Dry Run Brings Plan to Life

May 1, 2004
/ Print / Reprints /
/ Text Size+
Maintaining and implementing business continuity plans include planning and coordinating certain plan exercises, and evaluating and documenting their results.

Why are plan exercises important?

For survival, every organization should develop processes to maintain the continuity capabilities and ensure that the plan remains in alignment with the organization’s strategic vision and tactical direction.

Also, if a disaster or crisis occurs that suddenly activates the business continuity plan, employees must be ready to effectively and efficiently implement it. Having an approved plan in place, and even having employees trained in carrying it out, is only two-thirds of the essential preparation process. Real scenario-based testing through planned exercises truly brings the process to life and engages everyone in it.

Exercises also will uncover potential gaps in the implementation plan and determine if certain functions needed to carry it out are understaffed. This will be apparent during scenario-based testing, and could indicate a need to assign more people to certain areas. The exercises also will reveal whether some employees not equipped to handle their assigned functions Further training in these areas can be conducted or people can be reassigned as needed to match talents with functions.

Security managers should pay special attention to any communication gaps that might exist between certain areas during the exercise. It’s better to learn about these problems now than when an actual disaster or crisis occurs.

Once the scenario-based testing exercise has been completed and evaluated, the manager should develop an exercise strategy that does not put the organization at risk. It should be practical, cost-effective and appropriate to the organization. It should approximate the types of incidents that the organization is likely to experience and the problems associated with these incidents. An exercise based on a highly unlikely set of circumstances may not engender the best level of interest and commitment of employees – they could see it as a waste of time. However, a good scenario choice can serve to motivate employees and gain their highest level of commitment to the process.

The exercise should be mapped out in a logical, structured approach and the same set of information communicated to all participants. If assumptions about certain aspects of the simulated problem are to be made, these must be stated clearly so that all participants understand them. The amount of information delivered at the start of the exercise must be reasonable, so that participants will be able to remember it and act on it when necessary.

Exercise types

Several different types of exercises can be employed, including:

  • Walkthroughs/tabletop exercises
  • Simulations
  • Modular/component xercises (call trees, applications, etc.)
  • Functional exercises (specific lines of business)
  • Announced/planned exercises
  • Unannounced/surprise exercises

Exercise evaluation criteria also need to be carefully developed before the exercise begins and aligned with the exercise objectives and scope. These will include both qualitative and quantitative results to be measured. Criteria should cover expected versus actual results and unexpected results.

These results should be compiled into a cogent, comprehensive summary with recommendations for possible improvements and adjustments to the business continuity plan.

Debriefing sessions with participants will provide opportunities to review exercise results and identify action items. Time schedules for completing these items also should be established.

A final bit of advice on planning exercises: start small. With all of the considerations outlined above, conducting a successful exercise and gaining the necessary actionable feedback is not an easy process.

For all of these reasons and more, it is vital that each exercise conducted be considered a success – by both the business continuity planning team and the exercise participants. Small exercises have a greater probability of success, so begin with a walkthrough/tabletop exercise and progress to full-scale simulations and real-time testing later.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security December 2014 issue cover

2014 December

This issue of Security Magazine covers our 12th annual Top Guarding Firms list. Check out the best of the best as of December 2014. The 21st century has brought with it new types of security threats. Read how to combat and protect against these threats.

Table Of Contents Subscribe

Security Emergency Preparedness Training

Which security personnel emergency preparedness training is the top priority to you and your enterprise?
View Results Poll Archive


CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.