Suffolk Resilience Business Continuity Forum, 16th May 2012
Running an Exercise
Designed & Facilitated by: Alan Pawsey, Arc Risk & Resilience Ltd, for Suffolk Business Continuity Forum
A few thoughts:
- No plan survives first contact with the Enemy
- The only thing more difficult than Business Continuity planning is trying to explain why you didn't
- It is not whether you get knocked down, it is whether you get up
- If you haven't tested your plan – have you really got one?
Why/So What?
- Enhances Internal Communication
- Increases Confidence
- Decreases Uncertainty
- Identifies Faults in Planning
- Helps to identify those with leadership skills
- And…
Running an Exercise
- Scope and Objectives:
  – Understanding the Exercise in a Business Continuity Context
- Types of Exercise
  – Some Dos and Don'ts
  – Experience
- Exercise Planning & Delivery
- Case Study – Hope Ltd
- Business Continuity Update – Olympics 2012
Types of Business Continuity Exercise
- Plan Audit
- Walk Through
- Facilitated Discussion
- Single Team Simulation
- Multi-Team Simulation
- Full Scale Exercise
(Diagram labels: Time & Realism Resource Embedding Building Excellence)
Some Dos and Don'ts:
- Top Management Sponsorship – agree type, objectives, format, involvement & budget
  – You should not attempt to exercise everything – declare what is in scope and what is not.
- Avoid going large for the first exercise
- Avoid "we are all going to die" scenarios – ensure they are relevant to the business yet sufficiently challenging
- Form a small team to deliver and market the exercise
- If appropriate – H & S risk assessment
- Ensure the exercise does not cause unintended disruption to operations
- Create a learning environment.
  – Generally exercising the Plan, not the people
  – Allow time for hot and more structured debriefs later.
Case Study:
- This case study provides a platform to explore general exercise design and delivery issues.
- Hope Ltd is a fictitious company.
- You are a manager employed by Hope Ltd with responsibility for Business Continuity.
- You are simply tasked by the MD to plan and deliver an exercise.
Case Study:
There is sufficient detail for you & your group to:
  – Decide Scope, Objectives & Style
  – Develop suitable scenario
  – Plan how the exercise scenario will unfold and be responded to by participants
    - Prepare a list of time scheduled injects, their purpose and expected response (like an agenda)
    - Have additional material available if it all gets too easy
    - Be prepared to cut material if time schedule proves inaccurate
  – Outline exercise planning to group
Running an Exercise - Discussion
- Scope
- Objectives
- Style
- Scenario
- Exercise Plan
- Delivery
- Next Steps – from De-brief (Plan Revision)
Exercise Plan

| Real Time | Ex Time | Event or Inject | Objective | Comment |
|---|---|---|---|---|
| 9am | | Intro to Exercise | - | - |
| 9.10am | 8am | Scenario part 1. Question: [who, what etc] Paper Feed | Identify nature of Incident & Impact | [Technical or notes of detail for Facilitator] |
| 9.20am | 8.30 | Open Discussion | Reference to Plan | - |

Example of simple Exercise Plan – think of it as an Agenda+ to help you keep on track.
Broadly speaking, complex exercises (e.g. Simulations) need more complex and detailed planning.
On-Line Resources:
- Top tips for fantastic business continuity desktop exercises: http://www.continuitycentral.com/feature0939.html
- Developing scenarios: http://www.continuitycentral.com/feature0908.html
- Put Your Plans to the Test: Buildings: http://www.buildings.com/tabid/3334/ArticleID/5738/Default.aspx#top
Comments from the Business Continuity Industry…
- ICT and Business Continuity: recovery planning in silos – Suits & Techies – need to talk to each other more often… http://www.continuitycentral.com/feature0948.html
- Horizon Scan for BCI reveals in UK major concerns are:
  – Unplanned IT/telecom outage
  – Data breach
  – Adverse weather
- There is variation depending upon sector – Manufacturing are concerned about the Supply Chain; Public Administrators are worried about Human Illness. http://www.bcifiles.com/BCIHorizonScan2012.pdf
Comments from the Business Continuity Industry…
- Share-point users seem to disregard data security, copying data off-line onto insecure drives and USB Sticks – mainly to work from home.
  – Similar issues for organisations that permit Bring Your Own Device
- PWC points to increase in black-swan events.
- Current Enterprise Risk Management practices may need to evolve from box ticking to greater involvement – especially at Board level.
An Icon in the USA
Waffle House Restaurants: Walt Ehmer described how recovery is ingrained in the company. He said the culture of the company revolves around two words: Show up.
http://www.emergencymgmt.com/disaster/How-Recovery-Is-Ingrained-in-Waffle-Houses-Culture.html