Follow The Business Continuity Institute

​Shhhhhh... Don’t tell anyone the scenario

Blog post   •   Feb 09, 2017 14:59 GMT

Through working both as a consultant and as a full time organizational business continuity resource, a common theme of exercising keeps becoming apparent. Each year we hope to amaze and terrify our BC exercise participants with our well thought out, taxing and relevant BC exercise scenario by keeping it secret.

We ensure that each scenario has a multifaceted extra dimension to it, so that each representative on the team has ‘something to do’. The surprise caused by the scenario hopefully causing a slight air of uncomfortableness and mild simulation of crisis management.

However are we doing this wrong? Most, if not all, exercises have objectives linked to learning and training for participants, if this is the case why are we keeping the scenario secret? Who would tell a Broadway performance that “we will not give you the script until you turn up for a full dress rehearsal”? We wouldn’t welcome trainees to a training course, but not let them know if it is relevant to their position or that they didn’t have the prerequisites to attend.

I propose that we should start doing things differently and I am aware that this will not be for all organizations. However if you have a mature business continuity programme in place, chances are that there are team members, or coordinators, with varying levels of exposure to business continuity or indeed exercising. So how about doing different exercises at different levels on known scenarios?

Therefore staff could come prepared, taking the 'deer in headlights' element away, but also picking the exercise that they feel will give them the most return on investment. For example a human resources representative choosing to do a pandemic exercise over say a cyber attack.

Now I know some of you will say it is important to do one exercise to evaluate the team as a whole. But given the multi-dimensional workloads that our senior teams have, an actual incident occurring when they are all available is highly unlikely. We all know how hard it is to get all the right people in the same room at the right time. Even when the stars are aligned you always end up exercising with someone who is deputy of a deputy, nominated last week.

If you stated you must attend one per year and here are three exercise dates throughout the year, not even the most elusive of representatives can engineer to be on holiday for every session. This means you can have deputies exercised as well as the first call. Learning and improvements for the incident teams can be constant rather than via an annual review. Engagement between the senior representatives would also be increased, for example “I did the cyber exercise and we struggled with client expectations”, “really that was the best part of our pandemic exercise” etc.

Now I said that the proposed solution wouldn’t work for everyone, but I can’t even think of a good reason that a large scale single exercise again should be a surprise. It would negate the dreaded refusal to exercise, i.e. “that’s a silly scenario it would never happen”. Also as has previously happened to me “we can’t do that scenario as we are currently dealing with it” followed by mild panic of me changing the scenario to fit with the clients expectations and utilising the relevant ‘something to do’s’ from the unused exercise scenario.

I am really struggling with the need for the scenario to be a secret and if you can think of a relevant reason please let me know. Or perhaps you could incorporate this into your 2017 exercise schedule.

Otherwise are we not expecting people to complete the bridge crossing in Monty Python’s Holy Grail? Essentially expecting our exercise participants to fail or even worse, ourselves being thrown into the ‘I don’t know that’ chasm!

I would appreciate your feedback on this matter; will you still be keeping your scenario secret? Or have I convinced you to share it with your participants?

James Halpin MBCI is the UK Business Continuity Coordinator at Cigna.

Comments (2)

    I do not keep the scenario secret; in fact I publish it prior to the exercise. Like you I see not reason not to share, and it gives people time to ponder what may be expected. At times doing this way has helped to broaden the testing and we plug cracks before the dam breaks! This has worked for my organization as our goal in testing is to enhance our capabilities, build confidence that we can maintain business during an event and that the resources we need are available and working. Good article, thank you.

    - Pauline Williams-Banta - Feb 10, 2017 14:28 GMT

    James, I totally agree, back in 2013 I started to invite specific staff and told them at a high level what would be covered, pre-reading was provided along with the recommendation to read their plans and bring them to the exercise. They were informed that all the areas covered related to actually incidents that had occurred in the workplace within the last few years. My exercises now have our critical service providers attending (good way of getting a foot in the door to their exercises and to add to the supplier assurance process) and I get staff ranging from Directors to staff with a years service. This year across the whole of England I will be holding 14 exercises across the country and if its the same as the last few years I will get between 12 and 20 staff attending all of them. So with live testing, desktop exercises, e learning and staff BC briefings I can get a lot of embedment. so much so I was asked recently if the incident reports I ask for can be stopped as BC is BAU....well you know what answer I gave, thank you for the compliment and no don't stop sending me incident reports...I need to know the mitigations that are in place work.....plus where else can I get my scenario ideas from. for the record I am the Operations Directorate Business Continuity Manager for Highways England.

    - Ray George - Feb 14, 2017 14:26 GMT

Add comment

Comment