The recent COVID-19 pandemic has shown that many organizations were not prepared to respond to and manage the impacts caused by the virus.
Business Continuity Plans (BCPs) were either not developed or were out of date. That’s why it’s essential that your BCP remains up-to-date and is regularly validated. In this blog we provide five easy steps on how to validate your BCP through effective tabletop exercises.
During a pandemic, cyber-attack, active shooter, supply chain disruption or the loss of a key asset, you need to ensure your business keeps operating. A Business Continuity Plan recognizes these potential threats and defines what impact they may have on your everyday operations. It then provides the actions that must be taken to support recovery of your business’ critical processes and support continuity. But simply having a plan is not enough. The plan must be validated in an exercise to ensure its validity. Here’s how to go about exercising your plan in five steps.
Step I: Set objectives
The very first step when developing an exercise plan is to establish exactly why you intend to do the tabletop exercise. Creating a set of achievable EXERCISE OBJECTIVES is part of this first step. Imagine that you want to validate the changes you’ve made to your BCP based on the issues that were raised during the pandemic. Here are some examples of objectives you might be looking to validate:
- Validate the updated BCP activation process.
Note: Your update of the activation process was necessary because activation was found to be slow or disjointed during the real event. You’ve therefore made procedural and even some technical changes to the activation process that need to be validated.
- Validate the revised communication protocols to ensure cohesive internal and external messaging.
- Confirm updated Recovery Time Objective (RTO) for (specific) critical operations
Note: For some organizations this might be a separate tabletop exercise.
- Challenge new decision-making matrix.
Note: Assuming one was not in place prior to COVID 19.
- Incorporate key supplier(s) into the exercise to validate plan integration
As part of this first step, you will need to lock in a date, time and place for the exercise and send out the calendar to ensure everyone’s available.
Based on your exercise objectives, you will then be able to proceed to Step II — drafting your scenario.
Step II: Create the scenario and exercise structure
Begin drafting your scenario with an overview, a one- to two-page outline. Have a beginning, middle and an end. Then start to ask questions about how the scenario would play out within your organization. If you’re modeling it around COVID19, writing the scenario should be easier as you’ve probably just been through it or are still in it. I would suggest you add to the scenario some differences from your actual experience in order to help keep the audience more engaged. It might be a case of refining some of the details that will help you focus on achieving the objectives that you’ve created. Also, consider your simulated timeline when creating the scenario.
Here’s a short list of other items that you need to consider at this stage:
- Create visuals to add realism, multi-media, social media and others related to your business and the scenario.
- Prepare a short exercise pre-read document with some of the details about the exercise and what the expectations are of the exercise participants. This should be sent out at least a week before the exercise. Also consider a short video as more people will consume video information versus a document.
Step III. Nail down logistical details.
By now you have your scenario completed, and your team is ready to meet and go through the exercise. Now’s the time to consider logistics.
This third, logistical step in preparing for a Business Continuity Tabletop Exercise cannot be over-emphasized. A technical glitch, for example, could seriously disrupt the exercise, defeating its purpose.
This step may seem easy, but it’s the details that will mean the success or failure of the exercise. Here’s a list of common logistical issues that will help you as you put the final touches on your overall exercise design:
- Ensure Training Location(s) are Fully Equipped and Working
- Finalize the Exercise Pre-Read Document or Video and Distribute
- Confirm that all exercise participants and any other observers know where to be and when
- Ensure breakout rooms (if applicable) are ready with whiteboards and other equipment
- Brief the Control Team (including any role players and evaluators if applicable)
- Make sure you will have enough refreshments, especially if you’re planning for a full-day exercise.
Ask yourself these final questions:
- What issues might there be during the session?
- Do we have everything in place to ensure this will be successful?
Step IV: Deliver the exercise.
How well you deliver the exercise will make or break the experience for the participants. If you want simulation exercises to be a success, getting this step right is a necessity.
Engagement is key during the exercise. Consider organizing breakout groups during the exercise so you can split the team into smaller groups. Having breakout groups helps ensure you get the most out of each leader. Bring the groups back together after each period and have them discuss their responses. Some groups may have different approaches, which can be very beneficial.
At the end of the exercise you want to leave yourself enough time to do a “hotwash” (an abbreviated debrief). During this time, you should highlight the significant issues that were identified during the exercise. These issues will be documented in greater detail in the After Action Report or AAR. Also, during the hotwash you can ask for any final feedback based on the participants’ experiences as well as any issues they may want to raise.
Step V: After Action Report and additional exercises for continuous improvement.
This fifth and final step is essential for continuing the improvement of the business continuity plan.
The period after the exercise is as important as the exercise itself. Issues identified during the exercise should be prioritized to ensure that the most critical problems that were identified during the exercise are rectified first. If you don’t have a system for continual improvement, consider developing a comprehensive remediation plan that will support the need for making the changes.
The post-exercise After Action Report details all the findings from the exercise. It provides a high-level view of the exercise, a record of who attended, as well as the recommended next steps to be taken to improve the BCP.
The most important part of this fifth and final step is to ensure you validate any changes that you make to your BCP as a result of the exercise. If you implanted any procedural, process / planning or capability changes to your crisis program, you should validate that they work. How? Schedule another exercise and ensure these changes are identified within your objectives. The validation process should continue especially after a real event occurs, such as COVID19.
5 Easy Steps in a Nutshell
I. Set objectives for the exercise. Establish date, time, place. Invite participants
II. Create the scenario and exercise structure
III. Nail down logistical details – attention to even mundane details is essential
IV. Deliver the exercise. Organize exercise to keep participants engaged and create ways to elicit their best inputs, e.g., split team into smaller breakout groups
V. Continuous improvement comes with an After Action Report and additional, regular exercises. They are the only way to validate any changes you’ve made as a result of an exercise.
The 5 Easy Steps to Validating a Business Continuity Plan with Tabletop Exercises was created using the knowledge and experience PreparedEx has created throughout its 15 years in the industry. Having designed, delivered and reported on hundreds of tabletop exercises, PreparedEx and its team of experienced simulation exercise practitioners are standing by to support your needs for your next business continuity tabletop exercise.