Running an Exercise - Suffolk Resilience

Suffolk Resilience
Business Continuity Forum 16th May 2012
‘Running an Exercise’
Designed & Facilitated by:
Alan Pawsey
Arc Risk & Resilience Ltd
For Suffolk Business Continuity Forum
A few thoughts:
‘No plan survives first contact with the Enemy’
‘The only thing more difficult than Business Continuity planning is trying to explain why you didn’t’
‘It is not whether you get knocked down, it is whether you get up’
‘If you haven’t tested your plan – have you really got one?’
Why/So What?
• Enhances Internal Communication
• Increases Confidence
• Decreases Uncertainty
• Identifies Faults in Planning
• Helps to identify those with leadership skills
• And….
‘Running an Exercise’
• Scope and Objectives:
– Understanding the Exercise in a Business Continuity Context
• Types of Exercise
– Some Do’s and Don’ts
– Experience Exercise Planning & Delivery
• Case Study – Hope Ltd
• Business Continuity Update
– Olympics 2012
Types of Business Continuity Exercise
[Diagram: exercise types set against 'Time & Realism' and 'Resource', with the labels 'Embedding' and 'Building Excellence'. Types shown: Full Scale Exercise, Multi-Team Simulation, Single Team Simulation, Facilitated Discussion, Plan Audit, Walk Through.]
Some Do’s and Don’ts:
• Top Management Sponsorship – agree type, objectives, format, involvement & budget
– You should not attempt to exercise everything – declare what is in scope and what is not.
• Avoid ‘going large’ for the first exercise
• Avoid ‘we are all going to die’ scenarios - Ensure they are relevant to the business yet sufficiently challenging
• Form a small team to deliver and market the exercise
• If appropriate – H & S risk assessment
• Ensure the exercise does not cause unintended disruption to operations
• Create a learning environment.
– Generally exercising the ‘Plan’ not the people
– Allow time for ‘hot’ and more structured debriefs later.
Case Study:
• This case study provides a platform to explore general exercise design and delivery issues
• Hope Ltd is a fictitious company
• You are a manager employed by Hope Ltd with responsibility for Business Continuity. You are simply tasked by the MD to ‘plan and deliver an exercise’.
Case Study:
• There is sufficient detail for you & your group to:
– Decide Scope, Objectives & Style
– Develop suitable scenario
– Plan how the exercise scenario will unfold and be responded to by participants
• Prepare a list of time scheduled ‘injects’, their purpose and expected response (like an agenda)
• Have additional material available if ‘it all gets too easy’
• Be prepared to cut material if time schedule proves inaccurate
– Outline exercise planning to group
Running an Exercise - Discussion
Scope
Objectives
Style
Scenario
Exercise Plan
Delivery
Next Steps – from De-brief (Plan Revision)
Exercise Plan
Example of simple Exercise Plan – think of it as an Agenda+ to help you keep on track
Real Time | Ex Time | Event or Inject | Objective | Comment
9am | 9am | Intro to Exercise | - | -
9.10am | 8am | Scenario part 1. Question: [who, what etc]. Paper Feed | Identify nature of Incident & Impact | [Technical or notes of detail for Facilitator]
9.20am | 8.30 | Open Discussion | Reference to Plan |
Broadly speaking, complex exercises (e.g. Simulations) need more complex and detailed planning.
On-Line Resources:
• Top tips for fantastic business continuity desktop exercises
http://www.continuitycentral.com/feature0939.html
• Developing scenarios
http://www.continuitycentral.com/feature0908.html
• Put Your Plans to the Test: Buildings
http://www.buildings.com/tabid/3334/ArticleID/5738/Default.aspx#top
Business Continuity Updates:
Comments from the Business Continuity Industry…
• ICT and Business Continuity: recovery planning in silos
– Suits & Techies – need to talk to each other more often… http://www.continuitycentral.com/feature0948.html
• Horizon Scan for BCI reveals in UK major concerns are:
– Unplanned IT/telecom outage
– Data breach
– Adverse weather
There is variation depending upon sector – Manufacturing are concerned about the Supply Chain; Public Administrators are worried about Human Illness.
http://www.bcifiles.com/BCIHorizonScan2012.pdf
Comments from the Business Continuity Industry…
• SharePoint users seem to disregard data security, copying data off-line onto insecure drives and USB Sticks – mainly to work from home.
– Similar issues for organisations that permit ‘Bring Your Own Device’
• PwC points to increase in ‘black-swan’ events. Current Enterprise Risk Management practices may need to evolve from box ticking to greater involvement – especially at Board level.
An Icon in the USA
• Waffle House Restaurants:
• Walt Ehmer described how recovery is ingrained in the company. He said the culture of the company revolves around two words: ‘Show up’.
http://www.emergencymgmt.com/disaster/How-Recovery-Is-Ingrained-in-Waffle-Houses-Culture.html