Through working both as a consultant and as a full time organizational business continuity resource, a common theme of exercising keeps becoming apparent. Each year we hope to amaze and terrify our BC exercise participants with our well thought out, taxing and relevant BC exercise scenario by keeping it secret.
We ensure that each scenario has a multifaceted extra dimension to it, so that each representative on the team has ‘something to do’. The surprise caused by the scenario hopefully causing a slight air of uncomfortableness and mild simulation of crisis management.
However are we doing this wrong? Most, if not all, exercises have objectives linked to learning and training for participants, if this is the case why are we keeping the scenario secret? Who would tell a Broadway performance that “we will not give you the script until you turn up for a full dress rehearsal”? We wouldn’t welcome trainees to a training course, but not let them know if it is relevant to their position or that they didn’t have the prerequisites to attend.
I propose that we should start doing things differently and I am aware that this will not be for all organizations. However if you have a mature business continuity programme in place, chances are that there are team members, or coordinators, with varying levels of exposure to business continuity or indeed exercising. So how about doing different exercises at different levels on known scenarios?
Therefore staff could come prepared, taking the 'deer in headlights' element away, but also picking the exercise that they feel will give them the most return on investment. For example a human resources representative choosing to do a pandemic exercise over say a cyber attack.
Now I know some of you will say it is important to do one exercise to evaluate the team as a whole. But given the multi-dimensional workloads that our senior teams have, an actual incident occurring when they are all available is highly unlikely. We all know how hard it is to get all the right people in the same room at the right time. Even when the stars are aligned you always end up exercising with someone who is deputy of a deputy, nominated last week.
If you stated you must attend one per year and here are three exercise dates throughout the year, not even the most elusive of representatives can engineer to be on holiday for every session. This means you can have deputies exercised as well as the first call. Learning and improvements for the incident teams can be constant rather than via an annual review. Engagement between the senior representatives would also be increased, for example “I did the cyber exercise and we struggled with client expectations”, “really that was the best part of our pandemic exercise” etc.
Now I said that the proposed solution wouldn’t work for everyone, but I can’t even think of a good reason that a large scale single exercise again should be a surprise. It would negate the dreaded refusal to exercise, i.e. “that’s a silly scenario it would never happen”. Also as has previously happened to me “we can’t do that scenario as we are currently dealing with it” followed by mild panic of me changing the scenario to fit with the clients expectations and utilising the relevant ‘something to do’s’ from the unused exercise scenario.
I am really struggling with the need for the scenario to be a secret and if you can think of a relevant reason please let me know. Or perhaps you could incorporate this into your 2017 exercise schedule.
Otherwise are we not expecting people to complete the bridge crossing in Monty Python’s Holy Grail? Essentially expecting our exercise participants to fail or even worse, ourselves being thrown into the ‘I don’t know that’ chasm!
I would appreciate your feedback on this matter; will you still be keeping your scenario secret? Or have I convinced you to share it with your participants?
James Halpin MBCI is the UK Business Continuity Coordinator at Cigna.