The Value of Exercising and Training in Building Resilience

One of the main tasks of the business continuity professional is to make sure that staff are equipped to face a crisis. Activities such as training, raising awareness and exercising are essential to make sure the plan is carried out effectively in the case of a disruption.

Training and awareness initiatives should be employed to embed business continuity within an organization, to make sure personnel know the function of response plans and understand their importance. Training and awareness campaigns have to go through several stages to be conducted successfully. First of all, the business continuity manager needs to assess what the current situation is and who is the target, then the campaign is designed and finally it is reviewed to monitor its outcome[1].

Exercises, by contrast, work towards validating the plans. They have a key role in showing whether an organization is ready to face an actual crisis, while providing information on what may not work. There are various types of exercises that can be set up, ranging from tabletop exercises to simulations or unit-specific ones. As with training and awareness campaigns, once the exercise is over there needs to be a monitoring phase where the outcome is reviewed[2].

It is important to keep in mind that exercises should bring a clear benefit to the organization. Hence, the business continuity manager must identify realistic scenarios and design the exercise so that it would be of practical help should a crisis happen. To tailor this type of activity to a specific organization, it is also necessary to conduct a sound risk and threat assessment to better identify the threat landscape. This process should look at the likelihood and impact of any risks and threats, to better understand what trends to focus on[3]. It is somewhat worrying that roughly a third of organizations (30%) perform no trend analysis at all when scanning for potential dangers[4].

The value of exercising, training and awareness lies in an improved response to disruptions across various resilience functions. For instance, in the case of emergency communications management, organizations that have training and education programmes in place are able to activate their plans more quickly than those who don’t. Previous BCI research shows that 91% of the organizations that have adopted such programmes activate their emergency communications plans in less than 1 hour, which is a 12% increase compared to those who do not have training and education at all[5].

Similarly, those who do not check or validate their business continuity plans tend to have significantly less visibility of their supply chain. Indeed, 41% of those that do not perform supply chain exercises also admit to not recording or reporting disruptions. By contrast, this figure is much lower (21%) among those who do run exercises. In addition, validating your plans tends to affect top management buy-in, as those who run exercises experience higher levels of top management commitment[6].

Preparedness pays off in the context of cyber resilience too, since having awareness-raising initiatives as well as exercising plans is associated with a more effective cyber response. For instance, 40% of those who promote awareness and conduct regular exercises initiate their response to a cyber attack in less than one hour, a much higher figure compared to those who do not validate their plans at all (23%)[7].

As these figures show, training, awareness and exercises are positively correlated with improved responses across different cases and different functions of organisations. No plan can be good enough if those involved do not feel comfortable with it or are not familiar with it. A good response plan begins before a crisis occurs, by preparing for it and reducing the margin for error to a minimum.

[1] https://www.continuitycentral.com/index.php/news/business-continuity-news/544-business-continuity-training-and-awareness-raising

[2] https://www.thebci.org/news/top-tips-for-running-a-business-continuity-exercise.html

[3] BCI GPG

[4] Horizon scan report 2018

[5] Emergency communications report 2017

[6] Supply chain report 2017

[7] Cyber resilience report 2018

In my presentation at the ‘ISO 22330 – Duty of Care in a Crisis’ event hosted by Fortress Availability Services Ltd on Thursday 4th October, I will explain these principles in more detail.

Other experts in the field also speaking at this event are:

  • Dennis Flynn, OBE – Exceptional team performance in a crisis.
  • Richard Stephenson – Communication technology delivering Duty of Care in a Crisis.
  • Jon Mitchell, Clearview – Maximising employee engagement in resilience.

Let’s talk! Get in touch to find out how we can help on +44 (0)20 3858 0099 or [email protected]