Learn Practice Implement Challenge

 

Here at the Erwood Group, we’ve created a new exercise methodology. A new paradigm for the way a business exercises, trains, and prepares for a crisis. It is called Learn, Practice, Implement, Challenge™ – The new exercise methodology to Increase Your business endurance. 

I’m sure you’ve heard the phrase “crawl, walk, run” before, right?

Now, go ahead and tell me what you mean by that exactly, and I bet you’ll have some trouble.

“Crawl, walk, run”is a phrase I commonly hear especially around exercises. It’s a phrase that I hate. It’s just too vague, overly simplified, and completely nondescriptive, leaving out key details about just how we are supposed to progress through to something bigger and better. Can you tell me what you’re supposed to be trying to achieve?

Of course, you can’t.

That’s why many years ago I came up with the phrase Learn, Practice, Implement, Challenge™ which provides not only the descriptive details but the overarching goal of what we’re trying to accomplish with each stage of our exercise progression.

First and foremost, we have our Learning stage:

Learn

Sounds simple enough. At this stage, we teach our new plan owners and participants what they should be doing. Learning. It is designed to get everyone in the same place. As a team. They learn they have a plan, what is in the plan, where to find the plan, how to update and maintain the plan (and who is responsible for that maintenance), and we go through the plan, especially the strategy section and steps based on the strategies.

At this point we walk the participants through each strategy, asking questions about the strategy validity, any potential for this not to work, dependencies required for the strategy to work, and any additional strategies or sub-strategies we can add.

Next, we walk through each step required to implement the strategies. Making sure details needed are captured and not left too vague makes the information impractical at best and unimplementable during a crisis at worst. For instance, if a recovery strategy calls out the reliance on a secondary vendor that vendor should be called out by name. And then tertiary vendors and so on. Think in terms of, if someone else other than my main team members had to implement this plan, what information would they need? 

At the end of this exercise, we still conduct an after-action review and collect all the appropriate data such as lessons learned, what went well, what worked, what didn’t and how can we improve. We’ll also ask if they would like to add any additional input and what kinds of other disruptive events have, they experienced in the past. All of this is done to create familiarity and training for future exercises as well. The entire process is about having the participants learn new skills and improving their current existing plans. 

Once these learning stage exercises are conducted and the plans updated to reflect the exercise outcomes and additional strategies the work begins to set up the next round of future exercises for the practice stage.

Practice

Usually taking place about a year after the learning stage, the practice phase starts to get a little bit more intense. Still, in a tabletop setting in most cases, the participants are expected to know how to access their business continuity plans, how to access information within the plan, and how to walk through the steps to invoke the plan successfully. This is usually done and presented as part of a scenario impacting the business and forcing the plans to be activated.

At this practice stage, the idea isn’t to do anything too hard but to present the exercise, have the team attempt to achieve a predetermined set of goals, and even guide them into the next steps through a series of questions or injects. They may do so exceedingly well or may fail and learn a series of lessons. The idea though is to allow them to practice their plan in a controlled environment where they can feel safe and make mistakes. But not to push them to the brink where it becomes a stressful overwhelming event where they learn nothing and feel defeated.

In some cases, it may be necessary to hold several practice sessions with the team before moving on to the next stage of maturity in the exercise progression. Perhaps twice a year or more. More on this later in another post. 

The point is some teams will need to practice a few times before their comfort and confidence levels allow them to move onto the implementation stage. As with the learning stage, we hold an after-action review session immediately following each exercise.

Implement

Next, will be to implement the plans during an exercise. Here we start with what is the overall purpose of the exercise, as in, what are we exercising? Are we testing the ability to send notifications? Implement strategies? Can the steps be followed that are needed to initiate and complete the strategy? Can vendors be notified and coordinated with? Can customers be notified and coordinated with as expected? Can key personnel go to and work from an alternate location or remotely?

For all these implementations and more, are they successful? Did they fail? If so, why? Can the cause of the failure be easily determined? What worked well? What didn’t? Where is there room for improvement? How were internal communications? Were there errors? What were they? Did we use alternate applications to access information? How did that go? Are we tracking things manually? Did it work effectively? Where are there stumbling blocks and bottlenecks?

So, to summarize this section, Implementation exercises are exactly that, implementation of parts of the plan such as a select strategy, communications internally or externally, notifications to team members or other teams, or the implementation of the whole or parts of the plan that would be needed to fit the scenario.

Once teams have had the opportunity to implement their plans, we will start to Challenge them.

Challenge

The challenge phase is exactly what it sounds like, we create a scenario or series of scenarios that begin to challenge the plan owners and participants. This is done to expand the teams’ capabilities, build massive confidence, and the capability to learn and improvise based on what they know and the strategies available to them within the plan.

This challenge phase is never done with the idea of forcing the team to the brink and forcing failure, but to provide a safe learning environment to expand their capabilities. In other words, don’t make it so impossible that they do fail, but challenging enough that it forces them to think, act, and improve upon what is there so they can be ready for real incidents should they arise. Put another way, the challenge level exercises should elevate the team involved and make them better for participating in the exercise.

I’ve seen some exercise designers and facilitators develop exercises where they knock-off (kill) many or all key personnel, make it impossible to contact vendors, and inject failure at every turn. Not that some of these things can’t happen. They do. But the idea is to provide a positive learning experience for the people involved.

If they aren’t learning at every stage or phase along the way and are just placed in a stressful situation where failure is the only or main outcome, they will walk away unhappy, discouraged, with less confidence, and less likely to look forward to or participate in another exercise.

In fact, if this has been the case, you may need to reinitiate the exercises at the learn or practice phase level again just to build up your team. 

So, get out there, and Learn, Practice, Implement, and Challenge your business continuity, disaster recovery, and crisis management teams.

As part of our challenge phase as businesses mature in the exercise phase to improve their preparedness, we offer world-class training and exercise to take their endurance to the next level. We have partnered with an academy award-winning special effects team to create real-world events and scenarios in a safe and controlled environment.

 

Keith Erwood is the COO, Co-Founder, and Principal Managing Consultant of the Erwood Group. The Erwood Group focuses on business preparedness, business continuity, disaster recovery, and crisis management. We create enduring businesses that Prepare, Prevent, Profit through planning, mitigation and exercising. #Endurance>Resilience

Are You Up to the Challenge?

 

Introducing the View 360 Report

The View 360 Report is our weekly subscriber-only Business Intelligence Report. Designed to provide the reader with Situational awareness of emerging threats that could impact their business and personal lives. Unlike other reports that just bring you the potential threats and risks, we provide direct actionable measures to mitigate the impact to your business and life.

View 360 is also designed to supplement our yearly Emerging Threat Report (sold separately) published in January of each year.

The contents of each View 360 Report are sent out to subscribers each week in an easy-to-read PDF text-based format. It includes a Situation Awareness Points Overview where we highlight each threat in bullet point form, below that we go through each bullet point highlighting the details of the threat including our opinion on the topic and what to expect, along with an occasional deeper insight providing additional comments, then finally actionable measures where we provide details on mitigations that can be implemented. Then we provide a Cyber Event update on cyber events that have occurred since the last View 360 Report. Next, we bring you information surrounding planned protests around the United States detailing the cause, the place and time the event is happening and the latest intelligence on how many are planning to attend or how many are interested in the protest. Finally, we bring you our weather outlook for the week.

We have also started a private Facebook-based group for subscribers only where we can provide additional updates on key events daily as well as host discussions.

Currently, subscribers can try the View 360 Report for free for 14 days and then will be charged $49 per month thereafter. You can subscribe directly to the View 360 Report here. Cancel at any time.

Grab a free sample copy of a previous View 360 report and be sure to subscribe so you don’t miss any emerging threats in the future.  

 

 

Yesterday, I shared some Golden Nuggets on the benefits of exercising your Crisis Teams and why we exercise. Today, I am going a little deeper on another major hidden and often overlooked benefit that exercises create.

Confidence.

Whether this is for Crisis Teams, Incident Management teams (or whatever you like to call your team), Business Continuity Teams, and especially Information Technology Disaster Recovery (ITDR) teams. Frequent, repeated exercises build confidence.

Confidence among the team(s) themselves, confidence in managers and executives of the business, and confidence from your customers and business partners. The most important place to build this confidence is among the teams that are doing the recovery work.  

As you might expect, a lack of conducting exercises among your teams has the opposite effect. It can cause your team to break down and literally destroys their confidence, which also negatively impacts recovery times and overall recovery.

Let me provide some deeper insight by using an example from some previous work I did.

Several years ago, I was consulting for a major airline assisting some of the IT teams to develop Disaster Recovery Plans, getting them to move beyond tabletop walkthroughs and doing “functional” exercises, as well as documenting the exercise to get credit during an audit.

It is important for me to state here that this was a project based on an internal audit outcome. I was working with the bottom performers on remediation based on that audit. These were groups that either:

  • Had zero plans in place
  • Never conducted an ITDR exercise beyond a tabletop walkthrough
  • Conducted a functional exercise but didn’t document it properly and received no credit for doing the exercise

I want to talk about a particular group within that project that I worked with and why they never conducted anything more than a tabletop walkthrough, and why they lacked confidence and were afraid to even think of doing anything functional.

During my first meeting with this group, I specifically asked the simple question:

Why haven’t you done a functional failover exercise in the past?

The reply may come as a surprise to many of you but didn’t surprise me at all. The response they provided to me was that they weren’t allowed to do anything beyond a tabletop walkthrough.

My follow-up question to them was, who said that they were not allowed to conduct a functional exercise?

The Response: “The Business” (specifically operations).

After some discussion, I learned that the “business side” in the operations leadership felt that the systems and application were too critical to do a functional failover exercise while the application was running in production.

However, the systems and application weren’t deemed or signed off as an application that was too critical to for such an exercise. Yet, every time the team submitted a request to conduct a functional failover exercise operations would reject it and say it was too critical.

Normally, with a set of systems and or applications that the business deems too critical to complete these failover exercises they elevate them as such, and the business signs off on it as well as accepting the risk of not having these exercises done.

Not really the best decision as there are ways to do these exercises even while in production. But that is not the purpose of this story.

You see, this team not only lost confidence but felt a distrust in their capabilities from business leadership. So much so. that after working with them in both the development of a runbook and tabletop walkthrough that when I proposed having them submit permission to conduct a functional failover exercise, I was told, “there’s no point, they’ll never sign off on it.”

I told them, let me worry about that, you just pick a date and submit the request.

Behind the scenes, I was working with my engagement manager to either get the business to approve the request, or bump the criticality up to properly accept the risk, and sign off on it.

We got the approval.

Over the next 30 days, I worked with that team on their runbook to ensure that every step was in there and that they knew how to properly document and track the failover exercise, including backout procedures.

When the day of the exercise came, they performed wonderfully and did everything right.

They hit a glitch late into the exercise and couldn’t do a 100% successful failover. But did achieve the following:

  • They learned a lot. They ran into several issues during the exercise and were able to overcome them and move forward
  • They properly documented what they were doing. Conducting log capture, taking screenshots of before and after states, taking notes as they moved through the process for later use
  • Completed an after-action and discussed lessons learned, things that went wrong, and things that went well

All of this, even though the outcome wasn’t a successful failover during the exercise. They learned immensely during the exercise. They learned they could depend on one another to complete their assigned tasks. And the business learned they could trust the team to do the failover exercise, without disrupting the production environment.

The most important part. They were happy as a team and gained massive confidence in their own capabilities. This allowed them to continue to conduct exercises, gain further confidence and learn new skills.

In the end, a successful exercise isn’t always about a successful failover or other such success. In fact, you can learn a great deal when you fail. And when you learn and build the lessons into your plans, that is when the real success comes.

That, and the confidence you gain will boost you and your team during the next exercise or incident.

So. Get out there. Exercise and build confidence in yourself and your team.

 

The reasons why we exercise are often varied yet sometimes misunderstood by many. Below I will share some of the many reasons why we exercise and perhaps you’ll gain some insights into Why We Exercise.

Let me let you in on a little secret – A Golden Nugget – even the professionals make mistakes.

This is at all levels, in all industries, it even holds true in sports.

But what I am talking about specifically here are first responders and emergency managers. We all make mistakes.

Why am I telling you this? Perspective!

First Responders and Emergency Managers consistently drill, practice, and run exercises regularly. Yet they still make mistakes. They also have great outcomes, but they do make mistakes.

After each exercise, drill, or real incident they hold a debriefing. This is done whether it was a tabletop or a large-scale multi-agency functional exercise or a real incident.

The debriefing covers:

  • What went well
  • What went wrong
  • How can we do better
  • This worked great and we should implement it more
  • What did we learn – Lessons Learned
  • What are your takeaways
  • Let’s revisit and have a conversation on what we need to improve on

The reason why they exercise so often is because  make mistakes. It’s also part of training and educating. Taking corrective action and using criticism and critique in a positive way. The repetition of doing assists both actual memory and muscle memory. Some actions also become habit. These habits can be both good and bad. It’s also an excellent way of highlighting bad habits so they are corrected.

When it comes to businesses, crisis teams don’t exercise nearly enough. Many will do this once, maybe twice per year. And if they do, that’s a lot.

But more than just frequency alone crisis teams in the business world need to also take a different approach and outlook. Every exercise should be looked at as an opportunity to learn, expand skillsets, stepping beyond comfort zones, and training for the future.

Additionally, every exercise does not need to be disruptive. It can be as simple as getting in a room, conference call, or zoom/teams/insert your other favorite video conference provider and having a discussion that asks:

  • What do we do when (insert event or impact)
  • How will we handle (insert event or impact)
  • Are we prepared for (insert event or impact)
  • Have we considered (insert event or impact)

In fact, this can be done far beyond crisis teams. Each of your departments and teams that hold regular team meetings or get-togethers can take 3, 5, 10, or even 15 minutes to discuss topics depending on what is on the regular agenda. This can be done every meeting, every-other meeting, or even quarterly.

You’ll see changes to your planning and preparedness levels. You might even see changes to your long-term culture. Trust me that’s a good thing.

This is why we exercise.

 

Over the past few years, business leaders have been reminded repeatedly of the unpredictability of doing business in an uncertain future. This has certainly been the case for the past two years as business owners faced devastation from both humanitarian and natural disasters.   

As the world gets riskier, being prepared for disruptions and disasters impacting your business is extremely important. Why? In addition to preventing severe financial losses, it can prevent companies from “closing their doors”.   

To celebrate April’s Financial Literacy Month, I will share examples of what happens when you do not have a plan and outline strategic steps on how to build a resilient organization during the next crisis.  

NOT PLANNING FOR THE UNEXPECTED 

Even seemingly small events can have major impacts on a business. Consider the following events causing major impacts to businesses:  

  • A car hit a fire hydrant in front of an antique bookstore causing damage to 1,500 antique books costing $300,000 in restoration and repairs. 
  • A bad database upgrade and upload resulted in the database transaction processing idled for seven days; resulting in the loss of two major clients.  
  • Even a trader was impacted by a power loss at his home.  Due to the outage, he was unable to execute a trade to exit a position and lost $70,000.00 in a single day.  

Tessco Technologies 

Let’s look at what happened with Tessco Technologies, a supplier of wireless communications products for network infrastructure, site support, and fixed and mobile broadband located in Baltimore, Maryland.  The business was not in a flood, fire, or earthquake zone.  In this case, the culprit was a faulty fire hydrant, which caused several hundred thousand gallons of water to be blasted through a concrete wall leaving the company’s primary data center under several feet of water.  It also left 1400 hard drives, and 400 SAN disks soaking wet and caked with mud and debris. 

PREPARE, PREVENT, PROFIT

Businesses don’t need to be located in a disaster zone to be impacted by a disaster.  The key to protecting your business is to prepare with a plan that is well documented and has strategies you can rapidly put into place.  

Below are five reasons why business leaders should prepare: 

  • Quickly respond and adjust to a disaster or disruption with strategies that allow you to shift and pivot your business for a more expedient recovery 
  • Reduce or even eliminate financial losses by implementing strategies that reduce the impacts 
  • Obtain better insurance rates and coverage for instant Return on Investment (RIO) 
  • Meet government, regulatory, and customer requirements calling for contingencies 
  • Maintain business reputation and share price 

A well-documented plan can help you quickly respond, adjust, and pivot to alternative strategies. As part of proper planning, it is important to know what the delayed and lost revenue to your business will be as well as the potential for increased expenses and other recovery-based costs that will impact your business.  

The first step is to calculate what your downtime costs would be. This is usually directly representative of lost revenue. It is important to note that even delayed revenue can have a significant impact on a business’ cash flow, whether daily, weekly, or monthly. Even if all your income is only delayed, having a reduction to cash flow can shut a business down quickly.  

By taking the time to do even basic downtime calculations you can begin to take steps to protect your revenue-generating processes. 

ASSESSING THE FINANCIAL IMPACTS OF BUSINESS DISRUPTIONS 

Many organizations skip the Financial Impact Analysis.  This is a mistake. Conducting a Financial Impact Analysis is critical to helping a business understand the actual financial impact a disaster or disruption can have on a business. With this process, businesses can select strategies to enable a recovery that makes sense financially and gives leaders peace of mind that no matter what uncertainties the future may bring, organizations will thrive and even profit for years to come.  Let’s take a look at the top five: 

  • Providing insight into Business processes and Applications that when impacted by disruption will cause the business to have lost or delayed revenues 

This first step will allow a business to determine estimated or in some cases exact dollar amounts in lost and delayed revenue from a disruption. Even a basic calculation of these lost revenues can quickly inform a business where they can and should focus their preparedness efforts. Notice this is preparedness, not recovery efforts. This is because a large part of getting this right is done during the preparedness phase pre-disaster.  

  • Allows for proper cost-benefit-analysis of (to implement) right-sized recovery strategies 

This calculation then allows the business to focus its strategies on key critical core functions that are most likely to be impacted by revenue losses and cash flow issues. This deeper insight helps the business to focus resources, time, and money on these critical functions with better data backup, record retention, and manual recovery strategies rather than through resources in business areas randomly that may not need as much or any strategies.  

  • Potentially reduced insurance premiums along with increased insurance coverage 

Additionally, presenting your insurance company with a well-thought-out preparedness plan in many cases can reduce your insurance coverage premiums, provide you with increased coverage, or both. Just recently I helped a large Biotechnology company obtain an additional $500M in coverage for a total of $2B in total Property and Casualty Insurance Coverage with zero additional increase to their premiums.  

  • Better insight for the selection of Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), and Maximum Allowable Downtime (MAD) 

Another key benefit is rather than selecting arbitrary Recovery Time Objectives (RTOs) for your business processes or Information Technology Disaster Recovery (ITDR), you can tie these to your financial impacts and set clear goals that are meaningful to your business.  

This would allow you to implement a preparedness or IT recovery strategy that enables you to recover in the time you need and more importantly, save money. 

  • Greater ability to measure effective Return on Investment (ROI) of Business Preparedness Measures 

When you take the time to do even basic financial impact calculations, it also becomes much easier to measure and obtain better ROI. Yet, many do not take the time to do these calculations because they believe it is too difficult, they don’t know where to start, or even how to apply the outcome of these calculations.  

MAKE YOUR BUSINESS MORE RESILIENT  

At the Erwood Group, our business is helping your business stay up and running after and ideally during a crisis or disruption. Whether you need help with business continuity planning, crisis, and incident management, or need better disaster recovery options, we’ve got programs and services to make your business more resilient so that you can prepare, prevent and profit even in a disaster.  

To celebrate April’s Financial Literacy Awareness month, I am offering a free consultation to help your business survive the next disaster and provide critical strategic steps to prepare, prevent and profit in an uncertain and unpredictable future.   

Contact Keith Erwood, Business Preparedness Expert, ERWOOD GROUP.