We often remind you of the importance of having resilience plans (emergency measures, business continuity, crisis management, IT disaster recovery, etc.) for your company, so as to be prepared for any eventuality. In one of our previous articles, we talked about testing and exercising, an essential step in validating business continuity capabilities. However, during these simulations, the unexpected can happen at any time, without you even expecting it. This fact may seem obvious at first glance, but it is often a blind spot in their planning.
The aim of this article is to make you aware of the importance of having a contingency procedure to help you manage an emergency during a test or exercise with your employees. We’ll provide a few ideas to guide you through the process.
Difference between contingency and business continuity
A contingency plan is a specific, highly-targeted procedure or workaround, whereas a business continuity plan is a more comprehensive approach that includes all the aspects to be considered in developing, maintaining and validating business continuity capabilities following a major indicator or crisis.
Some real-life cases…
As part of our services, we organize and run tests and exercises of all kinds with many companies and organizations. To demonstrate that emergency situations can indeed arise in such contexts, here are a few examples of cases we have experienced in the past:
- An employee of the company for which a tabletop exercise was in progress suffered a heart attack on the job. The exercise was naturally suspended and postponed.
- During a crisis management exercise, aggressive individuals attacked employees at the entrance to the building, disrupting the exercise.
- Following an evacuation exercise, employees had to return inside the building, but at the same time, a real fire broke out inside the building.
- During an IT disaster recovery exercise, which involved a technology switchover during the weekend, the IT recovery sites were not functioning as they should. The exercise was therefore interrupted to return to normal. However, that didn’t work either. The team found itself at a major impasse, caught between “normal” and backup technologies, both of which were no longer working.When migrating an update to computer servers, they were supposed to be restarted at the end of the process. However, several remained stopped and would not restart.
- During an exercise involving the complete loss of one floor of an office tower, essential employees had to head to the business continuity site. Once there, they were unable to access the other building, and once inside, more than half the computers were out of date.
- During a communications exercise, more than a quarter of the role holders in the crisis management plan were no longer employed by the organization.
It’s also possible for a major unforeseen event to occur after your organization’s business continuity plan has been activated, when you’re operating in degraded mode and from an alternative site with fewer resources to maintain critical operations. This is a situation we already experienced on June 23, 2010, when an earthquake measuring 5 on the Richter scale struck Montreal (Quebec, Canada). At the time, an associate’s business continuity plan had already been activated for 2 days, following the loss of access to his usual building. Fortunately, this had no additional impact. Even so, the team was afraid that it might force the company to suspend operations completely.
So what should you do?
As you can see from the situations described above, no one is immune to incidents, whatever the time or context.
Here are a few things to consider when putting such a plan in place:
- Determining a code word: during exercises, a code word is used to signal that a piece of information or an event is not part of the exercise or simulation but is a real situation requiring immediate action. This word is communicated to those involved before the exercise begins and ensures clear understanding and appropriate reaction on their part when the unexpected occurs. The expression No Duff is often adopted as a code word.
- Plan a fallback: in the context of software updates or configuration changes, be sure to plan a fallback. This consists of a planned fallback strategy that allows you to quickly revert to a previous version of software or restore a previous system configuration if the changes cause unexpected problems.
- Communicate actions: make sure you communicate upstream with management, alerting them to the exercise that will be taking place so they can anticipate any disruption it may have on company operations.
- Obtain approval to hold the exercise: it’s important that senior management be informed of, among other things: the objectives of the exercise, the inherent risks, the measures planned in case of glitches, the participants and the date they approve the exercise.
- Plan a contingency procedure: it is essential to develop such a procedure, which will be used specifically to deal with various contingencies during tests and exercises.
- Consider improvisation: as in any emergency, it’s important to leave some room for improvisation to enable employees to adapt quickly to changing circumstances, make quick and effective decisions, and deal flexibly with the unexpected. To find out more, read this article.
Conclusion
In the corporate world, the unexpected can happen at any time, even during tests and exercises. That’s why it’s crucial to have a contingency plan specifically designed for them. By adopting a comprehensive and flexible approach, companies can be better prepared for the unexpected and maintain their ability to bounce back under any circumstances.
Do you have a business continuity question you’d like us to answer? Write to us at [email protected] and we’ll be happy to include them in an article dedicated to questions from our community, coming soon! Please note, however, that no personalized advice will be given by e-mail. Thank you in advance for your participation!