Usually, business continuity-related exercises are very carefully planned in advance. Those directly involved are generally well aware of the impending events, often having a good idea, if not explicit information, about the timescale as well as the situation to be simulated. The more involved the exercise, and the longer the planning, the greater the leakage of information about it. The rumour mill grinds it out.
There are several good reasons for all that exercise pre-planning:
- Preparing for exercises is also [at least partly] preparing for genuine incidents - a convenient [partial] alignment of objectives
- Planning improves the chances of 'success' - an important factor for those personally charged with overseeing, managing and conducting the exercises
- If they know about it in advance, people and organizations confronted with an exercise scenario are less likely to panic by thinking and reacting as if it is a genuine incident
On the other hand, the pre-planning has its drawbacks too:
- People and organizations naturally focus on and prepare for the specific scenario/s planned, perhaps diverting resources from other aspects of preparedness that might be even more important/urgent
- A pre-planned and anticipated exercise removes a substantial element of the uncertainty that occurs in real incidents, the uncertainty that raises questions such as "Is this an incident?", "What's going on?", "How serious is this?" and "Am I the only person who knows about this?"
- "Success" in an exercise is not quite the same as "success" in a genuine incident - generally speaking, the stakes and hence the stresses are much higher, pushing systems, processes, individuals, organizations and communities to and in some cases beyond their breaking points, something that most exercises studiously avoid. It is conceivable for organizations to become highly accomplished at exercises, yet hopeless in actual incidents.
- There may be adverse effects on operations if exercises go wrong, despite all the efforts to minimise the risks, whereas there certainly will be adverse effects in the case of actual incidents, especially those severe enough to warrant all this preparation, planning, exercising and so on. One consequence of this is that exercises tend to last a few hours or days at most, maybe a further few weeks for the wash-up meetings, reporting and note-taking for the next run. Genuine incidents typically last for weeks or months, with business and personal impacts that can easily last a year or more.
So, with that in mind, it is worth considering whether business continuity exercises are sufficient, in fact, in terms of both preventing or ameliorating incidents and gaining assurance that the arrangements will work properly when required for real.
I'll have more to say about this tomorrow, providing nothing disastrous happens in the meantime.