, Terra Firma Pty Ltd, Melbourne, Australia