Why do crisis or business continuity exercises?
Are exercises really that valuable to maturing a crisis management or business continuity strategy?
In this episode of the Managing Uncertainty podcast, Bryghtpath Principal & CEO Bryan Strawser takes on that topic and more. Topics discussed include effective exercises, tabletop exercises, simulation exercises, integrated exercises, business continuity, crisis management, information security, data breaches, and the need to build muscle memory for crisis teams.
Hi, folks. Bryan Strawser, Principal and CEO at Bryghtpath, and welcome back to the Managing Uncertainty Podcast. Today we’re going to talk about why we do crisis management exercises. Why do we exercise our plans?
One question that we get a lot here at Bryghtpath from prospective clients is about coming in and running crisis exercises of some type. It could be a tabletop exercise. It could be a full simulation exercise, where you’re actually working through and doing some of the things that are in your plans, or all of the things that are in your plans, or some variation on the exercises. It could be a virtual tabletop instead of an in-person tabletop, so on and so forth.
Now there are a number of reasons that you want to exercise your crisis management plans. The first one is to see if it works.
If you create the exercise scenario correctly, and you set the type of exercise that you’re doing correctly for what your goals are, you can test and see if your plan would actually work in the crisis situation that you intend it to work in.
And what I mean by that is not necessarily that you’re going to be successful in managing the crisis, but that you’re testing the processes that you put into place in your plans.
For example, we do a number of data breach exercises, or other crisis exercises, where there’s a significant internal and external communications component. And we’ve often found in the plans and exercises that we’ve been involved in that one of the challenges is actually working through that communications process.
Think about the number of moving parts in a data breach when it comes to what, and how, and when, and where you’re going to communicate what has happened. And particularly if you’re in a regulated business, you have to balance the need to communicate internally with communicating with your customers, your stakeholders, your vendors, your regulators, and of course, your employees and leaders, and your institutional investors.
So, there are a number of audiences that really come into play as you’re thinking about crafting that communication, and you will likely have, as most companies would have, a relatively robust communications review and approval process.
If you think about your typical large scale communications campaign within a company, if you’re not time pressed, if you’re not being forced to communicate something due to external threats and influences, well, you have all the time in the world to create your communication strategy and publish the communications on your timetable.
But in a data breach, you don’t have that. You are balancing the challenges of regulation, which might require you to disclose within a certain period of time. You’re balancing the challenge of notifying your stakeholders that that communication is coming from you and not from a third party. You have the issue of the press finding out that something has happened, whether through their own investigation, or because of a leak of some type inside your company. And then, law enforcement, particularly federal law enforcement, may know about the data breach, and are pressuring you to communicate or not communicate what’s going on.
These are all things that can be simulated in the course of an exercise, and the appropriate amount of stress, put on the process … Not really trying to stress out any individuals … But we can put the right amount of stress on the process to give folks a window in which communication has to be drafted and approved within the exercise and published.
And if not, then we can have adverse things happen. So here, that’s just one example of things that have to happen in a data breach, but what we’re really testing here is: does the plan and the process work? And often we find, for the first exercise where we do this, that those processes are inadequate. That they are too cumbersome, too bureaucratic, not streamlined enough, but you don’t know that until you try and exercise those kinds of plans.
Another reason to exercise your plans is that people change. Roles change; you get new individuals in roles. You have individuals joining the company from outside. You have folks that have left. You have new structures and new positions, new team alignments, new org charts, new challenges that have come to your company.
By exercising this, we build the muscle memory in a crisis that we really want to have. And that muscle memory goes back to the focus of being familiar with the plan, understanding the processes and procedures, and being able to react as things happen in the course of the exercise.
For newer employees, newer members to your team, newer members to your crisis process, this helps them familiarize themselves with the processes, and procedures, and expectations that are going to be at play for them as they work through a future real crisis situation.
Another reason we exercise is that the plans may simply become obsolete. As your technology changes, as the challenges change, as the reputational landscape evolves, perhaps the plan that you have today is simply not adequate anymore. And you need to have a new plan, a new annex or major changes to your plan, in order to really address what’s changed in the environment, what’s changed in your company.
I wouldn’t say that you necessarily need to start over, but perhaps in some cases, in a rare circumstance, you do need to throw out the plan and start over.
Another reason we exercise plans is to show leadership that the plan is not sufficient. Often we find this happening when a subject matter expert within crisis management, or business continuity, or disaster recovery has been arguing that the current planning is inadequate, that the resources provided to the team are inadequate. They’re not sufficient to be able to lead the organization through a crisis situation.
You can use an exercise as a way to show the inefficiencies, the insufficiency of a plan. You can show that the current processes do or do not work. And if you’re using a third party to do this, then you can get a fairly unbiased view of what is and isn’t working, by doing a solid crisis exercise or continuity exercise that really demonstrates that one way or the other, and makes recommendations for your team and for leadership.
And then, in some cases, we’ve even been brought in to work with a client on doing an exercise where there is no plan, and it helps leaders understand, in the moment of a complex situation, that they see in an exercise, that, “Wait a minute, we really do need to have some documented processes. We really do need to have a plan on how we’re going to manage these situations moving forward.”
Much of this comes down to how your exercises are structured, what the goals of those exercises are, and whether there’s adequate time given for the exercise in order to reach the goals that you’ve outlined.
We like to do exercises in a kind of order. As the crisis management capability of a company matures and evolves, then the exercises should become more complex and more difficult.
When we are working with a client that has a relatively new crisis management plan in place, or kind of a rebirth of a crisis management plan, we really like to do exercises, at first, from a confidence building standpoint. Let people get comfortable with their roles, understand the expectations within the crisis, and use that in order to kind of build those initial maturity steps for the organization.
But over time, we’d like to make these exercises more difficult by introducing new factors, by introducing more injects during the course of the exercise. We like to introduce injects in different ways. We like to use e-mail. We like to use audio visual news stories that pivot one way or the other, as the team does or doesn’t do certain things. We like to have live phone calls come into the exercise and force someone to deal with something in real time, and then report the output of that.
We even like to have multiple calls come in, and have the team have to work through these very asynchronous movements within the exercise that cause actions to happen, or cause the crisis team to have to react to some things that are going on.
All of these fit within a solid exercise strategy, and really help move the organization along, in terms of maturing the process through those experiences that folks have gone through.
So, just to summarize briefly why we exercise crisis plans. First, we’re checking to see if the plans and the processes defined within the plans work. We’re thinking about new people, new positions and new challenges as the organization changes. We’re thinking about the external influences, how the plan may need to adapt, or even the plan becoming obsolete and needing to be significantly updated or started over.
Sometimes we need to show leadership that the plan is insufficient, that there are insufficient resources and things need to be done. And also to show the leadership that there’s a need to even have a plan, since some organizations have not even made that type of an investment.
We’re always trying to build muscle memory, as we work through these exercises, so that in an actual crisis folks are familiar with the plan, they’re willing to work together, their relationships are in place, and we’re able to move towards a successful conclusion to whatever critical moment that your company is faced with.
We’ll go ahead and end things there. Thanks for listening to this episode of Managing Uncertainty. We’ll be back next week with a new episode. Thank you.