
Business Continuity Exercises: Quick Exercises to Validate Your Plan

COMING OCTOBER 2020


By Charlie Maclean-Bristol

 


Print ISBN – 978-1-944480-68-4

EPUB ISBN – 978-1-944480-69-1

WEB PDF ISBN – 978-1-944480-70-7

Charlie Maclean-Bristol MA (Hons), PgD, FBCI, FEPS, CBCI

Charlie Maclean-Bristol is a Business Continuity and Crisis Management consultant. He has founded two successful companies: an independent resilience consultancy, PlanB Consulting, with his wife Kim, and a certified training services provider, Business Continuity Training (BCT), with his brother Lauchlan.

His first experience of contingency planning, training and incident management was as a Captain in the King's Own Scottish Borderers, where he spent 3 years implementing patrols and anti-terrorist operations on active service in Northern Ireland. After leaving the Army he joined Anglian Water as their first Emergency Planning Manager, followed by Scottish Power as their Business Continuity Manager. He then worked for a short time for two consultancies before setting up PlanB Consulting in 2007.

Charlie is a former Business Continuity Institute (BCI) board member and one of the very few Fellows of both the Emergency Planning Society and the Business Continuity Institute. In 2011, he was awarded Business Continuity Consultant of the Year at the CIR awards, and in 2018 he was named Personality of the Year at the BCI European Awards. He has been a finalist in nine other awards varying from ‘Lifetime Achievement’ to ‘Consultant of the Year’.

He has a PgD in “Emergency Planning and Disaster Management” from the University of Hertfordshire. He is also a visiting lecturer and teaches Resilience, Continuity, and Crisis Management as a Module Leader at Glasgow Caledonian University to MSc and MBA students in South Africa and London.

Although now senior in the profession, he has a very hands-on approach to business continuity and, as a BCI-approved trainer, regularly delivers training as part of BCT's public business continuity training courses, including the CBCI course. In his role at PlanB Consulting he has delivered consultancy in six different continents, and to a diverse list of public and private organisations.

Charlie has contributed to the profession by being involved in the writing of the last three editions of the BCI “Good Practice Guidelines,” developing a number of BCI public training courses, and a cyber incident management course which is certified by GCHQ. He is a regular speaker at conferences, writes a weekly blog on all things business continuity, and has appeared on TV and radio a number of times. He has had several papers published in business continuity and emergency planning journals.

Charlie was brought up on the Isle of Coll, a small island off the west coast of Scotland, in a 14th-century castle and now lives in Houston, Renfrewshire with his wife and two children.


Exercising contingency programs of any form, particularly business continuity, is a subject near and dear to me. As the saying goes, “I wrote the book” on business continuity/disaster recovery exercises – literally! In 1997 I published the first book ever on this subject, Disaster Recovery Testing: Exercising Your Contingency Plan. Looking back at that book now, I can see that while I had much to learn, the Disaster Recovery industry (as it was then known) was far more focused on developing recovery procedures than exercises.
I believe many practitioners as well as business leaders were motivated by that book and have often considered a new edition over the years. Charlie Maclean-Bristol has now brought us this work to provide simple, quick exercise materials you can use to kick-start your own business continuity program.

I have long believed that inertia is often the biggest obstacle to getting the exercise process going. Simple, engaging and nonthreatening exercises are often the best way to get the ball rolling. In this book, Charlie Maclean-Bristol provides just the right combination to make this happen.

For over thirty years, I have asserted repeatedly, “an unexercised contingency plan is worse than no plan at all.” Now, with Charlie’s expert guidance and the benefit of his broad experience, you have no excuse!

Philip Jan Rothstein, FBCI, President
Rothstein Associates Inc.
Publisher, Rothstein Publishing
Brookfield, Connecticut USA
September, 2020

I have been a friend and colleague of Charlie for well over a decade. We met at one of the Business Continuity Institute’s annual conference dinners and on first impression I thought “who is this cocky Scotsman” by the way he was wearing black tie dinner apparel with bright red tartan trews. For those of you who don’t know Charlie, he is a true larger-than-life character, with a booming voice, barrel chest and the energy of a springer spaniel. But if you dig beneath the brawny exterior you find a very different character who is very bright, meticulous and a complex thinker. This cocktail of conflicting internal and external qualities is what makes Charlie such a terrific planner, speaker and exercise facilitator.

I think the reason we hit it off as friends and later professional rivals is mostly down to our similar working backgrounds. Charlie is ex-military and I was at the time a career police officer; both of us for many years had experienced the realities of real-world disaster and crisis management. Also in common was our 30+-year history in training and exercise development; both of us working with high-profile, global private and public sector clients on a wide range of diverse resilience projects.

That’s Charlie, but what about his book? It manages to bring together the two worlds of hard-earned incident experience and well-practiced exercise development methodology. The book contains an abundance of very detailed exercise preparation and facilitation guidance to cater to both novice and veteran practitioners’ needs. The pages are crammed with truly useful, practical content including tabled information, bullet lists, aides-mémoires, things to think about, questions to ask exercise participants, helpful diagrams and so much more.

The aspect that sets this book apart is Charlie’s concept of running “quick” exercises. Most response teams nowadays don’t have the time to take part in full-day exercises, so a book that enables facilitators to plan, prepare and conduct effective hour-long tests is game changing.

The only thing that worries me is… has Charlie given away TOO many of his exercise secrets for his own good?

James McAlister

MA DipBCM DipEd FICPEM Hon FBCI

Crisis Prepared Limited – Organisational Resilience Consultancy

Burscough, Lancashire, United Kingdom

WHAT PEOPLE ARE SAYING ABOUT BUSINESS CONTINUITY EXERCISES
PREFACE
FOREWORD
INTRODUCTION
THE AIM OF THIS BOOK
WHO IS THIS BOOK FOR?
WHY CONDUCT EXERCISES
TEN REASONS WHY YOU SHOULD CONDUCT SHORT EXERCISES
HOW TO PLAN YOUR EXERCISE
TYPES OF SHORT EXERCISES
1 THE SIMPLEST OF EXERCISES: THE PLAN WALKTHROUGH
2 THE MOST VERSATILE OF EXERCISES: SPEED EXERCISING
3 SIMPLE TABLETOP EXERCISE
4 FIRE BELL HAS GONE OFF “OUTSIDE NOW”
5. A TEAM AGENDA FOR DYNAMIC INCIDENT TEAM MEETINGS
5.3.1 AN OVERALL SCENARIO FOR THE EXERCISE SHOULD BE DEVELOPED
6. CONCISE BRIEFINGS WITH NO-WAFFLE, THREE-MINUTE BRIEFS
7. IDENTIFY KEY STAKEHOLDERS BY USING A COMMUNICATIONS MATRIX
8. STAKEHOLDER INFLUENCE MATRIX – UNDERSTANDING YOUR STAKEHOLDERS’ IMPORTANCE
9. PRECISE INCIDENT REPORTING USING THE MNEMONIC METHANE
10. RESPONDING TO AN INCIDENT BY CONDUCTING A DYNAMIC RISK ASSESSMENT
11 “WHAT, SO WHAT, NOW WHAT” – ENSURING YOU UNDERSTAND THE WHOLE PICTURE
12 HORIZON SCANNING DURING INCIDENTS, ANTICIPATING WORST CASE
10. WAR GAMING: RED TEAM VERSUS BLUE TEAM
11. RANDOMIZE YOUR EXERCISE SCENARIOS WITH A SCENARIO GENERATOR
12. ACCESSORIZE YOUR RESPONSE WITH BATTLEBOXES AND GRAB BAGS
16 KEEP IT SIMPLE: THE HOT DEBRIEF
17 DEBRIEF MILITARY STYLE: WITH AN “AFTER ACTION REVIEW”
13. DEBRIEF YOUR EXERCISE, INCIDENT OR EVENT USING “STRUCTURED DEBRIEFING”
19 WRITING A POST-EXERCISE AND TRAINING REPORT
20 THE ROLE OF THE UMPIRE IN EXERCISES
21 A FRAMEWORK FOR ASSESSING THE EXERCISE
22 CHOOSING AN EXERCISE SCENARIO
23 A SELECTION OF SCENARIO SUGGESTIONS
23.9 A SYLLABUS FOR A FULL DAY’S TRAINING
24 SUMMARY AND NEXT STEPS
APPENDIX A: DEVELOPING A SIMEX
APPENDIX A – EXERCISING WITH TRIBBLES, BY PHILIP JAN ROTHSTEIN, FBCI
ABOUT THE AUTHOR

The Aim of This Book

The aim of this book is to provide practitioners and those with limited knowledge of running exercises with a series of simple exercises to improve the skills and knowledge of people involved in business continuity, crisis management, information- and cyber-security and community safety within their organization, as well as members of the public.

Most of the exercises require modest planning and resources and can be carried out in less than an hour. All of them are designed to add to the soft or hard skills of those taking part. Some of them, such as the communication matrix and team agenda, teach key tools and techniques which have been used successfully to manage an incident.

I was prompted to write this book on observing the limited exercising of plans, people and responses taking place in many organizations. There are lots of reasons for people not to exercise: they feel they lack the skills to do it, they find it difficult to get the time with those that should be taking part in an exercise, they lack budget, or, even though they may not admit it, they lack the confidence to run an exercise.
I have also seen large complex exercises taking place where the participants run around and problem-solve, ignoring the plan developed for them to respond to. Those participating had not learned very much except that humans are good at problem-solving. At times when I have observed these types of exercises, I feel that the time, effort, and cost have been wasted and the learning benefit minimal.

In writing this book, I have tried to democratize exercises, allowing those of you with all levels of skills and experience and different types of audiences to run successful exercises.

I have also tried to describe in detail how to run the exercise so that those who have not run exercises before have the confidence to start. All the exercises in this book have been chosen to help instill in you and your participants key lessons and tools which you can use to successfully manage an incident. By using short exercises, lack of time, budget and availability of staff become less of an issue, and so you have little excuse but to start exercising.

Who is This Book For?

This book is aimed at a wide variety of people having a role in trying to improve the resilience of your organization or community by conducting exercises. You could be involved in business continuity, emergency planning, resilience, cyber security, information security, civil defense, first responders and the emergency services, or improving community resilience. You may be a full time professional, work part-time or serve as a volunteer.

For the less experienced practitioner this book can give you step-by-step advice and simple but effective exercises you can conduct yourself rather than waiting for or paying for a more experienced person to run them for you. Your confidence to run exercises will develop once you have used this book to conduct the first few. Once you have planned and developed the simple exercises within this book you can then go on and run more complex and longer exercises.

If you are an experienced practitioner, there will be exercises in this book which will be unfamiliar, and which can help you add something new to your repertoire of exercises.

For those responsible for raising awareness of the issues associated with business continuity, information security and resilience within their own organization or the wider community, these exercises can be an ideal tool for engaging people and getting them to think about how to respond to an incident.

Another way of carrying out business continuity awareness training is through eLearning. eLearning is used in many organizations as a way to deliver awareness training in other disciplines such as information security and for compliance training such as anti-slavery and money laundering. Within some organizations there is eLearning fatigue and people try to get through the training as quickly as possible without really engaging with the training or learning from the content. The exercises in this book take a similar time to conduct as eLearning but can provide a more effective way to engage with the audience and convey the required messages.

Cyber and IT professionals can use these exercises to prepare their response to an incident. Most of the exercises can be used to practice the response to a wide range of information security or cyber scenarios.

Community groups, people involved in civil defense, emergency services and those promoting community resilience will also find exercises in the book which capture the imagination of those whose resilience you are trying to improve. They will enjoy the exercises but at the same time develop skills and knowledge to be able to react if an incident occurs.

The audience for these exercises can be anyone within an organization who needs to have knowledge of business continuity or the ability to manage incidents. This could be those with roles within incident management teams, or business continuity coordinators whose role it is to develop business continuity plans for their own part of the organization. Awareness should also be provided to general staff who could be affected by an incident and have to work from a different location or have to work in a different way in response to an incident.

Why Conduct Exercises

“An organization’s continuity capability cannot be considered reliable or effective until it has been exercised.”
The Business Continuity Institute (BCI) Good Practice Guidelines 2018

Most resilience practitioners recognize the importance of exercising in validating their plans and as a tool to help those with a role in the plan to understand how they should respond to an incident. As humans we love problem-solving and trying to win against the odds. Exercises are a great way to challenge individuals, communities and groups to overcome the obstacles of a scenario and to learn valuable lessons which you can use in a real incident. By exercising we get those responding to learn the basic lessons of managing an incident – they make the mistakes in exercises and learn from them, rather than learn them at a cost during the response to a real incident.

In my experience very few people would challenge the idea of exercising and the benefit it gives those whose role it is to respond to an incident. The difficulty many people have with large-scale exercises is that they can take considerable time and effort to prepare. Often, they have to be organized months in advance to ensure that the right people are available, and many participants lack the skills to plan and execute a major exercise. They can also be seen as expensive due to the lack of internal skills, so external experts may be brought in to plan and then run the exercise.

On the other hand, short exercises can solve many of these issues as they can be run at short notice, with minimum experience and have many of the learning benefits of longer and more complex exercises.

Ten Reasons Why You Should Conduct Short Exercises

  1. To organize a complex tabletop, live or SIMEX (simulation) exercise usually takes months of planning and preparation. A short exercise can be organized with thirty minutes' notice.
  2. Major exercises are usually carried out once a year and may only consist of three hours of actual exercising. Short exercises can be run more often, giving you a greater total time exercising and keeping your skills up to date rather than forgetting what’s been learned in between annual exercises.
  3. In my experience most senior managers have a limited amount of time they are prepared to spend on preparing for incidents. The required 3 to 4 hours to take part in the exercise need to be diarized months in advance to ensure that all are available at the same time. A short exercise of an hour or even thirty minutes can be added before or after an existing meeting. Carrying out short exercises often can have a greater training benefit than one annual exercise. Keep in mind that longer SIMEX or complex tabletop exercises are necessary periodically as well as short exercises.
  4. Carrying out shorter exercises more often allows a wide range of different scenarios to be chosen. In longer exercises there is the requirement to focus on one likely scenario. If you run a less-likely scenario you could run into issues if the scenario is being questioned, bringing the credibility of the exercise into question and losing much of the benefit from the exercise.
  5. If you are just starting to implement a business continuity or resilience program, it can be a long time before it seems like anything is happening, as the activity typically involves a small number of project staff. A risk assessment needs to be developed, plans need to be written, and only then can those in the program be trained or take part in an exercise. Carrying out a short exercise or two at the beginning of the program will help to provide those responding with some knowledge of how to respond to an incident, which can be valuable if an incident occurs while the program is being rolled out.
  6. For some, business continuity can seem to be a dry subject and staff members may not engage with the training they are receiving. By getting them on their feet and coming up with their own solutions during a short exercise, you can engage with them and gain their interest in the training you are delivering.
  7. Some of the exercises presented here, such as “What, so what, now what” and “Horizon scanning during incidents, anticipating worst case,” can be used as tools to look at how the organization can prepare for a known future event, such as a transport strike or a protest taking place in the vicinity of one of your office buildings.
  8. The outputs of many of these exercises can be used to develop response plans to different scenarios. Speed Exercising is a good means of developing the risk, issues, impacts, and actions associated with a particular incident. A large number of different people looking at the same scenario can be a lot more productive than a small group sitting together trying to develop the response and actions needed.
  9. Short exercises are a good opportunity for less experienced practitioners to develop their skills and confidence in running exercises. The exercises in this book are simple to plan and run so you do not need to be a skilled practitioner to execute them.
  10. Designated business continuity champions are those who have a business continuity role but are part-time and often do not conduct their own exercises. In this role you may feel that you don’t have the required skills or knowledge and wait for the Business Continuity Manager to exercise the plans. By following this simple step-by-step methodology, you can exercise your own plans without internal or external help.