7 Steps to developing a best-practice exercise management program

  • 29 Aug 2024

Since Covid, there’s been increasing focus on developing business continuity capabilities, demonstrated by the skyrocketing numbers of businesses developing business continuity plans.

The set-it-and-forget-it (or write-it-and-ignore-it) tendency remains strong, however.

Even those organizations that test their BCPs regularly aren’t always certain they are doing it right. And so, in this article, we offer steps to develop a best-practice business continuity exercise program.


Step 1. Find a best-practice framework.

Where to begin? The best place to start is finding a tried-and-true framework for building and maintaining an exercise management program.

Here, we recommend international standard ISO/DIS 22398.

Why? The standard outlines the procedures necessary for the planning, implementing, managing, evaluating, reporting, and improvement of exercises, as well as the testing designs needed to assess the crisis-readiness of an organization.

Step 2. Conduct a needs analysis.

One of the most important guidelines the standard gives is to conduct a needs and gap analysis.

The purpose of such an analysis is to establish just what kind of exercise the organization needs to conduct.

Step 3. Know what kind of exercise types are out there.

There’s more than one? Indeed, there is.

What’s more, too many organizations fall into the trap of conducting generic exercises. Instead, they should acquaint themselves with the full range of exercise types that they can be running based on the results of the needs and gap analysis.

Those types include:

  • Alert exercise
  • Start exercise
  • Staff exercise
  • Decision exercise
  • Management exercise
  • Cooperation exercise
  • Crisis management exercise
  • Strategic exercise
  • Campaign

Step 4. Commit to a regular schedule.

From there, the organization should commit to a regular rhythm of BCP exercises, with the precise schedule depending on the entity and its risk levels.

Organizations should, at least, test their plans annually or after major disruptions. Many, however, test their plans bi-annually.

Step 5. Start with a run through.

As for the test itself, it’s likely to begin with a run-through, to ensure participants can perform as planned during the exercise.

The lead evaluator should be a participant here. It’s also important that a similar review occurs with the control team, so that everyone remains on the same page.

Step 6. Launch the exercise.

After the run-through, it will be time to launch the exercise.

Some organizations begin with a start-up briefing. This is a simple way to avoid confusion between the simulated and actual event.

From there, business continuity testing involves checking, prior to the scheduled launch, the communications that will be used to launch, (temporarily) stop, and terminate exercises and testing.

The methods for communicating the launch, stop, and termination of exercises and testing should be explained during the run-through.

Step 7. Don’t forget the post-exercise briefing.

Irrespective of the type of exercise, it’s important to wrap things up at the end with a post-exercise briefing.

During that debriefing, special attention will be given to the functioning of the exercise program and the exercise planning process.

Beyond that, evaluators of the exercise should have knowledge of the expected performance. They should have prepared observation forms containing the exercise performance objective and allowing for notes. 

The real end of the exercise management lifecycle, however, is the publication of the after-action report. This report gives the organization an overview of the exercises and testing performed as well as an assessment of any successes or issues identified, while laying out remediation actions.

Of course, commitment to running a best-practice exercise management program should be communicated in the business continuity policy. To ensure your BC policy is fit for purpose, check out this article from Noggin: What is a Business Continuity Policy?
