How and when should you test your crisis plans - and why should you bother? asks Peter Power

We live an age where the unthinkable has become possible and the unlikely almost commonplace. Although ours is the first generation where many of us can say that we have lost not a single relative to war, famine or disease, we are also the first generation to witness the spread of weapons of mass destruction and the equally rapid spread of communication.

Against this background, what should you consider when you examine your own contingency arrangements? How realistic can you get when you test your business continuity (BC) management structures? What should you do to simulate a probable (as opposed to possible) disaster to exercise your crisis management (CM) team? Is it easier just not to ask and take a chance that things will be okay?

Having helped many organisations run useful tests and exercises over the past 20 years, I have come to recognise that you should not be inhibited from planning a practice exercise by contemplating the few truly exceptional crises for which it is a truly daunting task to plan. Instead, identify some of the key issues that may affect the business, such as the perception of terrorism, threats to supply chains, the diversity of risks, mass communications, and so forth, and concentrate on the more likely scenarios. It is worth remembering that chance definitely favours the prepared. Also it is worth distinguishing between a test and an exercise.

  • A test runs through those emergency plans that have been prepared, either to validate them, or, more likely, to identify possible points of failure. A good test will reveal the weaknesses and strengths of he plans, without the players feeling that it was a waste of time.
  • Once the lessons from the test have been thought through and all changes (and training) completed, an exercise, will familiarise the listed BC and CM players with their intended roles, .

    Running a scenario-based simulation provides organisations with the opportunity to anticipate and proactively respond to potential crises before they occur. Such tests are very useful tools for identifying the strengths and weakness of a planned organisational response, and for identifying areas for improvement in what is a comparatively risk-free environment. Of course, only by responding to an actual event will an organisation get the true picture of its capabilities. But the process of selectively testing in advance, under simulated conditions, what might actually occur in reality, can give early and vital clues about the likelihood of success or failure should the worst happen.

    Exercises can range from the simplest of discussion-based tabletop exercises to drills and full-scale simulations that will comprehensively test a company's CM capabilities. They must, however, test how people, not just the systems, respond. Human nature must also be put under the spotlight.

    Unfortunately, too many crisis planners ignore human nature. Such practitioners see the processes they are dealing with as highly systematic, cerebral, and conscious. "If you know what you are doing, you can explain the process to others", is the line they take. Emotion is something that clutters up the calm processing of information and is nearly always factored out of the equation. However, if emotion is ignored you can be sure that a crisis will soon follow.

    It is worth noting a recent comment from Steve Bass, senior vice president at the New York Board of Trade. "No matter how well you have planned, you haven't planned for it all. Few people ever thought that during the recovery effort they would have to ask the question: 'Who is alive?'"

    Tabletop exercises are normally discussions of hypothetical crisis scenarios among the individuals or teams with roles to play in an emergency. The objectives vary, but generally the focus is on broad issues including policy, identifying response strategies and roles, and sharpening decision-making skills in a risk-free environment. Such exercises are often run in a board room setting - literally around a tabletop. These relatively low cost activities are very effective tools, providing they are handled well. But just using the board room is not enough.

    Not long ago, I helped a well known UK company to run a test and was invited up to the board room to facilitate it. This is normally a good sign, since it indicates executive commitment. However, it was soon made clear to me that the only reason for using this room was the size of the table, which just happened to be the only flat surface in the building big enough to lay out all the BC plans. This was a direct clue that more effort was needed to streamline BC management and then to build in human emotion before carrying out the test. There is no point testing something that is bound to fail at the very first hurdle.

    Recurring themes

    Based on numerous feedback reports following many tests and exercises, here are some of the most commonly recurring themes.

  • Many existing BC plans do not reflect the requirements of the business. The expectations for the speed and size of recovery after the disaster are too often based on hope rather than reality.
  • Business expectations are focused on continuity, whereas plans are all too often focused on recovery, sometimes days or weeks later.
  • Too many plans take the form of a spurious comfort factor and have been written to protect the author, rather than inform the reader.
  • Identifying and managing risks are not properly understood, especially by small and medium sized organisations. Risk management is not just about buying insurance. It should be a crucial process for any business.
  • The Management of Health and Safety at Work Regulations 1992, concerning risk assessment, procedures for serious and imminent danger and protection are often ignored and only grasped when it is too late. For example, there is the 'duty of every employer ... to ensure persons ... are not exposed to risks to their health or safety', and so on.
  • Many organisations are routinely operating in breach of these regulations. In particular, they are not properly addressing their duty of care, and misunderstand their obligation to look after the health, safety and welfare of employees. Unfortunately, this widespread ignorance only becomes apparent when disaster strikes. Ignorance is, of course, no excuse under the law.
  • There is an urgent need for improved dialogue between the insurance and the BC industries, aimed at developing initiatives that will more effectively manage the risk of insuring UK businesses.
  • We also need to move towards a uniform standard for BC provisions. This will represent a mark of quality, upon which any organisation with critical processes can rely. In turn, the insurance industry should recognise it, so that buying continuity cover ceases to be thought of as a grudge purchase.
  • The cost of testing, training and exercising in advance is always less than that of not doing it and then facing a disaster. As one CEO put it: "If you think training is expensive - try ignorance".

    Here are a few actual quotes from BC and CM teams who have enjoyed a useful test.

    "The CEO. was exhausted, the MD was exhausted, all of us were exhausted. I found it comforting that, on day one, we were so totally unanimous."

    "We now know how solid our boss is. A man with both feet planted firmly in the air."

    And my favourite, from a CM team who only discovered when tested that they were not the right people for the task, yet found it impossible to accept. When everything had fallen apart, the team leader, coincidentally the head of public relations, summed it up as: "We didn't fail. We just couldn't wait for success, so we went ahead without it!"

    Peter Power is managing director of Visor Consultants Limited (www.visorconsultants.com). He has run workshops on the concept of preventing chaos in a crisis in Japan, China, US and Europe, and was selected by the UK Department of Trade & Industry to write the Best Management Practice Guide on Business Continuity Planning & Risk Management, "Preventing Chaos in a Crisis". He also wrote the British Institute of Facilities Management guide on BC Planning. He has a senior Scotland Yard background, including secondment to the Anti Terrorist Branch, and is a special adviser to the UK Disaster Management Forum.

    PROGRESS SLOW DESPITE DISASTERS

    UK businesses continue to ignore the threat of potential disasters, according to research published in March. Nearly a third (30%) have no plan in place to lessen the impact of catastrophes such as the September 11 terrorist attacks or the foot-and-mouth epidemic.

    The research by the Chartered Management Institute (CMI), published in association with the Business Continuity Institute (BCI), shows that 58% of UK organisations were disrupted by September 11, with one in eight severely affected, while 44% per cent were hit by the foot-and-mouth epidemic, with one in 12 particularly badly affected.

    The research shows that the private sector was far worse hit by September 11 than the public sector - 71% compared to 50%. With foot-and-mouth it was the other way round, with 60% in the public sector suffering, compared to 34% in the private sector. This is explained by the shockwaves sent through commerce - particularly through the financial sector - by September 11, whereas a large part of the government machine, especially local government, was drawn into the foot-and-mouth outbreak.

    It also reveals that in both cases it was the big organisations that were hit the hardest. With September 11, the difference is especially marked. Thirty nine per cent of organisations with an annual turnover of up to £1m were disrupted, while 75% of those with a turnover of £101m to £500m were caught in the aftermath because of their longer supply chains. However, in organisations that regularly tested their business continuity plans, managers were more than twice as likely to report that the effects of September 11 were reduced as a result.

    The research highlights the impact of globalisation and complex inter-relationships in modern business. Sixty eight per cent of respondents outsource facilities or services. However 51% do not insist on their outsource suppliers having business continuity plans. This leaves them vulnerable to disruption, as happened during the 2000 UK fuel crisis.

    Growing recognition of the importance of risk management and business continuity management is reflected in the fact that 86% of respondents believed that risk management should be included in directors' responsibilities, and 60% believed they should include business continuity.

    CMI research in 2001 indicated that senior managers' interest was declining after the high priority given to business continuity management in the run up to Y2K. However, this trend has been reversed as a direct result of September 11, with 82% now rating it as important.

    The research shows that business continuity must now go beyond planning for the loss of IT capability and buildings. Those experiencing loss of skills over the past year increased from 1% in 1999 to 33% in 2002. In the same period, the proportion experiencing negative publicity leapt from 2% to 24%, while the effect of floods increased from 4% to 18%.

    Those questioned were asked what they considered to be the key drivers for business continuity management. The biggest push is coming from customers, both existing and potential, who have themselves experienced serious disruption due to supply chain failure. The next two key drivers are the requirements to demonstrate effective corporate governance and the approach being taken by government and the regulators. UK government is now insisting that central departments, local authorities, education services and health and emergency services implement business continuity management.

    The Department for Transport, Local Government and the Regions (DTLR), funded the project as part of its Sustainable Distribution research programme. Information on the research can be found at http://www.thebci.org.uk

    • Topics