
Corpress LLP Exercise Checklist ©corpress 2015

For Training, Exercise and Scenario Development and Exercise Facilitation

www.corpress.uk email [email protected]

People

Capability

Skills

Governance

Risk

Awareness

Response

Mitigation

Opportunity

Awareness

Resilience

Adaptability

Culture

Drills

Tabletops

Simulations

Live exercises

Plans

Procedures

Facilities

Emergency and Continuity Exercise Checklists August 2015

Discount Voucher see final page:

Exercise Design & Development Course 30/9/15


SUMMARY

Corpress LLP recognises the important role that exercise programmes play in establishing effective response arrangements. We also recognise the investment of time and resources required to create meaningful simulations and scenarios, the importance of accuracy and realism, and the need to provide maximum benefit to the participating managers and executives. In response to conversations with clients we have introduced a number of new ideas and approaches to exercises and simulations, designed to engage senior executives, reduce development time and maximise engagement across the business.

- Executive immersive sessions;
  o time focused simulation exercises with intellectual challenge and defined objectives.
- Access to an issues and risk library;
  o allowing scenario development and realism to be achieved at lower cost.
- Engaging with staff;
  o through pre and post communications programmes.
- Linking capability and confidence;
  o through defined learning objectives.

Corpress partners offer a wealth of experience to help you develop, run and observe exercises, allowing you to explore the full potential from simple desktop environments to full immersive simulations. We tailor the service to meet your needs.

We develop exercises in line with established standards.

Our exercises are designed to meet your objectives, including the provision of individual and team training, demonstration of capability and understanding of risk impacts.

We offer individual and team training in advance of an exercise to ensure participants are confident of their individual role and the process to be followed.

Our objective is to develop exercises that deliver value to our clients.

CONTENT

Summary
Checklist 1. Preparation for Exercises
Exercise Format
Checklist 2. Exercise Conduct
Checklist 3. Exercise Analysis and Close
Exercise Strategy
Capability and Confidence
Making Exercises Real
Discount Voucher

- Hundreds of successful exercises run by the Partners across all industry sectors, including some of the world's largest commercial exercises
- Full spectrum of risks from cyber through legal to HR, continuity, security and physical incidents
- Interfacing with regulators, investors, media
- Exercises for training and awareness
- Exercises for testing plans and procedures
- Exercises for checking capability and capacity
- Executive team facilitation
- Crisis Leadership


Checklist 1. Preparation for Exercises

The following checklist uses PD 25666:2010 and ISO 22398 as the basis for the key components of exercises. It also contains observations and points noted by Corpress partners who have extensive experience of running exercises, which means that it extends beyond the scope of the BSI and ISO documents but, we hope, benefits from this. Corpress has experience of preparing exercises across all business sectors, geographies and scales, covering local and global, small to exceedingly large, in both simple and complex settings, for training and testing purposes. The BSI document suggests that exercises should, over time, seek to validate in full any continuity or contingency capability. It also contains the warning that a less demanding exercise scenario might not provide an accurate level of validation of the plans.

Phase | Component | Element | Corpress Comment

Preparation | Objectives | Clarity over the exercise directives
- Is the requirement for training or exercises?
- What will be gained by running an exercise?
- Who should participate?
- What facilities need to be used?
- What plans are to be used?
- Are the plans up to date?
- Check if the people involved have sufficient knowledge and experience to get the most out of the exercise proposed

Preparation | Programme | Long term programme
- Ensure it benefits the business
- Aim to improve the competence and confidence of people progressively through the programme
- Develop exercise specific elements which target the incident response capabilities to ensure that these work as expected
- Promote the integration of incident response elements into a combined response
- Identify any necessary improvements to the contingency or continuity strategy and response arrangements
- Ensure a close linkage with the risk registers
- Don't ignore strategically important projects
- Maintain a record of the programme, its objectives, deliverables and remedial actions


Preparation | Planning | Risk, issues and impacts
- Examine objectives against the wider business case
- Look for opportunities to build storylines around current risks and issues
- Identify stakeholders

Preparation | Planning | Constraints
- Analyse what the constraints are for running an exercise:
  o Management commitment
  o Resources
  o Time
- Recognise which constraints can be overcome

Preparation | Planning | Budget
- What are the financial constraints on exercising?
  o Better to conduct training in advance to ensure value from expenditure on a major exercise
  o Look at a 3 year budget for exercising to get maximum value from investment.

Preparation | Planning | Select the method
- Consider:
  o Drills
  o Workshops and seminars
  o Tabletops
  o Simulation
  o Live play

Preparation | Planning | Scenario, storyline and documentation
- The following points are captured from Corpress experience:
  o Does the storyline, which describes the event and the implications, feel relevant and possible?
  o Has the storyline been used to create a detailed scenario? Note: there is a high level link with the scenario but the scenario is more complex
  o Has the storyline been analysed to identify the full range of issues, risks and impacts which could arise from the event?
  o Have the needs and expectations of all stakeholders been taken into account?
  o Is the supporting documentation comprehensive?
  o Have training modules been prepared for role players and observers?

Preparation | Communication | Embedding knowledge
- Now is the time to start communicating with the business; use the opportunity to raise awareness, discuss issues and focus attention on business objectives.
  o Communicate across the business, not just with those involved in the exercise

Preparation | Risk | Security and safety
- Has an assessment been conducted of the impact of conducting an exercise to identify:
  o The exposure of people?
  o If facilities or assets could be harmed?
  o How reputation could be damaged?
  o If sensitive information could be released, damaged or lost?
- How sensitive is the information contained in the scenario and have precautions been taken to control such information?

Preparation | Procedure | Exercise Conduct
- Appoint exercise conduct roles:
  o Director
  o Controller
  o Observers
  o Umpires


Exercise format

Selection of the most suitable format for an exercise must take into account a range of factors:
- The target audience
- Maturity of the participating team(s)
- Exercise objectives and cost
- Available resources, including time of key personnel
- Security, safety and risk considerations

Corpress LLP will advise on the most suitable format to meet your objectives. Potential formats are illustrated opposite; Corpress LLP creates tailored solutions designed to develop resilience and protect organisations.

Our focus is the strategic integration of governance and risk management with real time business processes. We achieve this by placing a priority on people; our firm belief is that effective systems, policies and procedures are there to support highly capable individuals and teams. Simulation and exercise programmes deliver enhanced response capability but also form a key part of risk communication, governance and organisational resilience.

Exercise Complexity

Complexity | Exercise | Process Variants | Good Practice | Frequency

Simple | Desk Check | Review/challenge BCP | Desk top exercises to understand emerging risks | Frequent exercises to maintain familiarity.

Medium | Walk through; Simulation; IT DR | Challenge BCP; Familiarise users; Test single components; Proof of capability | Depts or single capability, e.g. callout | Programme over a period of time to test every component and train teams

Complex | Live exercise with multiple teams | Scenario plus real time responses; Integrate with other agencies | Focus can change during the exercise from incident response through business recovery to crisis management | Every 2-3 years. Ultimate demonstration of capability


Checklist 2. Exercise Conduct

Phase | Component | Element | Corpress Comment

Exercise Conduct | Documentation | Quality
- Check accuracy of information
- Ensure good document control
- Ensure, if appropriate, that:
  o All role players have been briefed and provided with scripts and injects
  o Multi-media material is available
  o Instructions have been issued to control staff
  o Security arrangements for information control have been checked
- Make it real

Exercise Conduct | Final check | Control
- Have exercise briefings been prepared for role-players, controllers, observers and umpires?
- Final check on safety and security issues and communications at locations
- Check access for role players, observers and participants
- What controls are in place for third parties who are likely to become aware of the exercise (own staff, outsiders or media)?
- Review briefing material for all participants on the exercise communications protocols and processes
- Ensure arrangements are in place for suspending or stopping the exercise to respond to real life events
- Are records maintained of the content of the briefing and the details of all participants and stakeholders who receive/attend the pre-exercise briefings?
- Ensure all key personnel are aware of how the exercise will start
- Check all communication links
- Check points of exposure between exercise and real life are monitored

Exercise Conduct | Observation | Exercise Coordination
- Ensure observers are trained and competent in their role
- Check the instructions for observation of the exercise
- Review the timeline and injects for agreed trigger points and actions and check these have been met

- Prepare additional inputs to reinforce the scenario if required to ensure objectives will be met
- As appropriate, monitor and record actions, activities, decisions, facilities and human factors etc.
- Ensure arrangements are in place for the Exercise Director to maintain contact with exercise controllers and observers during the exercise

Exercise Conduct | Observation | Team performance
- The team is aware of and uses the relevant sections of the response manuals and guides
- Information is captured and displayed correctly
- Information sharing is good between members of the team
- Problem solving is effective
- The team supports individuals
- Following updates and briefings the questions are relevant and team members listen and participate
- Arrangements are in place to hand over to the next shift teams

Exercise Conduct | Observation | Leadership and individual performance
- At all times there is clarity over objectives set by the leader and acted on by the individuals
- The leader's voice is heard
- Team updates are provided in a timely and effective manner
- Decisions are made and acted upon
- Individuals who may be overloaded are supported
- Disputes and conflicts are managed effectively
- Individuals work effectively and maintain good records
- Adequate rest periods are provided
- Individuals display competence (and confidence) in their roles
- Problems are solved effectively and solutions communicated.

Exercise Conduct | Observation | Facilities
- There is good lighting and adequate space
- Noise levels are satisfactory and do not detract from individuals working
- Security is provided to limit entry to the room and protect confidential information
- IT works effectively and support is available
- Information can be captured and displayed
- Administration support is provided
- Team members know how to use the equipment (and/or briefings are available)

Corpress LLP scenarios have addressed:
- Cyber security
- IT software failures
- IT hardware failures
- Loss of critical suppliers
- Utility failures
- Media, public affairs
- Whistleblowers
- NGO pressure
- Financial losses
- Fraud
- Human rights
- Liquidity
- Relatives response
- Floods
- Explosions
- Terrorism
- Strikes
- CSR
- Disease
- Community and social issues
- Building collapse
- Anti-trust legislation
- Regulator action
- Environmental incident
- Product recall
- Bribery and corruption


Checklist 3. Exercise Analysis and Close

Phase | Component | Element | Corpress Comment

Analysis | Administration | Information
- Ensure an accurate record is kept of all participants in the exercise
- Gather all documents, photographs and electronic references
- Implement a secure policy for retaining/disposing of sensitive documents

Analysis | Administration | Feedback
- Gather observations from the participants as soon as practicable
- Request observers to submit reports
- Interview role players and collate their records

Analysis | Administration | Assessment
- Create a timeline against the scenario
- Check for exercise irregularities
- Match actions and decisions with communications
- Assess timelines
- Review impacts, issues and decisions taken against the timeline
- Check for actions and process against procedures
- Review the use of procedures
- Check how effective facilities were

Close | Documentation | Report
- Create exercise report
- Communicate with key stakeholders
- Communicate internally
- Plan next exercise

Close | Documentation | Action Plan
- Prepare an action plan
- Capture feedback on live issues and risks and share with compliance and risk department.


Reminder: Exercise documentation can be discoverable in legal cases and may be subject to review by regulators. They need to be controlled documents.

Exercise strategy

Achieving a successful response to any incident or emerging or potential issue depends on having in place a response structure and procedures which have been exercised to validate the plans and to familiarise all potential response team members with the process to follow. Exercising can follow a range of formats; choosing the most appropriate depends on the objectives of the exercise, the scale of the potential risks facing the organisation and the resources available to support the exercise programme, including time and funding. Corpress LLP consultants have wide experience of developing and conducting exercises in a wide range of business sectors. Exercise design in line with the model illustrated here is straightforward. Delivering a successful exercise which meets the objectives, however, does benefit from previous experience to recognise and manage the challenges and deliver value for money.


Capability and Confidence

Alongside the testing of plans and facilities, exercises provide tremendously strong learning environments where the experiences, the practice and the skills learnt build the competence and capability of individuals and teams, not only when implementing a response to an incident or continuity based event but in day-to-day business. Our approach delivers the link between exercises, training and staff development to achieve the maximum benefits from your investment. Knowing how to effectively handle problems, to manage risks and to work in challenging circumstances is a key component of staff development.

Developing realistic scenarios, based on the organisation's risk profile and using current exposures, allows the lessons learnt during the exercises to be instantly translated back to the workplace. Achieving this means that care must be taken to ensure the learning objectives tie in with staff development, that the scenarios are realistic, and that training/exercise environments provide the opportunity for experiential learning. Our approach of reinforcing learning through communications before, during and immediately after the exercises helps to embed the knowledge, ensure engagement with risks and reinforce the organisation's compliance with regulatory, governance or internal standards.

We offer a well-established approach to exercise design and delivery which aligns with the established standards ISO 22398 and BSI PD 25666, which give guidance on exercising and testing. Working with your team, Corpress consultants will develop a detailed project plan to deliver the exercise in line with your objectives.

Making the exercises real

It is important that the exercise creates the right environment for learning the right lessons. Who knows, tomorrow you could be faced with a very similar set of circumstances and problems, and the last thing you want is a response based on false lessons gained from ineffective past exercises. Our approach is to ensure the scenario feels realistic. We recognise that in the real world nothing works perfectly, so we use this to build in a random element which engages participants. When appropriate and possible we use live inputs delivered by role players who understand the input and can answer questions confidently. We prepare additional inputs to guide the response team towards a full appreciation of the potential impacts of events on the organisation.

Working with you we tailor the exercise to meet the objectives:

- Team training?
  o Requires a progressive programme of different styles of exercises which allows time for team members, and nominated deputies, to learn their individual roles, understand the process and recovery capabilities available, and work out their departmental strategy.
  o The exercise is preceded by briefings/training for team members to give them individual confidence.

- A rehearsal of a specific recovery strategy?
  o A technical exercise to test a capability, probably assessable as success or failure.
  o Also requires a progressive programme to move from detailed testing to a large scale exercise to prove that the recovery strategy does scale up to protect the business.
  o Audience is both the participants and the external stakeholders – regulators, customers and suppliers.

- Designed to challenge the ability to recover when faced by emerging threats?
  o This is about making the response and recovery capability real.
  o Work with risk to identify potential scenarios relevant to the organisation, which means the scenario is on the risk horizon with a level of impact that engages executive thinking.
  o Output is new areas of work to provide continuity management for emerging risks; better understanding of impacts which feeds back into the risk profile; senior management engagement because the outcome is relevant to their current concerns.


For more details on Corpress programmes including training, exercises and workshops please visit our web site at www.corpress.uk or email us on [email protected]

David Evans [email protected] Lynne Donaldson [email protected] Duncan Ford [email protected]

EXERCISE Design and Development Course

Next London Session: September 30th

Make it Real

For course details: http://www.corpress.uk/?page_id=471 Or [email protected]