From theory to practice: The value of exercising, training and awareness in building resilience
One of the main tasks of the business continuity professional is to make sure that staff are equipped to face a crisis. Activities such as training, raising awareness and exercising are essential to make sure the plan is carried out effectively in the case of a disruption.
Training and awareness initiatives should be employed to embed business continuity within an organization, to make sure personnel know the function of response plans and understand their importance. Training and awareness campaigns have to go through several stages to be conducted successfully. First of all, the business continuity manager needs to assess what the current situation is and who is the target, then the campaign is designed and finally it is reviewed to monitor its outcome.
Differently, exercises work towards validating the plans. They have a key role in showing whether an organization is ready to face an actual crisis, while providing information on what may not work. There are various types of exercises that can be set up, ranging from table top to simulations or unit-specific ones. Similarly to training and awareness, after the exercise is over there needs to be a monitoring phase where the outcome is reviewed.
It is important to keep in mind that exercises should bring a clear benefit to the organization. Hence, the business continuity manager must identify realistic scenarios and design the exercise so that it would be of practical help should a crisis happen. To tailor this type of activity to a specific organization, it is also necessary to conduct a sound risk and threat assessment to better identify the threat landscape. This process should look at the likelihood and impact of any risks and threats, to better understand what trends to focus on. It is somewhat worrying that roughly a third of organizations (30%) perform no trend analysis at all when scanning for potential dangers.
The value of exercising, training and awareness lies in an improved response to disruptions across various resilience functions. For instance, in the case of emergency communications management, organizations that have training and education programmes in place are able to activate their plans more quickly than those who don’t. Previous BCI research shows that 91% of the organizations that have adopted such programmes activate their emergency communications plans in less than 1 hour, which is a 12% increase compared to those who do not have training and education at all.
Similarly, those who do not check or validate their business continuity plans tend to have significantly less visibility of their supply chain. Indeed, 41% of those that do not perform supply chain exercises also admit not recording or reporting disruptions. On the contrary, this figure is much lower (21%) among those who do run exercises. In addition, validating your plans tends to affect top management buy in, as those who run exercises experience higher levels of top management commitment.
Preparedness pays off in the context of cyber resilience too, since having awareness-raising initiatives as well as exercising plans is associated with a more effective cyber response. For instance, 40% of those who promote awareness and conduct regular exercises initiate their response to a cyber attack in less than one hour, a much higher figure compared to those who do not validate their plans at all (23%).
As these figures show, training, awareness and exercises show a positive correlation with improved responses across different cases and different functions of organizations. No plan can be good enough if all those involved do not feel comfortable or are not familiar with it. A good response plan begins before a crisis occurs, by preparing for it and reducing the margin for error to a minimum.
On October 4th, four experts in the field will be presenting on this topic, at the ‘ISO22330 – Duty of Care in a Crisis’ event hosted by Fortress:
- Dennis Flynn, OBE – Creating exceptional crisis team performance.
- Gianluca Riglietti, BCI – The value of planning, exercising and training.
- Jon Mitchell, Clearview - Maximising employee engagement in resilience
- Richard Stephenson, Yudu – How communication technology helps meet the duty of care.
There will also be time after for networking and the opportunity to view the Fortress Crossharbour recovery centre, so you can see what they are doing differently and how they have taken on board the sentiment of ISO22330.
For the agenda and to register for this free event go to: http://fortressas.com/duty-of-care-in-a-crisis/
 BCI GPG
 Horizon scan report 2018
 Emergency communications report 2017
 Supply chain report 2017
 Cyber resilience report 2018