Planning and conducting business continuity (BC) plan exercises is one of the most important activities in a business...
Conducting one or more exercises annually is a key component of a business continuity management system (BCMS). Exercises should be scheduled and integrated with other BCMS activities, such as plan updating, emergency team training, policy reviews and audits, business impact analyses (BIAs), risk assessments, and awareness programs.
When planning a BC exercise, make these your priorities:
First, decide specifically what you plan to exercise, e.g., the entire plan or parts of the plan such as the incident response procedures or evacuation plan.
Second, secure a location to conduct the test that is away from any possible interruptions and encourage exercise participants to turn off their mobile devices if possible so they can concentrate on the exercise. If it's possible, conduct the exercise outside the participants' offices and in a less conspicuous location. If this is not possible, it may make sense to schedule the exercise outside of normal work hours or perhaps over a weekend.
Third, consider inviting participants other than the exercise developer(s) and representatives of the department(s) or activity being exercised, such as staff from IT, operations, risk management, human resources, legal, quality assurance and internal audit, but this is not mandatory. A corollary to this is to have the "right" participants in the exercise. Invite people who have a true stake in protecting their department, as well as the company. Inviting senior management to an exercise is often avoided because the fear is that a senior manager may get too involved (e.g., try to take over the exercise) and other exercise participants may reduce their level of participation in deference to the executive.
Fourth, it's not necessary to complete a "successful" exercise. Completing a successful exercise doesn't necessarily mean that the plan ran perfectly, the emergency team is fully prepared, nor that employees are ready to respond. It's far better to identify flaws in the exercise logic and supporting activities now, rather than later (i.e., during an incident), when the flaws could result in serious consequences.
You should also assign someone as a timekeeper and scribe, so that a record of the exercise can be produced. This is particularly important from an audit perspective and for regulated organizations like banks or firms that are scrutinized by government agencies, such pharmaceutical companies and the U.S. Food and Drug Administration (FDA). In fact, that's a good practice for all exercises.
While not usually a priority, consider launching a surprise exercise in addition to scheduled exercises. This is perhaps the best way to determine if your emergency teams are really prepared to respond to a business-threatening incident. Some advance planning (e.g., warning) is advised, especially if your exercise impacts other departments, such as IT or facilities. Also, if other departments, such as IT, have scheduled exercises the same time as your surprise event, it may be prudent to reschedule. Of course, in real-life, there will be no advance warnings or courtesy calls alerting you and others of an impending disaster.
Well-planned and conducted business continuity exercises are important investments in a company's long-term success and survival. Knowledge of regularly scheduled exercises can also enhance the firm's reputation and competitive position, especially since more organizations today require data about a prospective vendor/partner's business continuity and disaster recovery activities.