Gartner Research

Implement an Exercise Management Strategy to Strengthen the Effectiveness of Recovery Plans

Published: 30 March 2017

ID: G00322862

Analyst(s): Roberta Witty

Summary

Security and risk management leaders must assess the strengths and weaknesses of recovery plans to ensure the organization's ability to survive disruptions. An exercise management strategy provides a comprehensive approach to assessing the effectiveness of recovery plans.

Overview

Key Challenges

  • BCM leaders often fail to conduct comprehensive exercising of recovery plans, thereby limiting the organization's knowledge of their ability to respond, recover and restore operations after a disruption.

  • Insufficient exercising exposes the organization to larger consequences from disruption, including greater negative impacts on reputation, loss of customer confidence and higher financial costs.

  • Business and IT personnel necessary to perform adequate exercising are unable or reluctant to commit to exercising operations due to primary job functions taking priority.

  • Demanding compliance requirements make it difficult for companies to conduct the necessary exercising of all recovery plans.

Recommendations

Security and risk management leaders who are focused on building a world-class business continuity management program must:

  • Create an annual exercise schedule for all recovery plans in order to provide consistent reporting and exercise evaluation.

  • Review exercise methods and exercise types to determine the most suitable options for the organization's BCM program and set of recovery plans.

  • Communicate exercise results to organizational leaders and BCM program stakeholders, and update recovery plans based on exercise findings.

  • Use BCMP or crisis/emergency management platform solutions for recovery plan management and exercise management.

Introduction

Making the Business Case for Recovery Plan Exercising

The overall objective of business continuity management (BCM) programs is to ensure that organizational processes can continue during a time of crisis so as to protect the organization's brand and reputation and to minimize financial losses, loss of life/safety and operational decision-making disruption. In addition, customers, citizens and other stakeholders will value the organization's ability to maintain operational service levels.

BCM leaders may be very deliberate in designing and implementing their required recovery plans — a complex web of plan types and views that an organization must manage (see Figure 1) and that allow the organization to respond, recover and restore operations after a crisis. However, they often fail to conduct comprehensive exercising of recovery plans (see Note 1), thereby limiting the organization's knowledge of the leaders' ability to respond, recover and restore business and IT functionality in the event of a disruption.

Figure 1. The Complexity of BCM Program Recovery Plans

In addition, insufficient exercising exposes the organization to larger consequences from disruption, including greater negative impacts on reputation, loss of consumer confidence and, potentially, higher costs. In fact, comprehensive exercise management planning may prevent internal and external stakeholders from even knowing a disruption has occurred at all.

Results from the Gartner BCM maturity self-assessment tool — ITScore for Business Continuity Management — show that BCM programs that have more mature exercise management practices achieve a higher level of success when they actually have to recover from a disaster (see Figure 2).

Figure 2. Maturity of BCM Exercising Compared to Disaster Recovery Success

The data in the table show:

  • The more mature an organization is in its exercise management practices, the greater its success recovering from a disaster. Organizations with mature exercise management practices (Levels 3 and 4) — as indicated by their score for the ITScore dimension "Awareness, Training & Exercising" — have at least an eight times better success rate of recovery as measured using the question option "All mission-critical business processes were recovered according to expected RTOs and RPOs."

  • The less mature an organization is in its exercise management practices, the more likely it had significant recovery problems. Organizations with less mature exercise management practices (Levels 1 and 2) have at least a 58% chance of having significant problems when recovering from their last disaster.

  • Those organizations with low maturity in their exercise management practices were also less likely to have declared a disaster. Organizations at maturity levels 1 and 2 did not declare a disaster at a rate of 69% and 57% respectively — even if they should have. One reason might be that they had an informal or undocumented crisis management process to follow when declaring a disaster. Alternatively, it could be that until an organization has a disaster, it does not yet see the value in advancing its exercise management program maturity level. In either interpretation, advancing the exercise management maturity level is always advantageous to the business.

Gartner recommends that BCM leaders use the following best practice life cycle (shown in Figure 3) to implement an exercise management strategy appropriate to the needs of their organization.

Figure 3. Exercise Management Life Cycle

Analysis

Understand the Goals and Benefits of Recovery Plan Exercising

The Goals of Recovery Plan Exercising

The primary goal of an exercise management strategy is to assess the BCM program's recovery capabilities to identify and remediate gaps and potential issues. It is always better to uncover gaps in a controlled environment, rather than finding and attempting to address these issues as they arise during an actual crisis. The results and experiences of all participants and the performance of all resources in an exercise offer crucial evidence to business and IT managers regarding areas for improvement and the capacity of all organizational resources to survive a crisis event. This evidence can inform BCM leaders and senior management where to focus ongoing efforts, including the needed investments in recovery resources to bring the BCM program to the level of maturity required for their business and to improve the overall resilience of the organization. Additional goals include:

  • Validate that the organization has the appropriate business and IT recovery roles and responsibilities defined across the organization.

  • Identify gaps in the organization's capability to meet recovery requirements, including maximum allowed downtime (MAD), recovery time objectives (RTOs) and recovery point objectives (RPOs).

  • Determine whether the organization has adequate resources to perform response, recovery and restoration activities.

  • Assess the capability of participating recovery team members in executing their responsibilities.

  • Validate the adequacy of business and IT recovery procedures and associated resources needed for recovery purposes, their sufficiency to meet recovery requirements, and where improvements need to be made.

  • Validate that crisis communication procedures are appropriate and timely within and across all recovery teams, suppliers and stakeholders.

  • Promote team building and cross-organizational collaboration and communications for effective recovery.

  • Provide feedback to the BCM program office and line of business (LOB) business continuity coordinators for improvement in the organization's response, recovery and restoration practices.

The Benefits of Recovery Plan Exercising

An exercise management strategy has many beneficial outcomes that contribute to the BCM program's overall objectives. Exercise participants — which should include senior management — will improve their knowledge as follows:

  • They will better understand their role in the organization's BCM program.

  • They will obtain a working knowledge of the recovery plans they will need to execute during a real crisis.

  • They will gain wider awareness of the organization's overall BCM program — especially regarding crisis management procedures.

  • They will understand how the organization can fulfill its legal, regulatory and compliance requirements during a crisis.

  • They will identify gaps in their recovery plans and update their plans accordingly.

  • They will validate the organization's recovery time capability (RTC) to perform according to target time frames so that they can be assured their recovery plans will work during a crisis.

A well-conceived and well-orchestrated exercise management strategy is a fundamental part of a BCM program. But there are challenges, including:

  • Lack of knowledge of BCM leaders as to how to develop such a strategy

  • Unavailability or reluctance of business and IT personnel necessary to perform adequate exercising, due to the priority of primary job functions

  • Stringent compliance requirements in some industries (e.g., financial services, healthcare, telecommunications) that make it difficult to conduct the necessary exercising of all recovery plans

Therefore, developing an exercise management strategy requires a comprehensive and continuous effort on the part of BCM leaders. They must work with their internal and external business and IT partners to identify every change in business process, workforce component, facility, supplier and technology (IT and operational) initiative in order to ensure that recovery plans are current and viable according to current recovery requirements.

Identify the Complex Web of Recovery Plans Needed to Be Exercised

Disruptions can be caused by a variety of events: natural disasters, weather events, technological failures, power outages as well as the growing number of malware intrusions and denial of service attacks. There are several types of recovery plans that need to be in place to protect the business from the various crisis events that could befall an organization. These plans can be categorized into four main groups:

Depending on the cause of the crisis, the organization's operational geographic footprint, the extent of the crisis impact and the phase of the crisis playout, different recovery plans, and views of those plans, are needed.

The number of recovery plans that an organization has depends on its business model and geographic footprint: A global organization can have thousands of recovery plans, whereas an organization with a single facility may have fewer than twenty. There are also many views of plans; for example, one plan for each business department, but then a rollup of all recovery plans for human resources across all locations. Also, there may be dependencies between different parts of the organization during a disaster that need to be documented, coordinated and managed.

Gartner recommends organizations use the following model to determine the minimum number of recovery plans needed for a successful BCM program:

  • An enterprisewide crisis management plan

  • Enterprisewide crisis communications plan(s) that covers the internal workforce and external stakeholders

  • A damage assessment plan for disasters that cause physical damage to an organizational resource

  • Evacuation and shelter-in-place plans for every building that the organization occupies

  • A business recovery plan for every business unit or department

  • IT disaster recovery plans for every internal and external location where IT services are delivered, as well as for each application or recovery process

  • A supplier contingency plan for mission-critical suppliers

  • A stand-down plan that addresses how the organization returns to normal operations once the crisis is over

Review your current set of recovery plan types against the list above and those noted in Figure 1 to determine where in your BCM program you need to augment your recovery plan coverage. In addition, many organizations use business continuity management planning solutions to help them develop and maintain their recovery plans (see the Recommended Reading section for the Magic Quadrant research on this topic).

Create an Annual Exercise Schedule

Exercising is far more valuable when it offers consistent, comparable evidence for organizational and BCM leaders. Regular exercising promotes the consistent refinement of recovery procedures and progression over time. Recovery plans should be exercised for all plausible crisis scenarios and across all operational resources including the workforce, information technology and data, suppliers and partners, facilities, equipment and operational technology, vital records, customers, and external stakeholders (such as government agencies, utilities, insurance companies and regulators).

Given the complexity of an organization's recovery plans, it is conceivable to perform several exercises per year. Therefore, Gartner recommends that organizations formalize the process by creating an annual exercise schedule. This schedule should provide an outline and mapping of the following information:

  • The number of exercises to be conducted

  • The target date of when each exercise will be conducted

  • The recovery plan(s) to be included in each exercise

  • The exercise method and type to be performed for each exercise

  • The business processes and participants involved in the exercise

  • The planned location(s) at which the exercise will take place

  • The facilitator(s) of each exercise

The recommended frequencies for conducting recovery plan exercises are as follows:

  • Quarterly for mission-critical business units and applications.

  • Every six months for business-critical business units and applications.

  • Annually for all non-mission-critical and non-business-critical business units and applications.

  • For complicated IT environments, full-scale exercises may not be feasible, and therefore more frequent component exercises may be required (for example, related applications supporting a business process).

  • Quarterly for a crisis communications component exercise, depending on such variables as your organization's workforce turnover rate, contact information changes and actual events experienced.

  • Conduct building evacuation plan exercises at intervals required by your local fire protection regulations, and at least annually.

The exercise schedule should be developed by the BCM program office and reviewed and approved by senior management for two main reasons:

  • To ensure that senior management understands the depth and breadth of the recovery plan exercise management process

  • To provide their support and endorsement to the business and IT units that such exercising is an important BCM practice for the organization

Review Exercise Methods and Types

Exercise Methods

When preparing to exercise one or more recovery plans, organizational and BCM leaders should recognize that some exercising methods — the "how" of performing an exercise — are more appropriate than others, depending on the type of recovery plan. Each exercise method requires a different level of organizational commitment to needed recovery resources and resulting funding. Walk-throughs and tabletops require a lower level of commitment than do component and functional rehearsals.

Gartner defines five methods of exercises: walk-through, tabletop, component, functional rehearsal and cutover. Walk-throughs and tabletop exercises are typically conducted in conference rooms and in compressed time. Component, functional rehearsal and cutover exercises are conducted at actual recovery sites and done in actual time to fully assess the organization's ability to meet the recovery requirements (MAD, RTO, RPO) of the organization.

Exercises Conducted in a Conference-Room-Like Setting and in Compressed Time

A walk-through exercise involves an initial review to assess the viability of the written content of any type of a recovery plan. This is done with the plan author, recovery team members and key stakeholders. Typically, external resources, such as emergency management and utilities, are not engaged at this level of exercise.

Examples of exercise methods:

  • A review of a new or revised plan; or a review of a business unit or IT service recovery plan after an annual business impact analysis (BIA; see Recommended Reading)

  • A review of a plan when exercising is not feasible due to such factors as time, resources and technical environment

A tabletop exercise (see Recommended Reading) brings together one or multiple recovery teams and plans to discuss roles and responsibilities and how they would react to a crisis, without actually performing the actions. The goal of a tabletop exercise is to test the participants' ability to make decisions, follow the recovery procedures and validate recovery needs and to identify gaps in procedures, dependencies and expectations. The facilitator-led discussion is based on a predefined scenario that unfolds over a period of time, sometimes with surprise changes injected into the discussion. External resources may be engaged, such as police, utilities, key customers or service providers.

Examples of exercise methods:

  • IT service recovery plan(s) exercise

  • Crisis management team exercise, such as an active shooter exercise with police

  • An exercise with line of business and/or its supporting administrative departments to identify and validate interdependencies

  • An exercise to review a service provider outage; for example, telephony, data network or outsourced IT service

Exercises Conducted Using Recovery Resources (IT Systems/Services, Facilities [Internal, External or Supplier], Equipment) With Recovery Tasks Executed in Actual Time

A component exercise evaluates the effectiveness or ability to recover one or more components of a recovery strategy. Several components may be included in the same exercise (aka integrated exercise; for example, a notification system and recovery site). The key distinction between a walk-through or tabletop exercise and a component exercise is that the latter involves either:

  • Recovery teams or resources relocating to recovery sites (for example, a data center recovery site or work area recovery site) or using recovery resources of suppliers at off-site locations, or

  • The use of recovery resources to test a specific recovery component

Business personnel may not have to relocate to verify they can access the recovered business or IT service. In this way, component exercises are compressed in time by excluding certain response elements or dependencies to emphasize achieving the exercise objectives.

Examples of exercise method:

  • Call notification exercise to validate that employees can be contacted on the information they provided

  • Building evacuation test

  • Work area recovery; one or multiple LOBs

  • Operational equipment movements from an off-site location to the recovery site

  • Data center recovery to verify RTO and RPO

  • Partial data center failure

  • IT SaaS or cloud provider failure

A functional rehearsal is a well-coordinated event that involves internal and often external resources. Functional rehearsals exercise recovery tasks, crisis communication, leadership response, and relocation of the workforce and other resources. This exercise includes defined objectives, metrics, success criteria and a scenario with one or multiple business units, often involving external vendors and/or third parties (planned or unannounced). A full functional rehearsal exercises all parts of a plan(s), with recovery tasks carried out where possible. A partial functional rehearsal exercises portions of a plan(s), also with recovery tasks carried out where possible. Large-scale functional rehearsal exercises activate one or more recovery plans by simulating a disaster. The scope and objectives of these exercises may disrupt actual operations (such as causing a workforce relocation).

Examples of exercise method:

  • Full-scale integrated business and IT rehearsal.

  • Complete data center rehearsal.

  • Participation in your application service provider's disaster recovery rehearsal.

A cutover exercise is a cutover of operations from production to recovery for an extended period of time. It can be focused just on the data center, or it can involve a work area site (less common).

Example of exercise method:

Exercise Types

Regardless of the method used (see above section), there are several types of exercises conducted in most BCM programs — the "what" component of a BCM program you are exercising. Below is a description of the more common exercise types.

Emergency Evacuation

Human safety remains a chief concern for most companies. When a crisis occurs during the work day, it is important for staff to know proper facility exit procedures. Exercises should occur for staff to practice how to evacuate safely and quickly, where to meet once outside the building, and what to bring with them.

These events should occur one or two times each year, and success criteria depend on the type of facility and local fire code requirements. Exercises should measure staff adherence to best practices, including:

  • Using the closest exit

  • Avoiding central staircases and elevators

  • Completing roll call at the designated meeting spot

  • Carrying personal belongings (keys, ID, phone), as they should not risk going back to their desk for these items

Emergency Notification (Call Tree)

This exercise involves contacting staff quickly using notification software (see Recommended Reading section for a Market Guide on this topic) or an executive initiating a telephone cascade, also known as a "call tree." The goal is to determine whether contact methods are accurate, and to measure the time it takes to reach everyone. These methods may also be used to practice reaching key suppliers. For stronger reporting, the exercise should include staff confirmation upon receipt of the message.

Work Area/Alternate Site

If an alternate work site has been arranged, sending staff there for the exercise will identify gaps and issues the organization would not otherwise detect. Exercise criteria should include:

  • Accessing production (or backup) systems from the site

  • Exercising specific business requirements (such as customer phones/equipment, business records, mail processing and seating arrangements)

The business unit exercise participants should review and validate their functional manual workarounds and update as appropriate. Some organizations have their personnel work from an alternate site on Fridays, or every month or six weeks, to ensure that the site (organization-sponsored or work-at-home) is as current as possible when a crisis strikes.

Exercise planners should provide a detailed exercise script for staff to complete, capturing what supplies or equipment (from the office) were needed, and arranging to store them at the alternate site or agreeing to purchase them at the time of disaster.

Crisis Management

This exercise should examine the leadership's communication, coordination and decision making during a crisis scenario. Typically, a crisis management exercise can take the form of a tabletop exercise, but such an exercise can expand over time to involve external resources, including emergency responders. The scenario details unfold piece by piece, and the team practices their response to each "inject" — a set of new information. The exercise should include a facilitator, a scribe and observer roles for best results and a more robust exercise report. Choose a scenario that the team believes could happen to the company. For scenario ideas, review your risk assessment results and choose one of the higher-rated threats to build the scenario.

IT Disaster Recovery

This exercise examines the ability to recover/restore critical hardware, system software and applications within the RTO and RPO. IT disaster recovery (IT DR) exercises may be designed to recover and failback a subset of applications or perform a full data center recovery. Business unit exercise participants should be included in the exercise to validate the restoration of their applications and data according to stated recovery point objectives.

Unless an organization is mature in this area, these exercises are generally planned like a small project involving infrastructure, application subject matter experts and business unit exercise participants.

Use Exercise Development Best Practices for a Well-Structured Exercise

It is best to begin planning the exercise at least two to three months ahead of the exercise date, especially when engaging LOBs. Use a "crawl, walk, run" method for the exercise development. It can be counterproductive to attempt to perform too much on the first exercise. Instead, focus the first exercise on familiarity with processes, people, facilities and equipment (crawl). As familiarity is reached, increase the complexity with each future exercise (walk, then run).

Use the following considerations and recommendations to ensure an effective and successful exercise.

Establish the Exercise Format

Establish the exercise format:

  • Determine the scope of the exercise; for example, one or more recovery plans, business units, locations, suppliers and so on.

  • Obtain management support for the exercise in advance. Ask management what they would like to get out of the exercise and make them part of your exercise objective.

  • Decide upon the exercise method and type. You may combine a few exercise types within the same exercise.

  • Determine the location where the exercise will be conducted.

  • Decide whether the exercise will be a surprise event or a planned event. Walk-throughs, tabletops and component exercises typically are planned events, whereas functional rehearsals and cutovers are both planned and surprise events. Surprise exercises require much more planning and management support to ensure that there is as little disruption as possible due to the exercise itself. Gartner recommends you never use a surprise exercise as a first-time event — you should have gone through a number of exercises across as many methods before you plan a surprise exercise.

Establish the time frame required for the exercise:

  • For walk-throughs and tabletop exercises, the total exercise time frame should span three to four hours in duration, but obviously adjust timing according to the scope of the exercise and the type of business unit. The actual scenario play-out should be no more than two hours. More mature teams or ones with external resources may require longer exercises. After two hours, people become tired and distracted, and the quality of the participation diminishes.

  • For component, functional rehearsal and cutover exercises, the exercise time frame will be the actual amount of time required to execute all recovery tasks needed for the exercise scenario.

  • Exercise participants may not be your normal recovery team members. Therefore, more time may be needed for the scenario play-out, or the scope should be reduced. Don't be discouraged if you do not get through the entire planned scenario and all of its scenes. What you are looking for is quality over substance. Far too often, facilitators will rush through a scenario for the sake of the clock, and not consider the value participants are getting from extended discussions.

  • Ensure you allow enough time so that people arrive on time and don't have to immediately leave at the stated end time of the exercise.

Identify the Roles Included in the Exercise

For each exercise, the participants will vary depending on the scope and recovery plans to be included. Below is a description of the common roles involved in an exercise:

  • Senior management and the BCM program executive sponsor should participate in as many exercises as possible. Their presence sends a message to the entire workforce that the organization takes their response, recovery and restoration procedures seriously. If senior management cannot attend an exercise, they should still urge all participants to treat the exercise seriously by sending out a pre-exercise encouragement message, and they should be in attendance at the after-action report and lessons-learned meetings. Also, when the objective of the exercise is to educate and train senior management, they should bring their second-in-command to the exercise to ensure cross-training.

  • Players — Recovery plan owner and recovery team members (primary, secondary and tertiary, depending on the scope and objectives of the exercise) who respond to the situation presented, based on expert knowledge of response procedures, current plans and procedures, lessons learned from previous exercises, and insights derived from training. Many organizations choose to involve their suppliers, partners and other external stakeholders in some of their exercises.

  • Facilitator(s) — The person responsible for moderating and keeping participant discussions focused on exercise objectives and core capabilities. Facilitators ensure relevant issues are explored. They provide situational updates and additional information, and resolve questions as required. Often, the facilitator is an external party who is skilled in exercise management, but doesn't know the in-depth workings of your organization.

  • Observer(s) — People from your organization who know the business well, but do not directly participate in the facilitated discussions. They may support the development of player responses to the situation during the discussion by asking relevant questions or by providing subject matter expertise.

  • Evaluator(s) — People from your organization who know the business well, so that they can observe, document and evaluate exercise objectives and player discussions.

  • Scribe(s) — People from your organization who document the key actions, issues and findings of the exercise. Scribes may work with the facilitator and overall exercise planner to ensure the full set of feedback is documented in the exercise after-action report.

  • Recovery team communicator(s) — Communicators are selected for each recovery team participating in the exercise at the time of the event. They are responsible for liaising with other recovery teams during the exercise. They present details of the team's response during the exercise situation status update, and act as the spokespeople for the "lessons learned" section of the exercise.

Establish the Exercise Evaluation Criteria and Reporting Artifacts

  • Develop clear and concise exercise objectives (three to five objectives are typical).

  • Develop exercise success criteria based on the objectives.

  • Develop exercise execution evaluation metrics (attendance, participation and recovery plan update status) for each type of exercise. This is necessary to write an evaluation report after the exercise.

  • Develop a lessons-learned survey to be used pre-exercise and post-exercise to capture progress made by exercise participants (see the Recommended Reading section for a BCM Toolkit containing relevant templates).

  • Develop a post-exercise evaluation form that all exercise participants complete after the exercise is over (see the Recommended Reading section for a BCM Toolkit containing relevant templates).

  • Develop an after-action report to report all exercise findings to exercise participants and senior management. See the After-Action Report template in the BCM Toolkit referenced in the Recommended Reading section, a modified version of the U.S. Federal Emergency Management Agency's (FEMA's) After-Action/Improvement Plan template.

      Develop the Exercise Scenario and Associated Artifacts

      When defining scenario(s) for the exercise, consider the following:

      • The scenario used in the exercise must be realistic and plausible for your organization; that is, it covers the way your organization conducts business, and includes the resources (potentially including service providers) used by your business and IT operations. Do not bring in events that make no sense to the business, as they may set a negative tone for your exercise and reduce active participation and engagement.

      • The scenario should be focused on specific recovery plans and associated recovery team members. Make sure that each exercise participant will have a role to play within the exercise; bored participants will lead to ineffective results.

      • Early in the exercise, consider "taking out" a key member of the team (for example, due to illness) to simulate what would happen if that person were not available during a crisis. This highlights a gap, and allows others to step up and lead the team.

      • Determine whether injects will be used, and if so, when and by which team member. An inject comes in two forms: as a programmed element, usually time-bound, that is used to move the exercise scenario forward; or as a "pop up" event (dynamic, random). Injects represent events, information, constraints, problems or other modifiers that can affect the play-out of the scenario. Injects are shared with one or more recovery teams. When using injects, look for the recovery team's ability to identify the applicability of the inject to the exercise scenario, and the appropriateness and effectiveness of actions taken (or not taken).

      • It is probably safest to not use injects in your first exercise; gain some experience first, and then add them after a successful exercise or two.

      • The scenario should be developed by personnel who understand the full scope of business and IT operations for the scenario event. Once you have a good draft, walk through the content specifics, flow, timing, resources, dependencies and injects at least three times to get them right. Every detail of the scenario should be investigated to ensure that the planning team and facilitator know every aspect of the real operation and where it can be derailed. For example, you may plan to test production IT server recovery operations at an alternate site. Using a power outage as the cause of the event may not be realistic for your organization if there is an on-site power backup generator.

      • Develop an exercise script (see Note 2) based on the objectives and scenario developed for the exercise to ensure that the scenario plays out according to plan and to consistently capture all issues arising during the exercise.

      • Develop explanatory background material (for example, an organization description, if not using your own organization; business unit descriptions; scenario roles and responsibilities).

      Use Exercise Execution Best Practices for Exercise Success

      Once you have developed the exercise, you need to execute your plan. Use the following considerations and recommendations to ensure that the exercise is successfully executed and reported, and that all recovery plans are updated for gap closure.

      Execute the Exercise
      • Perform a pre-exercise key lessons assessment survey of all exercise participants to record their understanding of your organization's recovery practices.

      • Communicate to all parties that the goal of the exercise is to identify gaps and issues. Doing so sets exercise participant expectations and positions the exercise as a learning experience, rather than a judgment of success or failure.

      • Engage business unit exercise participants to validate results.

      • Conduct the exercise following the exercise script.

      • Track all issues arising during the exercise (use the exercise script to record the issues).

      • Perform a post-exercise key-lessons-learned assessment of all exercise participants to determine if the exercise was successful in improving their understanding of your organization's recovery practices.

      Communicate Exercise Results

      What organizational and BCM leaders do with the results of the exercise is just as important as any preparations for the exercise itself. It is important to capture and track unresolved issues and next steps. Communicating exercise results to organizational and BCM leaders, including positive performance results as well as areas of improvement, reinforces the need for continual exercising to mature the program:

      • Exercise planners should conduct a post-exercise debriefing meeting to capture early lessons learned and observations, as well as top-of-mind suggestions for improvement and next steps. If time permits, also review exercise results against stated objectives, and identify training requirements and/or updates to the plans or processes.

      • If time does not permit a more thorough debrief before adjourning the exercise, be sure to host debriefing sessions with exercise participants to capture their lessons, observations, plan updates and improvement suggestions.

      • All participants should be given the opportunity to evaluate the response and recovery process and provide their own input to the final measurement (see the Recommended Reading section for a BCM Toolkit containing relevant templates).

      • Exercise planners should create an after-action report to communicate the exercise results to key executives, managers and exercise participants. Commit to publishing the after-action report within two weeks of conducting the exercise; otherwise, people move on to other things, and the BCM team loses participant and management attention.

      Update Recovery Plans Based on Exercise Findings and Gaps
      • Based on the findings of the exercise, a gap closure report should be developed (often part of the after-action report) to ensure that all recovery plans are reviewed and updated based on the gaps found during the exercise.

      • The BCM program office or exercise leader(s) should use this gap closure report as a roadmap to report gap closure progress to management on a monthly basis.

      Use Business Continuity Management Planning or Crisis/Emergency Management Platform Solutions to Automate Exercise Management Tasks

      Developing and managing an exercise management effort can be a daunting task. There are many recovery plans and tasks that need to be tracked for the overall schedule, as well as for each exercise. To make that process easier and more consistent, organizations can use business continuity management planning (BCMP) or crisis/emergency management platform solutions. When used successfully, these solutions house any type of recovery plan as well as the workflow for the invocation and execution, or exercising, of the plans when needed (see the Recommended Reading section for Market Guide and Magic Quadrant on this topic).

      Acknowledgements

      We would like to thank Nancy Valente, CBCP and MBCI, who generously contributed her insights and experiences to the research note.

      Gartner Recommended Reading

      Some documents may not be available as part of your current Gartner subscription.

      Gartner provides clients with an online self-assessment maturity tool called ITScore for Business Continuity Management. The results presented in Table 1 are cumulative results from 1,021 clients who conducted their maturity self-assessment for BCM from September 2012 through December 2016.

      BCM leaders should understand the difference between an exercise and a test so that they select the right approach for the planned objectives:

      • An exercise is a rehearsal of response, recovery and restoration tasks with the needed recovery teams. An exercise's intended goal is to demonstrate and assess the staff's BCM competence and capabilities related to the objectives and scope of the exercise. The intent of an exercise is to learn from the event to improve recovery plans.

      • A test is a stand-alone event or component of an exercise with the goal of demonstrating operation of a business or IT resource in response to a disruption. Tests typically are pass/fail types of events, rather than a full assessment of competencies and capabilities.

      Use the template shown in Figure 4 to develop an exercise script.

      Exercise Script
