designed with participants chosen from senior people in the business lines and countries likely to be affected by a crisis, and supported by the infrastructure departments whose services are likely to be called upon, an exercise of that sort can work wonders. It can shine a powerful spotlight on what could cause a crisis, what could go seriously wrong, and how revenue streams and reputation could evaporate along with the lives and livelihoods of the people for whom the business is accountable.


However, a preliminary exercise is not a substitute for what comes later, that is, plans that build in regular training and rehearsal.


The start point of designing a plan is a business impact analysis (BIA). The BIA is often seen as the province of business continuity management (BCM), but the author’s view is that all parts of the resilience cycle start with a BIA, including a CMP. If protection measures do not reflect the risks faced by the business - all risks, not just ‘security’ risks - then it is hard for security to explain with a straight face why they are there.


This is not the place to describe a BIA, CMP or BCP, or to justify the author’s view that a BCP is best invoked via a CMP. However, here are some outcomes that are often missed:


• Testing and training: these should be written into a CMP, with dates, while still allowing for surprise exercises.


• Public safety: the best exercises include stakeholders, if only as observers, as well as sister organisations, suppliers, distributors, and regulators. A key component is often the public safety services that need to know how you will call on them, and how your plans might conflict with theirs.


• Metrics: preparedness for a crisis relies on data; not just where people are or might go, and which processes might be affected, but also knowing, for example, who has not renewed their plans in line with policy, who has not been trained, or who has not been allocated roles in line with their CMP. A metrics process should capture this data routinely.


• Focus on business-as-usual (BAU) as the final outcome of a CMP: the resilience cycle chart shows security as the pivot, and describes it as BAU and as the start and end state. A CMP needs to deliver and train to that normality, or it will be incomplete.


Exercises


The most important element of an exercise is to have it! Planning is important but there is no need to over-plan. It is better for stakeholders to see the company as it is, dealing with lessons learned, than to have them sit through a staged success. Provided the exercise does not itself become a disaster zone, the stakeholder is drawn into becoming part of the solution.


© CITY SECURITY MAGAZINE – WINTER 2014


If we accept the BS11200 description of a crisis, scenarios can be almost anything provided they challenge decision makers and test plans. If BAU security falls short of the standard’s threshold for a crisis (‘abnormal’, ‘not resolvable through pre-defined plans’), then the scenarios are better selected as an outcome of the risk assessment, and by definition the risk acceptance, process. Otherwise there is nothing wrong with the stalwarts of ‘loss of critical building’, ‘terrorism’, or ‘pandemic’. These three offer different perspectives, and can be channelled in various directions. They also offer stories that are ‘instant’ vs ‘slow burning’, global vs regional and local, or full resilience cycle vs quick return to BAU.


[Resilience cycle chart: Surveys; Policies & Standards; Manuals & Templates; (Re)design Process; Incident Management; Strategic & Tactical: Global, Regional, Local; Exercises and continuation training: TTX & LiveEx, Incident, Crisis, DR, BCM]


Logistics


• CM room for local participants and a control room for TTX controllers and observers.


• Ensure good IT connections and communications.


Table top exercises (TTX)


If forced to choose, live exercises (LivEx) should make way for TTX. Having both is preferable but, staying with BS11200, communication, decision making and coordination of valid responses are crucial to surviving the unexpected, and it is hard to run a LivEx around the extraordinary.


The following is a general guide to a TTX.


Design


• Precede it with a training session (can be e-training or virtual).


• The TTX should focus on decision making, including incident management, CM, BCM, security, and return to BAU.


• Good themes are people, products and processes. Good issues are supply lines, IT and communications.


• Using real CM facilities, participants can work from their own countries; similarly, the TTX can be multi-regional or global, without commensurate escalation of resource.


• Pressure on participants comes from selection of best options, not from volume or speed of activity.


• An example chief scenario might be a build-up to international conflict or disaster, the conflict or disaster itself, and return to normality.


• If there are limited resources or experience, commission a specialist firm to plan and run the TTX entirely or, better, to embed a specialist temporarily in order to understand gaps and requirements, design an exercise around them, and harness the organisation’s resources to run it under supervision. In this way the company’s HR controls the HR elements, the IT controls IT, and the key business lines likewise.


• Consider CCTV / audio so the control room can observe the CM room remotely.


• Have exercise ‘BBC’-type (simulated news media) input into the CM room.


• For people participating remotely, consider WebEx-type links.


Lessons learned


Finally, lessons learned (LL) are vital, and the TTX should build in participant wash-ups and longer-term post-exercise analysis, supported by implementation metrics. Here is a list of common LL:


• Planning and readiness during BAU are essential.


• Develop Company relationships and mutual support inter-country and intra-region.


• Develop relationships between the Company and distributors, manufacturers, and suppliers.


• Include suppliers’ roles in crisis plans, e.g. utilities, security, building restoration, and salvage or restoration of critical resources and documents.


• Include staff welfare, payments, and communications in crisis plans.


• Design effective processes to sustain CM teams; prepare a shift or ‘follow-the-sun’ system. People need to sleep.


• Have prepared crisis management rooms, and alternatives, at regional and country levels.


Especially: have fun.


Richard Lovell-Knight, Director of Risk and Information Services, Pilgrims Group


www.pilgrimsgroup.com




[Figure: The Resilience Cycle – An approach. Labels: Risk assessments, Reviews, Reports, Plans; Crisis Management; Business as usual; Security Management; Business Continuity; Security, CM, BCM Plans; Awareness Training; Process, Risk, Solution Analyses; Disaster Recovery; Business Impact Analyses]

