Digital Software Tools for Improving Exercising and Testing in Business Continuity & Resilience Management
COVID pointed up the need for exercising and testing. But how.
If this compounding crisis moment has taught us anything, it’s that businesses can’t just plan for critical incidents. They must also make maximum use of the controlled, risk-managed environment of exercises and testing before crises.
That they can do by stress-testing their business continuity and resilience plans under conditions that best approximate the crisis scenario.
The question, of course, is how – and what a question it is. Even after years of COVID-related disruptions, business continuity and resilience practitioners still complain that pre-crisis testing doesn’t sufficiently prioritize complex disruption scenarios.
How, then, can organizations go about improving the quality of their exercise management regimes?
Best-practice frameworks for improving exercising and testing
Following best-practice frameworks can get you some of the way there.
International standard ISO/DIS 22398, for instance, lays out such a framework for performing resilience testing and exercises, outlining the procedures necessary for planning, implementing, managing, evaluating, reporting, and improving exercises. Which of its many procedures, though, goes to the heart of answering the prioritization question?
The needs and gap analysis comes to mind. In the exercise and testing context, the needs and gap analysis serves to establish the very need for exercises and testing based on an assessment of company risk, then helps to develop a plan to execute exercises and testing to address those risks.
Organizations, for their part, undertake the process by asking themselves some if not all of the following questions:
- Does the exercises and testing plan address requirements for exercises and testing?
- Can the exercises and testing plan promote consensus with interested parties?
- Does the exercises and testing plan offer an opportunity to reach and interact with its target group(s) and potentially address their interests?
- Does the exercises and testing plan provide an opportunity to address multiple issues in depth?
- Does the exercises and testing plan focus on key issues?
- Does the exercises and testing plan provide information tailored to the target group(s)?
- Is the exercises and testing plan practical and relatively easy to implement?
- Does the exercises and testing plan provide for information transfer at relatively low cost?
- Is the exercises and testing plan easy to update?
- Is the effectiveness of the exercises and testing plan measurable?
- Is the exercises and testing plan a good vehicle for education?
- Is the exercises and testing plan creating a constructive and supportive atmosphere?
- Is the exercises and testing plan an effective way to get publicity or increase public awareness?
- Does the exercises and testing plan conform to the organization's constraints?
Moving away from generic testing
Answering these questions helps companies get over one stumbling block to exercise management quality. And that’s generic testing.
Instead, companies should use the gap analysis process to develop customized exercise management programs, better suited to addressing specific business risks, with the resultant gap analysis signaling to planners what kind of exercise (out of the many available options) that they should be conducting and what testing that exercise necessitates.
From there, organizations can move through the generic stages of testing and exercises. Stages which include the following:
- Run through
- Start-up briefing
- Post-exercise briefing
Per best practice, the after-action report caps the process in its final stages. What does the after-action report get you?
Well, the after-action report gives organizations an overview of the exercises and testing performed, inclusive of reports on any successes against performance objectives as well as issues identified and subsequent remediation actions to be taken and by whom.
Digital capabilities to improve exercise management
Of course, best practice, full-lifecycle exercise management processes don’t just implement themselves, as many companies floundering to put a best-practice program together, can attest. What can they do to ensure that the program comes together efficiently, with the necessary tools to ensure planning self-improvement through exercises?
That’s where integrated business resilience software comes in. Using the new digital transformation technologies of analytics and workflows, these platforms help businesses to (1) better anticipate and identify trends, (2) prevent situations that may generate an interruption, and (3) respond more efficiently to disruptions that do arise.
They also work to better fuse the planning and exercise management competencies together within the greater business continuity and resilience management program.
Well, the platforms in question function as plans. That means when customers need to develop their continuity and resilience plans, all the data they have previously entered seamlessly comes together. This way continuity and resilience managers don’t have to go sifting through documents to find the data they need, eliminating the risk of someone referencing an out-of-date plan during a crisis.
What’s more, because the plan is in the platform, multiple stakeholders can collaborate on the development and updating of the plan, which enables better engagement. All data associated with building the plan is managed centrally, in a controlled way. And data points only need to be captured once and updated, which reduces the risk of duplication.
The platform as plan approach leads to more efficient exercise management, as does the platform’s own enhanced exercise management functionality.
What are they?
For starters, exercise dashboards navigate users and their teams through each phase of an exercise, ensuring everyone understands what needs to be completed and when. From there, the platform’s automation capabilities ensure the correct teams and/or personnel are invited to participate in the exercise and receive regular updates via automated notifications throughout the exercise.
Once the exercise is activated, all users can easily see what type of exercise is being
completed. And based upon the affected assets/activities, the recovery strategies required for the affected assets will automatically be populated for the team.
Built-in communication and collaboration tools, e.g., chat, email, SMS, and voice messages,
then, make it easy to collaborate in real time, better coordinate responses, and keep everyone informed.
The platforms also provide the capability to record meetings, minutes, and action items. This is a mirror of the platform’s incident management functionality, designed as such to ensure a consistent user experiment. Which gives practitioners the benefit of familiarity in the event of a crisis.
Of course, exercise management is only one aspect of business continuity and resilience management. What of the remainder? Digital business continuity management software can help there, too, with capabilities purpose-built to improve core process, such as the Business Impact Analysis and more.
What do those capabilities look like? Download BCI Corporate Sponsor, Noggin’s, Buyer’s Guide to Business Continuity Management Software to find out.