April 2022 - ChooseTCS

Chapter 4 – Exercise Plans and After-Action Reports

Well, this feels a bit like saying, “Goodbye!” to an old friend. It’s hard to believe we are seven weeks into this BCP series. Hopefully, at least, when you decide to tackle this for your organization this effort will help you develop an effective business continuity plan.

Part 7 covers exercising (working out) your plans and documenting the good, the bad, and the ugly…also known as the After-Action Report (AAR). Anyone who has followed my posts for a while should expect Clint Eastwood films to show up from time to time, especially the Westerns. Okay, where were we? Finding the weak points in our plan is a success if we can incorporate our learning into making the plan better. Since we are now nearly 82% complete according to the Business Continuity Plan Generator, let’s wrap things up in this final session.

4.1 Business Continuity Plan Exercise Methodology

Borrowing straight from the app, we find four methods that can be sued to validate our plan:

Tabletop Exercise – key personnel discussing simulated scenarios in an informal setting.
Functional Exercise – simulates the reality of operations in a functional area by presenting complex and realistic problems.
Full Scale Exercise – real operations in multiple functional areas present complex and realistic problems that require critical thinking, rapid problem solving, and effective responses by trained personnel.
Drill – coordinated, supervised activity usually used to test a single specific operation or function.

Starting out, the Tabletop method will be the easier to implement. The goal should be to increase the cadence and rigor of your tests over time. You will want to mix up scenarios and test different department functions and roles under a variety of conditions. Be sure to schedule this with your IT and other supporting vendors or partners, if necessary, to ensure full participation. Our vendor for BCDR backups and cloud virtualization want advanced notice of the drill although, if pressed, they do accommodate “spinning up” the virtual servers in the cloud environment with short notice if it comes to that. Maybe that’s a better measure of their true capabilities (hint, hint)?

4.2 Exercise Objectives

This section documents the desired objectives of your test. And these goals should be SMART:

Further, per the Plan Generator guidance, you want your objects, at a minimum, to accomplish the following:

Determine the state of readiness of your BCP by creating a learning environment for all participants to learn about the plan.
Validate the BCP resource lists — people and inventories are sufficient to effect recovery of business operations and/or IT services as appropriate. Document changes and updates (including omissions) to the BCP.
Verify the information in the BCP is current and accurately reflects the organization’s requirements.

There is a table to enter these or other objectives to document what we expect to get out of our AARs. Additional guidance is given to have separate tests for the IT staff and assessing technical capabilities and another for the end-users who will not benefit from being in the middle of a technical drill.

Section 4.2 also outlines a timeline of tasks occurring as early as 90 days prior to the test and covers post-exercise steps. Something like a Tabletop review will be much less formal.

4.3 Developing the Exercise Scenario

Here is where we develop actual testing scenarios. A fun way to do this might be to write up many different scenarios ahead of time and then pick one at random for the test. You will want these to be somewhat within the realm of possibility and not always going for the Black Swan event like “An asteroid hit the city and there is no human life left within 100 miles of the crater.” While exciting to discuss, the AAR is likely to be brief with little actionable takeaways.

4.4 Exercise Evaluation

The written evaluation of an exercise is most commonly referred to as the After-Action Report (AAR). This section provides a template for how the report should be written. The key to a successful test is to have clear (read: SMART) objectives, a rigorous testing scenario, and document every minute detail that could be useful to inform what went to plan and what things need additional work. The goal should be to learn something actionable, otherwise the inputs to the test likely need adjusting, ie: scope, depth, and rigor. If, despite raising the bar each time, you are not finding failure points, it just might be a sign your business continuity capabilities are robust and hold up under pressure. But I would be skeptical of this notion, at least.

Decide who should be copied on the AARs and distribute the report accordingly. If there are action steps coming from the AAR, be sure you define “who, does what, and by when”. And that needs to be a person accountable to the task, even if this involves delegating to others. The adage remains true, “If everyone is responsible, no one is.”

4.5 Exercise Reports

Last, but not least, section 4.5 provides a table where we can record the Test Number, Date, Exercise Type, and Plan Area Exercised. A copy of each AAR associated with the documented test should be added to the electronic and physical copies of the plan.

Wrapping Up and Changing Gears

If you have followed along for the past seven articles, you have a good idea of what it takes to develop your own business continuity plan. If you have done the work through each step of the way, all the better and now pat yourself (and your team) on the back.

So what? Now what? First, do not underestimate the strategic importance of having this plan in place. It’s hard work at first but will get easier over time. And when the worst happens, the plan will pay huge dividends, possibly being the one thing that saves your company. Okay, let’s all take a deep breath before I say – But wait…there’s more! Next week we will shift gears from business continuity to disaster recovery. To build your Disaster Recovery Plan, we will leverage the second half of the tool and TCS will walk you through all of the steps just like we have done here.

Until next time, I think we should spike the football, have a victory dance, or engage in any other celebration of choice for getting to this point. Kudos from the team here at TCS! We would love to hear your success stories or help you along this journey, so don’t hesitate to give us a ring if we can help. TTFN!

Chapter 3 – Plan Administration and Maintenance

Folks, we are in the home stretch now. Our BCP app fun meter shows we are roughly 2/3rds of the way to spiking the football on our plan. Let’s take a minute to reflect on the journey so far. In Chapter 1 we defined the scope, policy, initial assumptions, and objectives to set the rails for our plan. From there, we performed a risk assessment and business impact analysis. After that we were able to clarify our business continuity strategy and start to organize our plan based on the roles in our organizational chart and physical facilities.

Chapter 2 had use identify and document our teams, outline essential tasks and actions during a crisis, and compile lists of key contacts and mission-critical equipment, software, and supplies. As a result of the work thus far, we have a plan and we know what we know and what we need. This should inform how we stage or maintain ready access to the minimum items and information required to sustain business operations. Now we will shift gears into the administration and maintenance of the plan. This part is what will make the difference between an old dusty binder on the shelf versus a living and active process that is strategic to the health and sustainability of the organization when the worst happens.

In the first section of Chapter 3 we define the high-level guidance to govern the actions of the Business Continuity Team Leads (non-Service management in our case). We adopted the sample text in our case with slight modifications. Specifically for TCS, we will not need an alternate recovery site as our work from home process is sufficient to maintain operations through the recovery period. A key recommendation is, “The most successful planning teams are limited in size, have a formal membership, regularly scheduled meetings, and members are designated in writing.” Since we use EOS as our management framework, we can incorporate the ongoing maintenance of our plan into our quarterly planning sessions which will support turning identified “Issues” into quarterly goals (“Rocks”) or shorter term action items (“To Dos”). This provides the linkage we need to bake this into our ongoing process and meetings to give the plan its proper attention and focus.

3.1 Functional Teams Responsibilities

In this section we define pre and post-disaster responsibilities. Pre-disaster items include areas like: awareness and training, evacuation drills, and developing alternate site capabilities. We do not want an actual disaster to be the first time we have thought about these things. General George Patton said, “You fight like you train.” Another sentiment expressed by one-time professor at the Royal Academy of Music, Harold Craxton stresses, “Amateurs [musicians] practice until they can get it right; professionals practice until they can’t get it wrong” Pick your inspiration, but the point remains – we need to pay more than lip service to the preparation and practice of our plan in order to expect it to pay dividends when we put it into action.

3.2 Business Continuity Plan Administration

In this section we define who is responsible for developing training materials and how often training and drills will be conducted. Your mileage may vary, but we opted for annual training and biannual drills. The reality for TCS is working remotely is so engrained into our normal process, and our systems are mostly cloud hosted, that we routinely operate in a similar manner as we would in a business continuity situation. This allows the main thing, Service delivery, to be somewhat assumed and frees management to focus on communication, coordination, and recovery which significantly enhances the capabilities of our small management team by not spending vital energy fixing operations to support Service. The other benefit is our clients will be less impacted by an event affecting TCS and we don’t want to minimize the importance of that.

3.3 BCP Awareness & Training

Here we will outline the annual events and supporting documentation for our ongoing awareness and training. To not reinvent the wheel, the guidance provided in the app is solid: “Employee newsletters are a great tool to keep awareness high in between annual events. They are also the perfect venue to remind employees about seasonal hazards like severe winter storms, flooding, hurricanes, tornadoes, etc. Helping to keep your employees personally prepared and resilient will help the company be more resilient as well. The Federal Emergency Management Agency (FEMA) has an excellent Web site: http://www.ready.gov that provides free resources for both personal and business preparedness. In addition, FEMA is the executive agent for the Department of Homeland Security’s National Readiness Month in September of each year. This is a great time to work with local emergency response agencies to give special presentations that focus on personal and business readiness.”

Having a folder content ready to go for employee onboarding, quarterly employee emails, and annual training we ensure you can easily maintain the ongoing effort without much hassle. These resources can be found online, as mentioned above, so download some posters, graphics for emails, and pdf one-page handouts and you should be set. Don’t spend time developing anything you can find free on the web.

3.4 Exercising (Testing) the BCP

This section is straightforward and simply documents the date, type of exercise, purpose, and participants of each BCP test. This can be a “Table Top” test where you verbally talk through a scenario and discuss how your plan would apply, noting any deficiencies. On the other end of the spectrum you can do a full live BC drill where you will operate in the same manner as if a disaster actually occurred. These routine tests will help pressure test your plans and find areas where improvement is needed. I have conducted a number of BCP tests for clients and have written After-Action Reports (AARs) to document the good, the bad, and the ugly. This is good to do on an annual basis and this is a requirement for some of our regulated clients. Feedback from testing will help inform necessary improvements your plan and capabilities to better support the organization in a real disaster.

3.5 Business Continuity Plan Maintenance

Very simple – document the revision history of your plan along with a brief summary of changes to the plan. Nothing more to do or add here.

3.6 Business Continuity Plan Approvals

Much like section 3.5, this is a straightforward, but essential step – someone in senior management needs to sign-off on each revision of the plan.

At this point we have a Business Continuity Plan, we have documented the supporting details to execute the plan, and have incorporated the ongoing administration and maintenance of your plan into your strategic business management process. We have a way to train, test, and update the plan. Next week we will take a deeper dive into exercising our plans and producing after-action reports. TTFN!

Business Continuity Part 7