STRUCTURED EXTERNAL ASSIGNMENT
Chapter 9
Orientation, Exercising, and Testing
Introduction
All elements of the Plans must be exercised, simulated, or tested
ISO allows progressive exercising and testing
ISO Guidance 22398.2 Guidelines for Exercises and Testing
Not a standard
Exercise and testing:
Validates effectiveness of strategies
Ensures accuracy of information
Increases preparedness
Reveals gaps
Identifies misplaced assumptions
Ensures BCMS objectives will be met
Validates training
Identifies gaps in communication and coordination with outside agencies
Demonstrates Top Management Support
Exercising and Testing should also apply to BCMS
Must include Top Management
Prevents spontaneous action
Exercise is to train, assess, practice, and improve (ISO 22398)
Test is pass or fail of equipment or system
Exercise Program Document
Identifies Exercise Director
Can be the Business Continuity Manager or designee
Should define roles and responsibilities in plan
Should understand exercise practices and project risk
Types of Exercises
All are scenario based
Two types:
Discussion based
Operations based
Exercise types:
Alerts
Start
Staff
Decision
Management
Cooperation
Crisis Management
Strategic
Exercise Campaign
Exercise Methods
Seminar and Workshop
Exercise risk low
Tabletop
Controller
First read by many team members
Scribe
Low to medium risk
Games
Low to medium risk
Drills
Effectiveness
Risk low to medium, could be high for participants
Functional Exercise
Multiple definitions
Actual live practice of a function
Command and control of multi-agency coordination
No “boots on the ground”
Can be an extension of a drill
Medium risk
Full Scale Exercise
Similar to Functional exercise
Actual operations conducted in real time or near real time
Can involve outside agencies or organizations
Business application includes hot site test
Other methods not mentioned in standards include:
Desk Check
Call Tree Exercise
Relocation Exercise
Off-site Storage
Can be high risk
Complex Tabletop exercise
Make exercises a positive but challenging experience
Scheduling Exercises
Schedule must be developed and maintained
All elements of plans must be exercised with increasing complexity
Consider time constraints when scheduling
Time to conduct exercise
Evaluation of results
Exercise Plan updates
Preparation of metrics and Management Reports
Rate of two per year
More complex annually
Can focus on risk or poor performance
Major changes can force redirected exercising
Orientation
All participants must undergo some degree of orientation:
Understand contents of the plan
Understand the purpose of the exercise
Understand their roles and expectations of the exercise
Rules and exercise protocols
Know the code word to stop the exercise
Become aware of safety hazards and controls
Communication protocols
Technical
Exercise related
Simulation Cell
Actors
Observers
Orientation Management
Exercise Program
Exercise design requirements
Documentation for each exercise
Improvement process
Top Management’s role in exercise program
Active participation
Defines metrics
Exercises progressively build skills, test strategies, and improve plans
Exercise Design
Select objectives
Attainable
Clearly stated
Measurable
Test specific actions or specifications
Establish scope of the exercise
Decide exercise method
Develop realistic scenario
Story that leads players to achieve exercise objectives
Believable
Realistic
Relevant
Simple
Accurate
Can relate to risks identified through BIA or Risk Assessment
Can test ability to analyze information and make decisions
Design exercise plan. Full scale plan should include:
Confidentiality
Safety
Exercise Risk
Exercise Objectives
Scenario
Introduction of scenario to players
Develop fact sheets for the Simulation Cell
Time Line
MSEL
Message Injects
Informational
Control
Inject list for Simulation Cell
Contingency messages
At least one Simulator should participate on exercise design team
Develop Controller and Evaluator Handbook
Exercise Evaluation Guides
Notify participants
Select Controllers, Evaluators, and Simulators
Identification vests
Orient appropriate participants
Conduct exercise
Controllers
Function of Controllers
Positioning
Knowledge of exercise details
Experience
Free play
Technical expertise
Positive approach
Evaluators
Function of Evaluators
Technical knowledge of area evaluated
Understand exercise process, goals, and objectives
Fair and unbiased evaluation
Understand scenario realities
Each task evaluated must have a performance expectation
To what degree was the task completed or not completed
Was it completed in an appropriate time frame
Task completion framed within:
Task Level Analysis
Activity Level Analysis
Capability Level Analysis
Evaluators can comment on their observations
Simulators
Function of Simulation Cell
Simulation Cell location
Communication with Simulators
Begin and end messages “this is an exercise”
Discuss result and prepare reports
Revise plans or management system
After Action Meetings and Report
After Action Report combines data from meetings:
Hot Wash
Participation
Feedback form
Questions and discussion
Controller and Evaluator Meeting
After Hot Wash
Discuss observations and recommendations
Checklist notes can be clarified
Draft After Action Report meeting
Factual accuracy
Presentation of final report
Include Improvement Plan
Stands alone with the Exercise Plan
Describes pertinent elements of exercise
How objectives were or were not met
Each deficiency or nonconformance should have corrective action
Approved by Top Management
Summary report can be distributed to participants
Repeat exercise if major deficiencies discovered after corrective actions implemented
Review
A documented program to exercise and test plans and the Business Continuity Management System is developed
Demonstrates active Top Management Commitment
Ensures objectives of the program will be met
Exercises are scenario based
Scheduled at planned intervals
All portions exercised with increasing complexity
All exercises produce some degree of documentation and corrective action