Challenges we often see:
Culture of being tested
Participants can be wary about taking part in an exercise due to a fear that they will need to ‘perform’. This can lead to a lower level of engagement in exercise planning and preparation, and participants won’t fully engage in the exercise. Ultimately, it’s a missed opportunity and you won’t achieve your initial exercise goals.
Same old scenarios
Scenarios can become tedious after a while because it’s easy to reuse the same old scenarios that help you explore the top threats on your risk register. This repetition is often due to a lack of imagination, but also because experts are not directly involved. These risks can seem to go through thematic cycles. Not so long ago, every exercise was terrorism related, now we see the same awareness for cyber-attacks. It’s good to take these topical risks head on, but we need to freshen them up and bring a new approach.
Assumption of resources
A lot of exercises take place that involve decision making, but these are made based on information provided to participants on the day. This means that when the exercise presents a particular problem, such as an office building being completely flooded, the response may be that teams will move to remote working. In reality, it takes several hours for people to travel home and get set up at a new location. With this assumption of resources or scenario, what at first seems like straightforward continuity can, in a real-life situation, be more disruptive than it appears.
We often see exercises where participants are able to make decisions or respond to the scenario without any significant challenge. For example, a Crisis Management Team conducting a desktop exercise where they make decisions to ‘shut down this’ or ‘halt production’. Whatever the decision, if there is no dialogue with the appropriate experts to challenge the implications and consequences of a particular decision, then how can useful real-world lessons be identified?
‘Not another exercise!!’
In some organisations, the level of testing and exercising only meetsthe requirements laid down in the business continuity policy. However, too many of the same people are required to be in all of the small desktop exercises, leading to ‘exercise fatigue’. This can come down to a lack of interest, resources, or know-how from the organisation to deliver a large-scale exercise which could see multiple scenarios tested and challenged as part of one single, holistic exercise.
No real objectives and a lack of measurability
Exercises typically come with some key objectives or desired final outcomes, but often these will be to simply ‘test the ability to respond to a given scenario’. Objectives that have no related measurements can leave organisations without a clear picture of success or understanding of how they can improve moving forward. So, the key here is measurability.