Abraham E. Binder MA, ABCP York University Disaster & Emergency Management Program


2 TTX Basics Real Relevant Refreshed Questions

3 TTX Fundamentals

4 Intermediate level For busy leadership teams Not a Walkthrough Not advanced warfare 1-2 hours in duration

5 Scenario Based Exercise Management decision-making Practice making decisions Various levels of stress

6 Tests are Pass/Fail - Graded Tests have a defined outcome Tests show what you know, not what you can do. Exercises find gaps Exercise outcomes are unpredictable Exercises can't be failed, they just display capacity

7 The objective of exercising is to ensure that the Business Continuity Plan arrangements are accurate, relevant and viable under adverse conditions Ensure that employees (including service provider staff) are adequately trained in their respective roles Ensure means check Exercising does not replace Training An exercise should be carefully planned to minimize disruption to business as usual processes.

8 The purpose of the Exercise Programme is to ensure that over a period of time: All information in plans is verified All plans are rehearsed All relevant personnel (including deputies) are exercised

9 The exercise should encompass: all recovery strategies and solutions; all technical and business procedures; recovery of technology and telephony resources availability and relocation of staff Include key recovery decision-makers

10 Enhance decision-making process and capabilities through practice and information gap identification Create awareness of the recovery timelines involved once supporting plans have been invoked Demonstrate the ability to effectively recover business processes and continue business operations during an outage Increase the likelihood of appropriate response to realistic scenarios based on high probability, high impact risks Create an awareness of the arrangements, strategies and business priorities documented within the Crisis Management, Business Continuity and Disaster Recovery plans.

11 Planning Determine scenario(s) Identify roles/responsibilities and resources required Create test scripts - define expected results Communicate to stakeholders Obtain appropriate approvals

12 Facilitator(s) Observer(s) Suppliers of specialist technical resources and services Insurance representatives Emergency Services Security Local Authority Emergency Planning Officer Communications and Public Relations Subject Matter Experts Suppliers of business services/products Outsourced service providers

13 Identify Participants and their Roles and Responsibilities - Recovery Team(s) - Observers/reporters - Time keepers - Auditor/reviewers - Facilitator - Suppliers - Out-sourced Services and Providers

14 Know all the answers! Use an MSEL Be creative Consult with business SMEs

15 Event Phase Description Impacts Expected Actions Do / Don't Pre-Event Media weather reports show that Hurricane Zeke is moving toward Southern Ontario. No impact yet. Event Day 1 Day 3 Hurricane Zeke strikes Toronto. It is a category 3 hurricane with winds up to 130 mph (210 kph). Much of the city has been evacuated, damage is extensive, etc. Storm has abated. Describe damage to the city. TTC and TSX are down Other businesses are up and running, including competitors who were not as badly damaged. TTC and TSX are running. Company building is impacted. Windows are broken and flooding is extensive. Building out of use indefinitely. Extensive structural and water damage. Building closed. Leadership should prepare staff for an outage, ready plans, take any appropriate actions that can be taken. Crisis is Declared. Crisis Teams meet. Need to get damage assessment, etc. Call trees to tell staff to stay home. Declare Business Continuity Event. Activate plans and ASR. Move fully to ASR. What needs to be set up? Contact clients, redirect phones, etc. What documents are required? Don't trigger a plan yet; nothing has happened and the hurricane could miss the building. Don't act before damage assessment is made. Do everything possible to protect staff. Do ensure staff health and safety. Do check plans for most critical work that needs to be done. Monitor competitive position. Report up the chain on status. Receive direction from senior leadership. Murphy Power fails at one ASR site. ASR site is down for several hours. Redirect work, stop work, or other work-around. Week 1 Back to normal for most, still at the ASR location. Per the Murphy. Building remains unavailable. What is required after a week? Do stay in close touch with clients and vendors.

16 No Kvetching! (Assumptions and Artificialities) Outside Communications: TEST TEST TEST Verbally describe all actions Be in the moment Facilitator has the last word

17 How is the exercise conducted? Introduce THEY talk YOU shuttie! Hard to keep quiet when you have the answers Let them talk if they are talking Understand your timing Wrap up Hot-wash

18 Brief Hot-wash Identify what worked well Identify any areas of improvement. Ensure feedback is constructive Participant survey Focus the discussion on areas of known problems to ensure adequate action plans are put in place to resolve these. Any identified areas of improvement should have a corresponding action item defined. Include the lessons learned in the report.

19 Overall test success: include the success criteria established for the test and based on this, the level of success for the test Specific Results: detailed summary of what was tested, and the associated results List any deficiencies found Assign responsibility for carrying out the corrective action Distribute and file in a central repository so that it is readily available to Internal Audit or other staff as needed

20 Base the Scenario in Reality

21 Wouldn't that be fun? CDC did it! But Stick with reality The world is challenging enough Prepare for real threats

22 Practicing for what could happen Making decisions now vs. in a disaster Emergent threats cannot be predicted Every disruption is different Real decisions for real threats Active Shooter good scenario Zombies would ruin it

23 Use your BCM Risk Assessment All aspects of BCM are integrated Risk Assessment informs Recovery Strategies Recovery Strategies drive Plan TTX exercises Plan ISO22313: Societal Security Business Continuity Management Systems

24 Source:

25 Think disasters don't happen to us? Show them Disasters of the Week

26 Ebola vs. Pandemic Terrorist threat Understand the hazard yourself before exercising it If you don't explain it properly, business won't be prepared If you don't know, ask That's what DRIE is for!

27 Know The Organization

28 Know the group Find their pain points How many groups will use the TTX? Build in many challenges e.g. TSX Look at your business area Are there common pains? Talk to your SME Multiple groups together

29 Know the participants What is their knowledge & experience level? Safe discussions (no negativity) but There are wrong answers

30 All TTX sessions should be wins Successful in recovery, don't close the business Build credibility with participants Have them engage and look forward to BCM events Disasters are inherently a bummer

31 Not enough to have it in mind What does the Plan say? If not documented, won't be accomplished Might not be the same people leading in a disaster

32 What are the larger priorities for the organization? Mission statement Leadership messages Intranet messaging Align exercise to larger goals

33 Never Do The Same Show Twice

34 Been there done that Got the tee shirt Some businesses have used the same TTX forever Add complexity HAVE FUN! If you aren't having fun, they aren't having fun!

35 Multimedia Graphics Data get statistics on the disruption Use forums and user groups to ask Social Media Your company name with #fail

36 Take out leadership first Stop the General from giving orders Who is next in line? Affirm Succession Delegate more authority What does the Plan say?

37 Simcells Different rooms Call-ins Call-outs Props! Notes

38 1. Simulate a disruption 2. Subtract resources 3. Subtract leadership 4. Subtract technology 5. Add another disruption (or two) 6. Subtract a vendor or Service Partner (payroll) 7. Impact a major client (or two) 8. Add a competitor's action 9. Indecision (or wrong decision) by CMT or leadership 10. Pandemic 11. Casualties loss of people (HR, EAP, etc.) 12. Mitigation fails 13. WHF impacted (power, water, internet, infrastructure, etc.)

39 Make a competitive game Example: list of what to do compile Example: poker chips

40 Murphy is the sheriff in this town Plan a Murphy Random Murphys Unrelated problems Look for pain points A train wreck does not stop a blizzard!

41 US Homeland Security - Homeland Security Exercise and Evaluation Program DRIE TO, SWO DRI Canada BCI - Canada DRJ BCM Institute - BCMpedia
