COMING OCTOBER 2020
Business Continuity Exercises:
Quick Exercises to Validate Your Plan
By Charlie Maclean-Bristol
Print ISBN – 978-1-944480-68-4
EPUB ISBN – 978-1-944480-69-1
WEB PDF ISBN – 978-1-944480-70-7
Charlie Maclean-Bristol is a Business Continuity and Crisis Management consultant. He has founded two successful companies: an independent resilience consultancy, PlanB Consulting, with his wife Kim, and a certified training services provider, Business Continuity Training (BCT), with his brother Lauchlan.
His first experience of contingency planning, training and incident management was as a Captain in the King's Own Scottish Borderers, where he spent 3 years implementing patrols and anti-terrorist operations on active service in Northern Ireland. After leaving the Army he joined Anglian Water as their first Emergency Planning Manager, followed by Scottish Power as their Business Continuity Manager. He then worked for a short time for two consultancies before setting up PlanB Consulting in 2007.
Charlie is a former Business Continuity Institute (BCI) board member and one of the very few Fellows of both the Emergency Planning Society and the Business Continuity Institute. In 2011, he was awarded Business Continuity Consultant of the year at the CIR awards and in 2018 he was BCI European Awards – Personality of the Year. He has been a finalist in nine other awards varying from ‘Lifetime Achievement’ to ‘Consultant of the Year’.
He has a PgD in “Emergency Planning and Disaster Management” from the University of Hertfordshire. He is also a visiting lecturer and teaches Resilience, Continuity, and Crises Management as a Module Leader at Glasgow Caledonian University to MSc and MBA students in South Africa and London.
Although now senior in the profession, he has a very hands-on approach to business continuity and, as a BCI approved trainer, regularly delivers training as part of BCT's public business continuity training courses, including the CBCI course. In his role at PlanB Consulting he has delivered consultancy in six different continents, and to a diverse list of public and public organisations.
Charlie has contributed to the profession by being involved in the writing of the last three editions of the BCI “Good Practice Guidelines,” developing a number of BCI public training courses, and a cyber incident management course which is certified by GCHQ. He is a regular speaker at conferences, writes a weekly blog on all things business continuity, and has appeared on TV and radio a number of times. He has had several papers published in business continuity and emergency planning journals.
Charlie was brought up on the Isle of Coll, a small island off the west coast of Scotland, in a 14th-century castle and now lives in Houston, Renfrewshire with his wife and two children.
Exercising contingency programs of any form, particularly business continuity, is a subject near and dear to me. As the saying goes, “I wrote the book” on business continuity/disaster recovery exercises – literally! In 1997 I published the first book ever on this subject, Disaster Recovery Testing: Exercising Your Contingency Plan. Looking back at that book now, I can see that while I had much to learn, the Disaster Recovery industry (as it was then known) was far more focused on developing recovery procedures than exercises.
I believe many practitioners as well as business leaders were motivated by that book and have often considered a new edition over the years. Charlie Maclean-Bristol has now brought us this work to provide simple, quick exercise materials you can use to kick-start your own business continuity program.
I have long believed that inertia is often the biggest obstacle to getting the exercise process going. Simple, engaging and nonthreatening exercises are often the best way to get the ball rolling. In this book, Charlie Maclean-Bristol provides just the right combination to make this happen.
For over thirty years, I have asserted repeatedly, “an unexercised contingency plan is worse than no plan at all.” Now, with Charlie’s expert guidance and the benefit of his broad experience, you have no excuse!
Philip Jan Rothstein, FBCI, President
Rothstein Associates Inc.
Publisher, Rothstein Publishing
Brookfield, Connecticut USA
I have been a friend and colleague of Charlie for well over a decade. We met at one of the Business Continuity Institute’s annual conference dinners and on first impression I thought “who is this cocky Scotsman” by the way he was wearing black tie dinner apparel with bright red tartan trews. For those of you who don’t know Charlie, he is a true larger-than-life character, with a booming voice, barrel chest and the energy of a springer spaniel. But if you dig beneath the brawny exterior you find a very different character who is very bright, meticulous and a complex thinker. This cocktail of conflicting internal and external qualities is what makes Charlie such a terrific planner, speaker and exercise facilitator.
I think the reason we hit it off as friends and later professional rivals is mostly down to our similar working backgrounds. Charlie is ex-military and I was at the time a career police officer; both of us for many years had experienced the realities of real-world disaster and crisis management. Also in common was our 30+-year history in training and exercise development; both of us working with high-profile, global private and public sector clients on a wide range of diverse resilience projects.
That’s Charlie, but what about his book? It manages to bring together the two worlds of hard-earned incident experience and well-practiced exercise development methodology. The book contains an abundance of very detailed exercise preparation and facilitation guidance to cater to both novice and veteran practitioners’ needs. The pages are crammed with truly useful, practical content including tabled information, bullet lists, aides-mémoires, things to think about, questions to ask exercise participants, helpful diagrams and so much more.
The aspect that sets this book apart is Charlie’s concept of running “quick” exercises. Most response teams nowadays don’t have the time to take part in full-day exercises, so a book that enables facilitators to plan, prepare and conduct effective hour-long tests is game changing.
The only thing that worries me is… has Charlie given away TOO many of his exercise secrets for his own good?
MA DipBCM DipEd FICPEM Hon FBCI
Crisis Prepared Limited – Organisational Resilience Consultancy
Burscough, Lancashire, United Kingdom
WHAT PEOPLE ARE SAYING ABOUT BUSINESS CONTINUITY EXERCISES
THE AIM OF THIS BOOK
WHO IS THIS BOOK FOR?
WHY CONDUCT EXERCISES
TEN REASONS WHY YOU SHOULD CONDUCT SHORT EXERCISES
HOW TO PLAN YOUR EXERCISE
TYPES OF SHORT EXERCISES
1 THE SIMPLEST OF EXERCISES: THE PLAN WALKTHROUGH
2 THE MOST VERSATILE OF EXERCISES: SPEED EXERCISING
3 SIMPLE TABLETOP EXERCISE
4 FIRE BELL HAS GONE OFF “OUTSIDE NOW”
5. A TEAM AGENDA FOR DYNAMIC INCIDENT TEAM MEETINGS
5.3.1 AN OVERALL SCENARIO FOR THE EXERCISE SHOULD BE DEVELOPED
6. CONCISE BRIEFINGS WITH NO-WAFFLE, THREE-MINUTE BRIEFS
7. IDENTIFY KEY STAKEHOLDERS BY USING A COMMUNICATIONS MATRIX
8. STAKEHOLDER INFLUENCE MATRIX – UNDERSTANDING YOUR STAKEHOLDERS’ IMPORTANCE
9. PRECISE INCIDENT REPORTING USING THE MNEMONIC METHANE
10. RESPONDING TO AN INCIDENT BY CONDUCTING A DYNAMIC RISK ASSESSMENT
11 “WHAT, SO WHAT, NOW WHAT” – ENSURING YOU UNDERSTAND THE WHOLE PICTURE
12 HORIZON SCANNING DURING INCIDENTS, ANTICIPATING WORST CASE
10. WAR GAMING: RED TEAM VERSUS BLUE TEAM
11. RANDOMIZE YOUR EXERCISE SCENARIOS WITH A SCENARIO GENERATOR
12. ACCESSORIZE YOUR RESPONSE WITH BATTLEBOXES AND GRAB BAGS
16 KEEP IT SIMPLE: THE HOT DEBRIEF
17 DEBRIEF MILITARY STYLE: WITH AN “AFTER ACTION REVIEW”
13. DEBRIEF YOUR EXERCISE, INCIDENT OR EVENT USING “STRUCTURED DEBRIEFING”
19 WRITING A POST-EXERCISE AND TRAINING REPORT
20 THE ROLE OF THE UMPIRE IN EXERCISES
21 A FRAMEWORK FOR ASSESSING THE EXERCISE
22 CHOOSING AN EXERCISE SCENARIO
23 A SELECTION OF SCENARIO SUGGESTIONS
23.9 A SYLLABUS FOR A FULL DAY’S TRAINING
24 SUMMARY AND NEXT STEPS
APPENDIX A: DEVELOPING A SIMEX
APPENDIX A – EXERCISING WITH TRIBBLES, BY PHILIP JAN ROTHSTEIN, FBCI
ABOUT THE AUTHOR
The aim of this book is to provide practitioners and those with limited knowledge of running exercises with a series of simple exercises to improve the skills and knowledge of people involved in business continuity, crisis management, information- and cyber-security and community safety within their organization, as well as members of the public.
Most of the exercises require modest planning and resources and can be carried out in less than an hour. All of them are designed to add to the soft or hard skills of those taking part. Some of them, such as the communication matrix and team agenda, teach key tools and techniques which have been used successfully to manage an incident.
I was prompted to write this book on observing the limited exercising of plans, people and responses taking place in many organizations. There are lots of reasons for people not to exercise: they feel they lack the skills to do it, they find it difficult to get the time with those that should be taking part in an exercise, they lack budget, or, even though they may not admit it, they lack the confidence to run an exercise.
I have also seen large complex exercises taking place where the participants run around and problem-solve, ignoring the plan developed for them to respond to. Those participating had not learned very much except that humans are good at problem-solving. At times when I have observed these types of exercises, I have felt that the time, effort, and cost were wasted and the learning benefit minimal.
In writing this book, I have tried to democratize exercises, allowing those of you with all levels of skills and experience and different types of audiences to run successful exercises.
I have also tried to describe in detail how to run the exercise so that those who have not run exercises before have the confidence to start. All the exercises in this book have been chosen to help instill in you and your participants key lessons and tools which you can use to successfully manage an incident. By using short exercises, lack of time, budget and availability of staff become less of an issue, and so you have little excuse but to start exercising.
This book is aimed at a wide variety of people having a role in trying to improve the resilience of your organization or community by conducting exercises. You could be involved in business continuity, emergency planning, resilience, cyber security, information security, civil defense, first responders and the emergency services, or improving community resilience. You may be a full time professional, work part-time or serve as a volunteer.
For the less experienced practitioner this book can give you step-by-step advice and simple but effective exercises you can conduct yourself rather than waiting for or paying for a more experienced person to run them for you. Your confidence to run exercises will develop once you have used this book to conduct the first few. Once you have planned and developed the simple exercises within this book you can then go on and run more complex and longer exercises.
If you are an experienced practitioner, there will be exercises in this book which will be unfamiliar, and which can help you add something new to your repertoire of exercises.
For those responsible for raising awareness of the issues associated with business continuity, information security and resilience within their own organization or the wider community, these exercises can be an ideal tool for engaging people and getting them to think about how to respond to an incident.
Another way of carrying out business continuity awareness training is through eLearning. eLearning is used in many organizations to deliver awareness training for other disciplines such as information security, and for compliance training such as anti-slavery and money laundering. Within some organizations there is eLearning fatigue, and people try to get through the training as quickly as possible without really engaging with it or learning from the content. The exercises in this book take a similar time to conduct as eLearning but can provide a more effective way to engage with the audience and convey the required messages.
Cyber and IT professionals can use these exercises to prepare their response to an incident. Most of the exercises can be used to practice the response to a wide range of information security or cyber scenarios.
Community groups, people involved in civil defense, emergency services and those promoting community resilience will also find exercises in the book which capture the imagination of those whose resilience you are trying to improve. They will enjoy the exercises but at the same time develop skills and knowledge to be able to react if an incident occurs.
The audience for these exercises can be anyone within an organization who needs to have knowledge of business continuity or the ability to manage incidents. This could be those with roles within incident management teams, or business continuity coordinators whose role it is to develop business continuity plans for their own part of the organization. Awareness should also be provided to general staff who could be affected by an incident and have to work from a different location or have to work in a different way in response to an incident.
“An organization’s continuity capability cannot be considered reliable or effective until it has been exercised.”
The Business Continuity Institute (BCI) Good Practice Guidelines 2018
Most resilience practitioners recognize the importance of exercising in validating their plans and as a tool to help those with a role in the plan to understand how they should respond to an incident. As humans we love problem-solving and trying to win against the odds. Exercises are a great way to challenge individuals, communities and groups to overcome the obstacles of a scenario and to learn valuable lessons which you can use in a real incident. By exercising we get those responding to learn the basic lessons of managing an incident – they make the mistakes in exercises and learn from them, rather than learn them at a cost during the response to a real incident.
In my experience very few people would challenge the idea of exercising and the benefit it gives those whose role it is to respond to an incident. The difficulty many people have with large-scale exercises is that they can take considerable time and effort to prepare. Often, they have to be organized months in advance to ensure that the right people are available, and many participants lack the skills to plan and execute a major exercise. They can also be seen as expensive due to the lack of internal skills, so external experts may be brought in to plan and then run the exercise.
On the other hand, short exercises can solve many of these issues as they can be run at short notice, with minimum experience and have many of the learning benefits of longer and more complex exercises.