The recent COVID-19 pandemic has shown that many organizations were not prepared to respond to and manage the impacts caused by the virus.
Business Continuity Plans (BCPs) were either not developed or were out of date. That’s why it’s essential that your BCP remains up-to-date and is regularly validated. In this blog we provide five easy steps on how to validate your BCP through effective tabletop exercises.
Background (what is a BCP?)
During a pandemic, cyber-attack, active shooter, supply chain disruption or the loss of a key asset, you need to ensure your business keeps operating. A Business Continuity Plan recognizes these potential threats and defines what impact they may have on your everyday operations. It then provides the actions that must be taken to support recovery of your business’ critical processes and support continuity. But simply having a plan is not enough. The plan must be validated in an exercise to ensure its validity. Here’s how to go about exercising your plan in five steps.
Step I: Set objectives
The very first step when developing an exercise plan is to establish exactly why you intend to do the tabletop exercise. Creating a set of achievable EXERCISE OBJECTIVES is part of this first step. Imagine that you want to validate the changes you’ve made to your BCP based on the issues that were raised during the pandemic. Here are some examples of objectives you might be looking to validate:
- Validate the updated BCP activation process.
Note: Your update of the activation process was necessary because activation was found to be slow or disjointed during the real event. You’ve therefore made procedural and even some technical changes to the activation process that need to be validated.
- Validate the revised communication protocols to ensure cohesive internal and external messaging.
- Confirm updated Recovery Time Objective (RTO) for (specific) critical operations
Note: For some organizations this might be a separate tabletop exercise.
- Challenge new decision-making matrix.
Note: Assuming one was not in place prior to COVID 19.
- Incorporate key supplier(s) into the exercise to validate plan integration
As part of this first step, you will need to lock in a date, time and place for the exercise and send out the calendar to ensure everyone’s available.
Based on your exercise objectives, you will then be able to proceed to Step II — drafting your scenario.
Step II: Create the scenario and exercise structure
Begin drafting your scenario with an overview, a one- to two-page outline. Have a beginning, middle and an end. Then start to ask questions about how the scenario would play out within your organization. If you’re modeling it around COVID19, writing the scenario should be easier as you’ve probably just been through it or are still in it. I would suggest you add to the scenario some differences from your actual experience in order to help keep the audience more engaged. It might be a case of refining some of the details that will help you focus on achieving the objectives that you’ve created. Also, consider your simulated timeline when creating the scenario.
Here’s a short list of other items that you need to consider at this stage:
- Create visuals to add realism, multi-media, social media and others related to your business and the scenario.
- Prepare a short exercise pre-read document with some of the details about the exercise and what the expectations are of the exercise participants. This should be sent out at least a week before the exercise. Also consider a short video as more people will consume video information versus a document.
Resource – eBook: 5 Steps to Creating Crisis Simulation Tabletop Exercises
Step III. Nail down logistical details.
By now you have your scenario completed, and your team is ready to meet and go through the exercise. Now’s the time to consider logistics.
This third, logistical step in preparing for a Business Continuity Tabletop Exercise cannot be over-emphasized. A technical glitch, for example, could seriously disrupt the exercise, defeating its purpose.
This step may seem easy, but it’s the details that will mean the success or failure of the exercise. Here’s a list of common logistical issues that will help you as you put the final touches on your overall exercise design:
- Ensure Training Location(s) are Fully Equipped and Working
- Finalize the Exercise Pre-Read Document or Video and Distribute
- Confirm that all exercise participants and any other observers know where to be and when
- Ensure breakout rooms (if applicable) are ready with whiteboards and other equipment
- Brief the Control Team (including any role players and evaluators if applicable)
- Make sure you will have enough refreshments, especially if you’re planning for a full-day exercise.
Ask yourself these final questions:
- What issues might there be during the session?
- Do we have everything in place to ensure this will be successful?
Related: Think You Are an Effective Business Continuity Trainer?
Step IV: Deliver the exercise.
How well you deliver the exercise will make or break the experience for the participants. If you want simulation exercises to be a success, getting this step right is a necessity.
Engagement is key during the exercise. Consider organizing breakout groups during the exercise so you can split the team into smaller groups. Having breakout groups helps ensure you get the most out of each leader. Bring the groups back together after each period and have them discuss their responses. Some groups may have different approaches, which can be very beneficial.
At the end of the exercise you want to leave yourself enough time to do a “hotwash” (an abbreviated debrief). During this time, you should highlight the significant issues that were identified during the exercise. These issues will be documented in greater detail in the After Action Report or AAR. Also, during the hotwash you can ask for any final feedback based on the participants’ experiences as well as any issues they may want to raise.
Step V: After Action Report and additional exercises for continuous improvement.
This fifth and final step is essential for continuing the improvement of the business continuity plan.
The period after the exercise is as important as the exercise itself. Issues identified during the exercise should be prioritized to ensure that the most critical problems that were identified during the exercise are rectified first. If you don’t have a system for continual improvement, consider developing a comprehensive remediation plan that will support the need for making the changes.
The post-exercise After Action Report details all the findings from the exercise. It provides a high-level view of the exercise, a record of who attended, as well as the recommended next steps to be taken to improve the BCP.
The most important part of this fifth and final step is to ensure you validate any changes that you make to your BCP as a result of the exercise. If you implanted any procedural, process / planning or capability changes to your crisis program, you should validate that they work. How? Schedule another exercise and ensure these changes are identified within your objectives. The validation process should continue especially after a real event occurs, such as COVID19.
5 Easy Steps in a Nutshell
I. Set objectives for the exercise. Establish date, time, place. Invite participants
II. Create the scenario and exercise structure
III. Nail down logistical details – attention to even mundane details is essential
IV. Deliver the exercise. Organize exercise to keep participants engaged and create ways to elicit their best inputs, e.g., split team into smaller breakout groups
V. Continuous improvement comes with an After Action Report and additional, regular exercises. They are the only way to validate any changes you’ve made as a result of an exercise.
The 5 Easy Steps to Validating a Business Continuity Plan with Tabletop Exercises was created using the knowledge and experience PreparedEx has created throughout its 15 years in the industry. Having designed, delivered and reported on hundreds of tabletop exercises, PreparedEx and its team of experienced simulation exercise practitioners are standing by to support your needs for your next business continuity tabletop exercise.
Resource – Contact PreparedEx for Tabletop Exercise Pricing
I like going back over the comments from older blogs. Some great points made. This blog needs a little update and sharing again.
This is an extremely useful breakdown of the steps which lead to a successful exercise – and my understanding of success, here, is the awakening of people from all sides of the operation to their level of preparedness. Having partnered with Rob in several exercises, one of the most valuable lessons to me was the importance of inviting and involving with outside contacts, i.e. suppliers, contractors and government agencies, when applicable, to participate in the exercise. If they are familiar with the BCP and its stakeholders, they will not be caught off-guard when called to engage in a real crisis situation.
I just noticed i never responded to all the comments here. Thank you so much for the kind words and feedback, it’s really appreciated.
This is excellent quality content which we’ve come to expect from PreparedEx! It also points to something that all organizational leaders should take into consideration: the use of exercises, especially Tabletop exercises, to work through plans, policies, and procedures. With just a little forethought anyone can do a reasonable job at this which will go a long way towards identifying the seams and gaps in your planning. Approximately one in five small businesses don’t survive disasters because they haven’t thought through the most likely scenarios of what could befall them and what they would do about it. Don’t outsource your own safety and security; use planning such as that presented here to ensure health, safety, and economic viability.
Thank you to all the comments I really appreciate them. Some great points highlighted.
What are your plans to address the challenges of a second wave of the pandemic? What are your sequence of phased actions to restart operations once isolation mitigation restrictions are lifted?
No better time to exercise your BCP to find gaps in your plans.
Thank you, Don. Hope all is well.
As an insurance professional seeing the true impact of crisis on so many businesses, this topic is more important than ever. I hope to see more of an emphasis on business continuity in our new normal, and companies leveraging your resources to become more resilient.
We appreciate the kind words, Jen.
Very crisp. As a product manager for Everbridge Crisis Management Product, I have partnered with Rob for almost a year now. It is amazing to watch Rob deliver great crisis exercises for customers.
Thank you, Michael.
Excellent content, Rob. Thank you for leading the charge and bringing your experience to the table.
Three excellent points jump out from this blog:
1. Validate the BCP activation process. I ran an exercise for a client once and received 10 frantic phone calls from department heads who didn’t know how to trigger their plans. We focused so much on what to do once the plan was active, they didn’t know how to activate it.
2. I love the idea of engaging suppliers or external stakeholders where possible.
3. The after-action report is critical. Learn from every exercise you conduct!
One final note: Work hard on your scenario. Try to avoid having the exercise de-railed because there is debate over the plausibility of the scenario.
Thank you, mark.