In prior articles in this series, we explored the first three steps of the High Alert Institute’s four-step approach to disaster/business continuity risk assessment, planning, mitigation, training, and evaluation:
Step 1: Collate an All-Hazards list of planning scenarios
Step 2: Use free government software to help you identify risks, mitigations, and write your plan
Step 3: Set up mutual aid relationships with your staff and vendors
This final article in the series explores Step 4: Conduct disaster exercises and after-action reviews.
The most accurate test of operational business resilience, and that of greatest risk, is through the experience of an actual disaster. Well-planned, well-executed, and well-reviewed disaster exercises, however, can provide most if not all of the same lessons. As a result, simulated disaster responses can lead to plan improvements without the inherent risks and business interruption of disaster events.
Training and exercises for your disaster/business continuity plan should be based on the outcomes of Step 2 – scenarios scored using the ASPR RISC Toolkit and the plan generated by the DHS BCP Suite. Critically important to this process is to have your organization’s disaster response mimic your regular business day. As Vince Lombardi said, “Practice the Way You Play.” And the self-directed exercise included in the DHS Suite allows you to test your newly implemented BCP and practice just how you will play.
The DHS BCP Suite testing module is a Homeland Security Exercise and Evaluation Program (HSEEP) compliant tabletop exercise, focused on business recovery efforts in the wake of a broad spectrum of threats. Examples of operational disruptions included are hurricanes, earthquakes, ice storms, and blackouts. The goal of the exercise is to improve overall recovery capabilities, actions, and collective decision-making process. Such an open, thought-provoking exchange of ideas is designed to develop and expand existing knowledge of policies and procedures within the framework of an organization’s BCP implementation.
Additional training for the design, execution, and review of disaster exercises is provided by the Federal Emergency Management Agency Emergency Management Institute (FEMA EMI) and the FEMA HSEEP YouTube Channel. Used together, this FEMA training and the above DHS BCP testing module allow businesses and organizations to test their newly implemented business continuity and disaster recovery plans before challenging them with real-world events.
The disaster/business continuity planning cycle is an annual event that should not take more than one day a week each September during National Disaster Preparedness month. Using resources and tools already paid for by your tax dollars, the process is inexpensive and can lead to improvements in operational efficiency and business alliances that actually save money.
After-Action Reviews (AARs) are documents that list the strengths and weaknesses, opportunities and threats, as well as the insights and short-sights (SWOT-IS analysis) of the BCP at the time of the exercise or disaster event. Distilling a list of Lessons Learned that can become Lessons Applied in the revised BCP is the main objective of the AAR. By applying the SWOT-IS version of a standard business SWOT analysis, businesses and organizations can evaluate and improve their BCP using the tools and resources discussed in this series of articles.
This concludes your disaster/continuity planning cycle for the year. Repeating this 4-step process each September will help you to evaluate, improve, and keep your plan current for true all-hazards deployment.
To recap the series,
Step 1: Collate an All-Hazards list of planning scenarios
Step 2: Use free government software to help you identify risks, mitigations, and write your plan
Step 3: Set up mutual aid relationships with your staff and vendors
Step 4: Conduct disaster exercises and after-action reviews
To access these resources, visit the Institute Training Library Contingency Planning Section.
For more information, visit the Institute Planning4Good Page.
We are ALWAYS stronger together! The most accurate test of operational business resilience, and that of greatest risk, is through the experience of an actual disaster. Well-planned, well-executed, and well-reviewed disaster exercises, however, can provide most if not all of the same lessons.