Governance Risk Awareness. Plans Procedures Facilities. Resilience Adaptability Culture

Transcription

1 Exercise Checklists Governance Risk Awareness People Capability Skills Drills Tabletops Simulations Live exercises January 2015 Resilience Adaptability Culture Plans Procedures Facilities Response Mitigation Opportunity Awareness

2 CONTENT Summary Checklist 1. Preparation for Exercises Exercise Format Checklist 2. Exercise Conduct Checklist 3. Exercise Analysis and Close Exercise Strategy Capability and Confidence Making Exercises Real SUMMARY Corpress LLP helps you get the best from your exercise programmes. We recognize the investment of time and resources required to create meaningful simulations and scenarios, the importance of accuracy and reality and the need to provide maximum benefit to the participating managers and executives. In response to conversations with clients we have introduced a number of new ideas and approaches to exercises and simulations, which are designed to engage senior executives, reduce development time and maximize engagement across the business. ü Executive immersive sessions; o time focused simulation exercises with intellectual challenge and defined objectives. ü Access to an issues and risk library; o allowing scenario development and realism to be achieved at lower costs. ü Engaging with staff; o through pre and post communications programmes. ü Linking capability and confidence; o through defined learning objectives Corpress partners offer a wealth of experience to help you develop, run and observe exercises. Allowing you to explore the full potential from simple desktop environments to full immersive simulations. We tailor the service to meet your needs. ü We develop exercises in line with established standards. ü Our exercises are designed to meet your objectives including the provision of individual and team training, demonstration of capability and understanding of risk impacts. ü We offer individual and team training in advance of an exercise to ensure participants are confident of their individual role and process to be followed. ü Our objective is to develop exercises that deliver value to our clients. Hundreds of successful exercises run by the Partners across all industry sectors Including some of the worlds largest commercial exercises Full spectrum of risks from cyber through legal to HR, continuity, security and physical incidents Interfacing with regulators, investors, media Exercises for training and awareness Exercises for testing plans and procedures Exercises for checking capability and capacity Executive team facilitation Crisis Leadership

3 Checklist 1. Preparation for Exercises The following checklist uses PD 25666:2010 and ISO as the basis for the key components of exercises, it also contains observations and points noted by Corpress partners who have extensive experience of running exercises., which means that it extends beyond the scope of the BSI and ISO documents but we hope benefits from this. Corpress has experience of preparing exercises across all business sectors, geographies and scale; covering local and global, small to exceedingly large, in both simple and complex settings, for training and testing purposes. The BSI document suggests that: exercises should, over time, seek to validate in full any continuity or contingency capability. It also contains the warning that a less demanding exercise scenario might not provide an accurate level of validation of the plans. Phase Component Element Corpress Comment Preparation Objectives Clarity over the exercise directives - Is the requirement for training or exercises? - What will be gained by running an exercise? - Who should participate? - What facilities need to be used? - What plans are to be used? - Are the plans up to date? - Check if the people involved have sufficient knowledge and experience to get the most out of the exercise proposed Programme Long term programme - Ensure it benefits the business - Aim to improve the competence and confidence of people progressively through the programme - Develop exercise specific elements which target the incident response capabilities to ensure that these work as expected - Promote the integration of incident response elements into a combined response - Identify any necessary improvements to the contingency or continuity strategy and response arrangements - Ensure a close linkage with the risk registers

4 Phase Component Element Corpress Comment - Don t ignore strategically important projects - Maintain a record of the programme, its objectives, deliverables and remedial actions Preparation Planning Risk, issues and impacts - Examine objectives against the wider business case - Look for opportunities to build storylines around current risks and issues - Identify stakeholders Planning Constraints - Analyse what the constraints are for running an exercise o Management commitment o Resources o Time - Recognise which constraints can be overcome Planning Budget - What are the financial constraints on exercising? o Better to conduct training in advance to ensure value from expenditure on a major exercise o Look at a 3 year budget for exercising to get maximum value from investment. Planning Select the method - Consider: o Drills o Workshops and seminars o Tabletops o Simulation o Live play Planning Scenario, storyline and documentation - The following points are captured from Corpress experience: o Does the storyline which describes the event and the implications, feel relevant and possible? o Has the storyline been used to create a detailed scenario? Note: there is a high level link with the scenario but the scenario is more complex o Has the storyline been analysed to identify the full range of issues, risks and impacts which could arise from the event?

5 Phase Component Element Corpress Comment o o o Have the needs and expectations of all stakeholders been taken in to account? Is the supporting documentation comprehensive? Have training modules been prepared for role players and observers? Communication Embedding knowledge - Now is the time to start communicating with the business; use the opportunity to raise awareness, discuss issues and focus attention on business objectives. o Communicate across the business not just with those involved in the exercise Preparation Risk Security and safety Preparation Procedure Exercise Conduct - Has an assessment been conducted of the impact of conducting an exercise to identify: o The exposure of people? o If facilities or assets could be harmed? o How reputation could be damaged? o If sensitive information could be released, damaged or lost? - How sensitive is the information contained in the scenario and have precautions been taken to control such information? - Appoint Exercise conduct roles: o Director o Controller o Observers o Umpires

6 Exercise format Selection of the most suitable format for an exercise must take into account a range of factors: The target audience Maturity of the participating team(s) Exercise objectives and cost Available resources, including time of key personnel Security, safety and risk considerations Corpress LLP will advise on the most suitable format to meet your objectives. Potential formats are illustrated opposite. Corpress LLP Background Corpress LLP services range from consultancy on crisis, business continuity, risk and resilience, through learning and capability development, to bespoke corporate exercises. We create tailored solutions designed to develop resilience and protect organisations. Exercise Type Complexity Exercise Process Variants Good Practice Frequency Simple Desk Check Review /challenge BCP Desk top exercises to understand emerging risks Medium Complex Walk through Simulation IT DR Live exercise with multiple teams Exercise Complexity Challenge BCP Familiarise users Test single components Proof of capability Scenario plus real time responses Integrate with other agencies Depts or single capability Eg callout Focus can change during the exercise from Incident response through business recovery to crisis management Frequent exercises to maintain familiarity. Programme over period of time to test every component and train teams Every 2-3 years. Ultimate demonstration of capability Our focus is the strategic integration of governance and risk management with real time business processes. We achieve this by placing a priority on people; our firm belief is that effective systems, policies and procedures are there to support highly capable individuals and teams. Simulation and exercise programmes deliver enhanced response capability but also form a key part of risk communication, governance and organisational resilience.

7 Checklist 2. Exercise Conduct Phase Component Element Corpress Comment Exercise Conduct Documentation Quality - Check accuracy of information - Ensure good document control - Ensure if appropriate that: o All role players have been briefed and provided with scripts and injects o Multi- media material is available o Instructions have been issued to control staff o Security arrangements for information control have been checked - Make it real Final check Control - Have exercise briefings been prepared for role- players, controllers, observers and umpires? - Final check on safety and security issues and communications at locations - Check access for role players, observers and participants - What controls are in place for third parties who are likely to become aware of the exercise (own staff, outsiders or media)? - Review briefing material for all participants on the exercise communications protocols and processes - Ensure arrangements are in place for suspending or stopping the exercise to respond to real life events - Are records maintained of the content of the briefing and the details of all participants and stakeholders who receive/attend the pre- exercise briefings? - Ensure all key personnel are aware of how the exercise will start - Check all communication links - Check points of exposure between exercise and real life are monitored Exercise Conduct Observation Coordination - Ensure observers are trained and competent in their role

8 Phase Component Element Corpress Comment - Check the instructions for observation of the exercise - Review the timeline and injects for agreed trigger points and actions and check these have been met - Prepare additional inputs to reinforce the scenario if required to ensure objectives will be met - As appropriate monitor and record actions, activities, decisions, facilities and human factors etc. - Ensure arrangements are in place for the Exercise Director to maintain contact with exercise controllers and observers during the exercise Simulation and exercise programmes deliver enhanced response capability but also form a key part of risk communication, governance and organisational resilience. Corpress LLP scenarios have addressed: Cyber security Whistleblowers Floods Building collapse IT software failures IT Hardware failures Loss of critical suppliers Utility failures Media, Public affairs NGO pressure Financial losses Fraud Human rights Liquidity Relatives Response Explosions Terrorism Strikes CSR Disease Community and social issues Anti trust legislation Regulator action Environmental incident Product recall Bribery and corruption

9 Checklist 3. Exercise Analysis and Close Phase Component Element Corpress Comment Analysis Administration Information - Ensure an accurate record is kept of all participants in the exercise - Gather all documents, photographs and electronic references - Implement a secure policy for retaining/disposing of sensitive documents Feedback Assessment - Gather observations from the participants as soon as practicable - Request observers to submit reports - Interview role players and collate their records - Create a timeline against the scenario - Check for exercise irregularities - Match actions and decisions with communications - Assess timelines - Review impacts, issues and decisions taken against the timeline - Check for actions and process against procedures - Review the use of procedures - Check how effective facilities were Close Documentation Report - Create exercise report - Communicate with key stakeholders - Communicate internally - Plan next exercise Action Plan - Prepare an action plan - Capture feedback on live issues and risks and share with compliance and risk department.

10 Phase Component Element Corpress Comment Reminder Exercise documentation can be discoverable in legal cases and may be subject to review by regulators. They need to be controlled documents. Exercise strategy Achieving a successful response to any incident or emerging or potential issue depends on having in place a response structure and procedures which have been exercised to validate the plans and to familiarise all potential response team members with the process to follow. Exercising can follow a range of formats; choosing the most appropriate depends on the objectives of the exercise, the scale of the potential risks facing the organisation and the resources available to support the exercise programme including time and funding. Corpress LLP consultants have wide experience of developing and conducting exercises in a wide range of business sectors. Exercise design in line with the model illustrated here is straightforward. Delivering a successful exercise which meets the objectives however does benefit from previous experience to recognise and manage the challenges and deliver value for money.

11 Capability and Confidence Alongside the testing of plans and facilities, exercises provide tremendously strong learning environments where the experiences, the practice and the skills learnt build the competence and capability of individuals and teams. Not only when implementing a response to Developing realistic scenarios, based on the organisation s risk profile and using current exposures, allows the lessons learnt during the exercises to be instantly translated back to the work place. To achieve this means that care must be taken to ensure the learning objectives tie in with staff development and that the scenarios are realistic and training/exercise environments provide the opportunity for experiential learning. Our approach of reinforcing learning through communications before, during and immediately after the exercises helps to embed the knowledge, ensure engagement with risks and reinforce the organisations compliance with regulatory, governance or internal standards. We offer a well established approach to exercise design and delivery which aligns with established standards ISO and BSi PD which give guidance on exercise and testing. Working with your team Corpress Consultants will develop a detailed project plan to deliver the exercise in line with your objectives. Making the exercises real an incident or continuity based events but in day- to- day business. Our approach delivers the link between exercises, training and staff development to achieve the maximum benefits from your investment. Knowing how to effectively handle problems, to manage risks and to work in challenging circumstances is a key component of staff development. It is important that the exercise creates the right environment for learning the right lessons. Who knows, tomorrow you could be faced with a very similar set of circumstances and problems and the last thing you want is a response based on false lessons gained from ineffective past exercises. Our approach is to ensure the scenario feels realistic. We recognise that in the real world nothing works perfectly so use this to build in a random element, which engages participants. When appropriate and possible we use live inputs delivered by role players who understand

12 the input and can answer questions confidently. We prepare additional inputs to guide the response team towards a full appreciation of potential impacts of events to the organisation. Working with you we tailor the exercise to meet the objectives: Team training? o Requires a progressive programme of different styles of exercises which allows time for team members, and nominated deputies, to learn their individual roles, understand the process and recovery capabilities available, work out their departmental strategy. o The exercise is preceded by briefings/training for team members to give them individual confidence. A rehearsal of a specific recovery strategy? o A technical exercise to test a capability probably assessable as success or failure. o Also requires a progressive programme to move from detailed testing to a large scale exercise to prove that the recovery strategy does scale up to protect the business. o Audience is both the participants and the external stakeholders regulators, customers and suppliers. Designed to challenge the ability to recover when faced by emerging threats? o This is about making the response and recovery capability real. o Work with risk to identify potential scenarios relevant to the organisation, which means the scenario is on the risk horizon with a level of impact that engages executive thinking. o Output is new areas of work to provide continuity management for emerging risks; better understanding of impacts which feeds back into the risk profile; senior management engagement because the outcome is relevant to their current concerns.

13 For more details on Corpress programmes including training, exercises and workshops please visit our web site at or us on David Evans Lynne Donaldson Duncan Ford EXERCISE Design and Development Course Make it Real For details: