Disaster Exercises Designed to Improve Operational Resilience At the Iowa Bankers Association’s Technology Conference, I had the privilege of presenting to IT professionals who were there to learn the latest banking technology trends and solutions, including risk management and business continuity. Managing risk exposures effectively is critical to mitigating potential business threats. It’s especially true for the banking industry, where cybersecurity breaches, credit, market, liquidity and reputational risks can have devastating consequences to their operations. My presentation focused on designing effective table top exercises to prepare for potential threats that can’t be eliminated completely. I recommend that all businesses simulate an emergency operation center to practice business recovery. Through exercises, such as tabletop, walkthrough, simulation, test or full recovery, business personnel can be trained to respond effectively to a crisis, minimizing downtime and improve operational resilience. Here are the highlights from my presentation. Types of Recovery Exercises: Tabletop: The primary purpose of the tabletop exercise is to familiarize employees with the recovery process by reviewing the business continuity plan and strategies for their department’s functions. When conducting a tabletop exercise, it is important to create a scenario that is realistic, using a high probability and impact threat. This should be taken from the most recent operational risk assessment. Once the scenario story is developed, schedule individual team meetings to discuss the disruption scenario and outline appropriate responses. Each team should ensure their plan and checklists fully address all options for an effective and expedient response. Walkthrough: Walkthroughs are designed to verify process recovery dependencies are adequately addressed in plans by inviting multiple teams that have interdependent functions. This will help uncover gaps between individual team plans. When conducting a walkthrough exercise, validate dependency requirements and determine if they are accounted for in the recovery plan. Note gaps in the plans, resolve the issues and then update the plan documents. Simulation: Simulations provide a step-by-step enactment of serious company-wide scenario to test the company’s recovery readiness. This is important to ensure the overall effectiveness of the business continuity plans and recovery strategies. Company-wide participation in the simulation should be required. This type of exercise includes role playing, where teams conduct briefings and practice issue resolution. One primary objective of a simulation exercise is to improve communications, both internally and to external stakeholders, while managing the chaos. Test: The test exercise validates the effectiveness of the IT recovery plan related to a business process. The primary purpose of the test exercise is to recover a subset of processes with the supporting technology offsite. In certain emergency scenarios, you may not be able to go back to your office. This type of exercise confirms the plan works at an alternative location and reveals any gaps or faults in the recovery strategies or capabilities for a specific business function, such as payroll processing. Full recovery exercise: A full recovery exercise validates the time needed to recover from a high-impact threat if everything is down at one time. This is usually conducted by heavily regulated or critical infrastructure service providers to test the duration of recovery for a simulated catastrophic destruction of business assets. This exercise should include all critical staff assigned the roles and responsibilities for both business process and IT recovery. Speed is important with this exercise and while few companies practice full recovery, it is key in finding the capacity gaps of staffing and discovering the true recovery time capability of the company. Steps to Improve Effectiveness of Exercises: Exercise business recovery techniques regularly. Business recovery exercises are an effective method to eliminate gaps between interdependent team plans. It is the best way to familiarize a team with the process of response and recovery. Without a well-practiced business continuity plan, your business could be unprepared for a crisis. Start with a simple tabletop exercise. A tabletop exercise is an easy, yet highly effective, way to begin solidifying your business continuity plan. It is recommended to start with tabletop exercises first and then progress to more complex recovery practices. Use probable threat scenarios. Simulating the most probable, high impact threats will keep your business and employees better prepared and ready to respond when faced with a crisis. Use injects. Injects add more information to the exercise, exploiting gaps or vulnerabilities the company has yet to resolve. Often, these are messages typed on a slip of paper or delivered through an electronic notification tool or verbal messages to the exercise team that highlight communication problems or gaps in the plan. The team member receiving the inject may want to share the message with their team since it could affect decisions during the exercise. This also tests their ability to recognize the need to effectively communicate discovered impacts to the rest of the exercise team. Use exercise findings to improve your business’s risk management plan. After completing a recovery exercise, your business should have a workable list of issues and gaps to address and possibly discovery of new risks needing mitigation. Use findings to improve the recovery strategies and practice recovery again to ensure the updated plan’s validity. Once teams no longer discover issues, it is time to move to the next level of exercise. What is your organization doing to prepare for potential crises? Vicky McKim Vicky McKim is 1 of 125 professionals internationally to hold her level of certification. She is a Certified Risk Management Professional, holds a Master Business Continuity Professional Certification and is an Associate Fellow of the Business Continuity Institute. Vicky has 30 years of experience in the field of risk management, business continuity, and disaster recovery, including BCM Program Director for two global organizations. Vicky has spoken and taught at national, regional, and local conferences for more than 15 years. Her experience provides her audience with a proven perspective on how to improve risk controls and continuity for their business operations, along with many practical examples of what the next steps may look like. Vicky's stories and practical guidance empower those listening to take action to create more resilient environments for their workplace.