What are the benefits of business continuity exercises?

How to prepare your organisation for the unexpected.

Even the most prepared organisations can hit unexpected problems big enough to cause potentially serious disruption. Resilience and business continuity planning are designed to create a blueprint for preparedness should something unexpected actually happen. It aims to be wise before the event, not after it.

In an ideal world, businesses would operate smoothly, day in day out, fully aligned with their strategy. However, life isn't always like that. Natural disasters, civil protests, physical attack and pandemics are examples.

It may not be possible to head off these events - by their very nature, they tend to come out of the blue - but it should be possible to map out a strategy to deal with them. Good and well thought-out resilience or business continuity planning can prove to be a lifesaver when turmoil erupts and it should form part of every organisation’s operating model.

Business continuity planning — preparing for the unexpected

Teams within organisations need to think ahead intelligently, consider what unseen events may occur and assess what their impacts might be. An obvious example is payroll. If you are suddenly denied access to your building or finance systems, how are you going to pay people? Do you have an alternative plan in place to make sure they continue to receive their salaries?

Other examples are legion. What might the impact be if a terrorist attack takes place near to you? How do you keep operating if there is a fire or flood on your premises? Might your business be a target for a protest demonstration and if so, how will you deal with that? Have you thought about the energy crisis and what you might do during ongoing power outages? 

There are people risks too. Although noone likes to think about it, what would you do if a senior - and perhaps critical - member of the leadership team were to suddenly die or become incapacitated or even kidnapped? These things do happen. With that person gone, do you have the processes in place to be able to continue to function?

Testing and exercising — essential for effective business continuity

It’s important not just to have a business continuity plan in place, but to test it. This may be most simply done through running a desk-top exercise; in other words, testing the theory of an event occurring and how the response would be actioned.

The scenario chosen for the exercise should be as realistic as possible. To maximise the benefits of the exercise, those involved should not be given details beforehand of the unexpected event they will be modelling. It is far better to make them think on their feet. The test scenario should also be played out in real time (or as close to real time as possible), with twists and turns of the storyline being fed in as it progresses, thereby stress testing the team’s response. 

"The test scenario should also be played out in real time (or as close to real time as possible), with twists and turns of the storyline being fed in as it progresses, thereby stress testing the team’s response."

The mock event can be as creative as you want it to be, although obviously it should be something which might actually happen to your organisation. By adding local landmarks, names of people from your organisation or previous experiences, the scenario can be brought to life.

Lessons learned — updating your business continuity plan

It is also important to note down the results of, and recommendations from, the exercise immediately after it has concluded and when it is still fresh in everyone’s minds; a hot debrief, as it is called. As time passes, the memory of those involved may start to drift or become imprecise, so you need to capture thoughts and findings as early as possible. And of course there should be a full post-event debrief should a crisis actually occur.

This needs to be followed by a fuller, formal board level or risk committee discussion which can evaluate the outcome of the exercise and if, and where, company strategy should be reappraised as a result.

During the exercise you should expect two things to happen. Firstly, you will be able to determine just how well-prepared (or not) your organisation is to deal with unexpected but plausible events; the known unknowns. 

Secondly - and arguably even more importantly - you should expect the testing itself to reveal other risks you had never thought of, thereby giving you the opportunity to identify, evaluate and frame a response to these.

". . . you should expect the testing itself to reveal other risks you had never thought of, thereby giving you the opportunity to identify, evaluate and frame a response to these."

You should also be aware that you are testing not just processes and systems, but also people. Modelling crisis outcomes is not something that suits everyone. Some staff, perhaps for personal reasons, have entirely reasonable stress and mental health issues when asked to confront the reality of challenging scenarios - some possibly involving loss of life.

If this is the case, stand people down straight away, with understanding and sympathy. It is far better to discover their unsuitability during a test than an actual crisis. It also helps ensure that the remaining team members work effectively and bond together, building a rapport and understanding their own capabilities, strengths and weaknesses. If a modelled event plays out for real, this kind of cohesion will be vital.

How often should these exercises be conducted?

It depends on the organisation and the sector, but the rule should be at least yearly. Twice yearly, or even every three or four months, may be more appropriate. To an extent, it depends on the business in question and the available resource. It also depends on the types of risks an organisation feels it needs to prepare for. 

It also makes sense to carry out a re-evaluation if one or a number of members of the core team swap out. This ensures that the replacements are trained and so will be able to fully contribute should a real crisis happen.  

Most businesses should regard a properly tested business continuity plan as part of their core operational strategy. It brings real understanding, focus and comfort. 

The unexpected will always remain unexpected, but if it happens, then being forearmed could mean the difference between a company’s failure and survival. The stakes really don’t come bigger than that.

If you would like to talk about this topic, we can help. Visit our website here. You can also get in touch with your usual Barnett Waddingham contact. Alternatively, please contact me below.