Tuesday, June 5, 2012

HOW TO EXERCISE YOUR CRISIS MANAGEMENT TEAM By Chris MacArthur, CBCP, MBCI.


The new chief information officer summoned two executives and me, the BCP coordinator, to his office to be briefed on our business continuity management program. As we reviewed the latest executive dashboard report, I could sense his growing impatience. Finally he blurted out that while he appreciated the update, he really needed to know what exactly to do if disaster struck one of our data centers.

Is your crisis management team (CMT) ready for the unexpected? Do you feel comfortable that they know exactly what to do in a disaster situation? Don’t fall into the trap of assuming that just because they are executives they will be able to ‘figure it out.’ As we all know, a disaster is not the time to think about what to do next. Now is the time to take steps to improve your organization’s readiness to respond to a disaster while boosting the credibility of your plans and organization.

Key benefits:

There are several key benefits that your CMT as well as your organization will realize by investing the time to practice what to do in the event of a disaster:

- Improve confidence in knowing exactly what to do. By facilitating a well-planned exercise, you give the CMT more experience and knowledge about how they should respond in a disaster scenario.

- Save valuable time and effort. In a serious medical emergency there is said to be a ‘golden hour’: a brief window of time, often sixty minutes, following an injury in which critically injured patients have a higher chance of being saved if they receive prompt medical treatment. Based on my personal experience, if your senior management are familiar with the pre-defined protocols to follow within the first 60 minutes of a disaster being declared, then a more favourable outcome is more likely to be achieved. Precious time will be saved if they are provided with awareness and training on how to respond.

- Provide knowledge on the appropriate response actions to take. During a crisis management readiness exercise your executive team will acquire more knowledge of the response action steps they may need to take when faced with a disaster. This may help to reduce the severity of the crisis, as some confusion would be alleviated.

Let’s now explore concrete ideas to help you improve the readiness of your CMT. Although there are many choices available, I would like to recommend a table top exercise. This type of exercise is low in cost, is highly effective at finding errors, and will contribute to your executives’ ability to respond more quickly and effectively in a non-threatening environment. Let’s explore some steps to consider to help you develop this type of exercise.

CMT table top exercise design

As you begin to design your CMT readiness exercise, treat this like a project. This means you will need clear objectives, scope, timeline, budget, top management support, and stakeholder involvement. Although the actual table top exercise should last about two-three hours, there are many hours of preparation needed to ensure you will have a successful outcome.

Here is an outline to assist you:
- Obtain support and commitment from senior management. I recommend you develop a clearly worded memo to the CMT stating the purpose of the exercise, the benefits, and expected outcomes. Don’t forget to include the budget required (e.g. catering costs, travel for out of town participants, meeting room costs, etc.), and the date and time duration of the exercise. Due to the amount of advance planning required, aim for an exercise date at least two months away. Prior to sending the memo, verify that there are no other conflicting events which may prevent the majority of your CMT members from participating. Although this may be a challenge, each CMT member should have a pre-designated back-up person. If the primary isn’t available then the back-up person should be invited to participate.

- Scope and objectives. Considering our data center example, you will need to form a working group comprised of stakeholders from the data center, a CMT member (alternate member is suggested), communications, operations, and other groups as required. 

- Craft a memo inviting your stakeholders to the working group meeting. Once again you will need to articulate the purpose, benefits, time commitment, and expected outcome of the exercise. In regard to the time required, state that there will be a need to meet bi-weekly for about one to two hours for the next two months. Experience has also shown that if this stakeholder memo were to be sent from an executive sponsor it may have more impact. Doing this clearly demonstrates top management support and it will influence your stakeholders.

- Develop key issues to focus on in the table top exercise. When engaging stakeholders, consider using open ended questions to get the discussions flowing. This should help you to identify some common areas of concern. Review any prior documentation that may help you better understand how your CMT responded to previous business interruption events. Obtain agreement from key stakeholders on the key issue(s) that need to be focused on in the exercise. For example: All CMT members need to clearly understand their roles and responsibilities in determining whether or not to invoke affected disaster recovery plans.

- Identify exercise objectives. Once you have agreement on the issues, engage your stakeholders in discussions to set two-three exercise objectives. Some possibilities are:
  • create awareness of the protocol to follow in a disaster situation;
  • validate the completeness of the CMT guideline package.

- Scenario development. Involve the working group members in developing a scenario and in selecting a triggering event. One possible source could be the results of a recent BIA. Should your BIA not be up to date or not yet finalized, you may consider facilitating a discussion with the working group to reach a common understanding of the threat landscape. This conversation would need to identify threats and risks, list the internal and external risks, categorize the probability of occurrence and impact, and identify current mitigation strategies and controls that are in place.

- Once this information has been documented, it may be helpful to complete a risk and vulnerability assessment. As you know, this requires reviewing the data you have compiled and classifying and assigning a weighting factor to the risks and vulnerability of the data center. This information will be included in your table top scenario, and will also aid the team immensely in risk mitigation for the data center.

- The final step is to prioritize the threats and vulnerabilities based on the weighting factor. I suggest that you consider a matrix to make this information more visual. Please note that during the table top exercise the CMT members will be asked to also review, validate, and prioritize this information.

- Prepare a crisis response team guideline package which participants would refer to during the exercise. Some points to consider in this guide include:
  • Word document table which consists of a timeline and associated description of actions to take in a disaster. (See below for an example.)
  • Complete contact information for the executive team (don't forget this must also include contact information of a designated back up). The contact information should include not only work and number numbers but also up-to-date Blackberry PIN numbers in the event that the voice network is congested.
  • Conference bridge number reserved exclusively for the CMT;
  • Primary and secondary meeting location that includes the tools the team will need (e.g. white board, conference phone, spare cell phone chargers, LAN connection, laptop and projector).

You now have all of the ingredients necessary to deliver an effective table top exercise which should last no more than two to three hours.

In conclusion, a well-planned crisis management team table top exercise can significantly improve the readiness of your executive team. They will be better equipped to make informed decisions while the clock is ticking. There is no question this will also raise awareness on the strategic value of the business continuity management program and boost the credibility of your plans and your organisation.

Sample CMT Quick Reference Guide


Time | Description

0:00 | Disaster Event
Key trigger issues that would lead to activation of the BCP or DRP are:
  • Total loss of all communications
  • Total loss of power
  • Flooding of the premises
  • Loss of the building

< 30 minutes | The CIO may be contacted by either the Departmental Security Officer, the BCP Coordinator, or by a Data Center Manager that a disaster has occurred

< 60 minutes | CIO informs CMT members of disaster event and establishes communication protocol (e-mail, teleconference, in person)

1 hour 30 minutes | CMT convenes and is presented with situation details and impacts from:
  • DSO
  • Data Center Manager
  • BCP Coordinator
There are three possible options:
    • Stand down.
      • Follow pre-defined BCP procedures
    • Stand by and wait for further details
      • Follow pre-defined BCP procedures
      • Meet in an agreed time to review situation.
    • BCP invoked
      • Follow pre-defined communications packages
      • BCP Co-ordinator will inform BCP owner and responsible senior manager to action BCP
      • BCP owner instructs the Disaster Recovery Team to activate the Disaster Recovery plan and follow the pre-defined Disaster Recovery steps and procedures.
      • BCP owner updates the CMT at the completion of each major phase of the DR plan (respond, recover, resume, restore at home site).
      • Disaster has ended; CMT de-activates DRP



Author: Chris MacArthur is the IT-Business Continuity Lead for a large department in the Government of Canada. During the past six years he has played a lead role in evolving business continuity from a reactive to a proactive business model. He is often seen as the 'go to' person for providing business continuity advice and guidance. He is a certified business continuity professional (CBCP, MBCI) and is familiar with all aspects of business continuity and disaster recovery planning. cmacarthur@rogers.com
