Use tabletop exercises to stress-test your business continuity management and make sure critical personnel are familiar with the BCM recovery plans.
The wildfires wreaking havoc from Southern Europe to Scandinavia to California offer a timely reminder that natural disasters are difficult to plan for. Businesses need to make sure their continuity plans remain robust and current, stipulating exactly how operations will resume after a natural disaster, or after an operational one such as a broken contract.
In a recent Gartner survey, 83% of respondents reported having a defined response plan for a cyber-related incident, and 75% had plans to deal with the effects of a fire or explosion.
“Even just a few moments of downtime can be costly, so it is essential that firms implement sound business continuity procedures,” says Gartner principal executive advisor Ian Beale. “In fact, more than 40% of businesses will never reopen after a major natural disaster.”
The number of incidents that organizations face continues to rise. In a 2016 survey, 22% of organizations reported 11 or more disruptions over the prior 12 months, a 15% increase from the year before. The costs of such incidents are also rising. In 2016, an unplanned data center outage cost $740,000 on average, up 38% from just six years prior.
“Tabletop” your plan
Without formal processes and guidelines, ad hoc responses will likely extend downtime and business loss. An effective business continuity management (BCM) program enhances enterprise resiliency and helps the organization react to and recover from unanticipated business interruptions. A plan that has never been exercised is an untested assumption: plans must be tested to confirm they will actually carry the organization through a disruption.
Tabletop exercises for BCM test the effectiveness of the procedures and safeguards in place to respond to and recover from specific continuity incidents, whether a cyber incident, a site loss or a supplier failure. They are an effective way to gauge organizational preparedness and awareness, and to uncover flaws or gaps in recovery plan design before a real incident does.
Learn more: Gartner Principal Executive Advisor Ian Beale hosts a webinar for the Institute of Risk Management.
Mind your own “business”
The first step in a tabletop exercise is to define the threats and risks that are specific to your organization. A risk that is top of mind because of the global news cycle is not automatically the No. 1 threat to every organization.
Although business continuity incidents are becoming more frequent overall, organizations should still prioritize their own scenarios. When prioritizing risks, consider, in order, your firm's regulatory obligations, the maturity of the existing response plan, the criticality of the affected process to business operations and, finally, the complexity of the response plan. From there, leaders can draft relevant and comprehensive scenarios.
The single most important consideration when conducting a tabletop exercise is the clear assignment of roles and responsibilities for participants and facilitators. Effective tabletop exercises should include each of these roles:
- Scribes. Individuals from the business who document the key actions taken, and issues and findings from the exercise. These individuals work with the facilitator to ensure all findings are adequately captured.
- Evaluators. Employees who know the processes being exercised and evaluate players’ responses against the established objectives. Functional expertise for evaluators is critical, as they must be able to consider the feasibility and efficacy of players’ decisions.
- Recovery Team Communications. For larger exercises, players may be broken into smaller teams to represent specific business functions/units. One player is selected from each team to act as a liaison with other teams. Only team communicators can communicate between teams. At the end of the exercise, they also communicate lessons learned to the scribes.
- Players. Exercise participants actively involved in responding to the presented scenario. They decide whether and how to enact the response plan. Those with direct responsibility under the plan are there to practice executing it, while those without direct responsibility participate as a cross-training or awareness opportunity. Ideally, the players comprise a mix of functional leaders and frontline management.
- Facilitator. The individual responsible for running the exercise. This includes presenting the scenario as well as any additional elements, such as injects (new developments introduced mid-exercise to test how the plan holds up as the situation changes). The facilitator can be internal, such as the head of business continuity, or an external party such as a hired consultant. Experience conducting and facilitating group workshops should be prioritized above knowledge of the business and its operations when selecting a facilitator.
- Observers. Individuals from the organization who know the business well but are not directly involved in the exercise. Players consult them during the exercise to learn more about particular elements of the scenario. Ideally, observers should be experts in every functional area the scenario affects.
Tabletop exercises are an effective and inexpensive way to test the efficacy of business continuity and disaster recovery plans. They can be applied across a broad set of scenarios and are not confined to testing IT resiliency and security. To get the full benefit, organizers need to decide which response plans to test first, draft relevant and comprehensive scenarios, and clearly define the roles and responsibilities of everyone involved.