With the help of Confucius, Dr. Steve Goldman discusses the importance of testing your business resiliency and related response plans.
I wrote about this many years ago. With the recent COVID-19 events, it is time to look at it again.
An exercise of the elements of a Business Resiliency, Crisis Management, Crisis Communications or IT Disaster Recovery (BR/CM/CC/DR) plan is an important aspect of an organization’s emergency preparedness. A BR/CM/CC/DR plan exercise validates the plan and procedures, tests/trains responders in simulated real conditions and provides feedback to the plan developers and responders. An exercise also can explore the ramifications of the crisis on the organizations involved. More importantly, an exercise helps answer the question: “Will my response plan actually work?”
What would Confucius say?
There is another important reason why you must test your BR/CM/CC/DR Plans. As the Chinese philosopher/reformer Confucius (551 BC - 479 BC) stated so well:
I hear and I forget.
I see and I remember.
I do and I understand.
Think about Confucius’ wisdom when you learned how to ride a bicycle or how to use a new app. You can hear about how to ride a bike (or use the app); you can even see someone ride a bike (or use the app). But until you actually do it, by getting on the bike and riding it yourself (or truly using the app), you will not truly understand how to ride the bike (or use the app). People need hands-on experience, which might occasionally involve falling down (or crashing the iPhone). But that is how we learn best.
The same philosophy applies to crisis response. Hearing about (or simply reading) the BR (etc.) plan in a classroom is worthwhile; observing training and drills is valuable. However, when your responders are in the throes of a crisis, you want them to understand what they are doing and why they need to do it. The middle of an emergency is not the time for your responders to be learning or questioning what to do; they should instinctively know. Yes, they should refer to their procedures, but responders need to understand why the policies, plans and procedures are the way they are, and what is expected of them.
The Importance of Drills and Exercises
There are tangible reasons why drills and exercises are important.
For your responders: A properly designed and conducted exercise provides training and understanding of your response program. Responders will see the effects of their actions and decisions; they can even stop and ask questions about their response. They will develop competence in their response and confidence in your program. An exercise should also clarify each responder’s role/responsibilities, and pinpoint inappropriate responder actions and decisions.
For your response program: An exercise can validate your plans and program: yes, it will work! An exercise should identify weaknesses, gaps, and areas for improvement before a crisis hits. You may discover deficiencies in resources, personnel or equipment. You will also be able to demonstrate the value (or not) of new software, supplies and equipment in real time.
For your organization: A good exercise will build teamwork within the company. Further, it will give responders an appreciation of what the other departments do, and what resources and assistance each department can bring to the table during a crisis. This also applies to external agencies participating in your exercises. I have conducted literally dozens of workplace violence exercises worldwide and successfully asked local police and other agencies for their involvement. The company and the local response agencies learn much from each other. It is always a great learning and response experience. Each understands what the other will do in such an event.
For you: If done well, a successful exercise can earn you excellent recognition, visibility, trust and respect.
An Example
For you IT aficionados, this is a true story: One of my clients hired me to develop and conduct an IT Disaster Recovery Plan drill, to be run in parallel with the annual BR/CM exercise. The IT department had a Recovery Time Objective (RTO) of returning all critical applications in 24 hours; at every DR drill, they claimed they met the RTO. However, I designed the combined BR/CM/DR exercise such that actual users (representatives from all departments) were to go to the backup data center, log in to their applications and demonstrate that each department could perform its critical functions. On the exercise day, we simulated the destruction of the data center on a Wednesday afternoon. The IT DR responders said that they would work all night and recover all applications by 8:00 AM Thursday. And that they did. When the actual department users logged in on Thursday morning, all their applications were indeed ready and available for use. Most excellent!
However – and this turned out to be a rather large however – the users could not access their apps’ data! When the users asked IT about how to retrieve their applications’ data, IT said (and I am not making this up), “You want the data drive? No one told us that users would want the data drive. We were told to recover applications and we did. What’s the problem?” After a rather interesting management-user-IT “exchange of opinions,” IT determined that it would take 1 to 2 weeks to recover the users’ data! So much for the 24-hour RTO.
In this example, the IT DR responders clearly did not understand the purpose of the DR Plan. It took a realistic test of the DR Plan to demonstrate this. I am pleased to report that within a month of this exercise (and by following Confucius’ advice, “Be not ashamed of mistakes and thus make them crimes”), the IT staff revised their DR to recover all applications and data within the 24-hour RTO. They then conducted a drill with application users to prove they could do it, and they did. Bravo!
COVID-19
Often I am asked by a company or agency if it should conduct pandemic drills in the future now that the current situation is (hopefully) abating. After all, they say, “We have been in an 18-month-long response!” True, of course. But what did we learn? More importantly, did we capture what we learned, and did we update our plans/processes? Either way, I recommend you conduct at least an annual 1- to 2-hour tabletop refresher/drill of these pandemic lessons learned and revised processes, in addition to our usual crises such as ransomware, workplace violence, natural disasters and supply chain failures. Although this is the perfect time to quote George Santayana’s “Those who do not remember the past are condemned to repeat it,” we look to Confucius for “Success depends upon previous preparation, and without such preparation there is sure to be failure.”
What Confucius advises
Someone who has committed a mistake and does not correct it, is committing another mistake.
This leads to another point: there is no sense in conducting an exercise and compiling a large “to do” list if nothing is improved. Imagine if your responders identify the same improvement items year after year. Not only will they lose confidence in you and your program, but they will also be unprepared when a real crisis hits. When exercise items are identified, it is your fiduciary responsibility to address them. Management may make the decision not to implement an exercise recommendation, but that decision needs to be made and then communicated to your responders. Confucius would advise you that “Someone who has committed a mistake and doesn't correct it is committing another mistake.”
In other words, make progress! Develop an Exercise Findings Action Plan, assign and track responsibilities, and improve, improve, improve. Confucius once wrote, “It does not matter how slowly you go so long as you do not stop.” While I do not agree that you have all the time in the world to complete the action plan, you must show your responders and your management that you are making progress in improving your plans.
Our greatest glory is not in never falling, but in getting up every time we do.
Drills and exercises are one of the few activities where falling down is actually a good thing. We learn from our errors and improve; we become better prepared for a real event. As Confucius said: Our greatest glory is not in never falling, but in getting up every time we do.