August 2015 · For Training, Exercise and Scenario Development and Exercise Facilitation ... cyber...
Corpress LLP Exercise Checklist ©corpress 2015
For Training, Exercise and Scenario Development and Exercise Facilitation
www.corpress.uk email [email protected]
[Cover graphic keywords: People, Capability, Skills, Governance, Risk, Awareness, Response, Mitigation, Opportunity, Awareness, Resilience, Adaptability, Culture, Drills, Tabletops, Simulations, Live exercises, Plans, Procedures, Facilities]
Emergency and Continuity Exercise Checklists August 2015
Discount Voucher see final page:
Exercise Design & Development Course 30/9/15
SUMMARY
Corpress LLP recognises the important role that exercise programmes play in establishing effective response arrangements. We also recognise the investment of time and resources required to create meaningful simulations and scenarios, the importance of accuracy and reality, and the need to provide maximum benefit to the participating managers and executives. In response to conversations with clients we have introduced a number of new ideas and approaches to exercises and simulations, which are designed to engage senior executives, reduce development time and maximise engagement across the business.
- Executive immersive sessions;
  o time focused simulation exercises with intellectual challenge and defined objectives.
- Access to an issues and risk library;
  o allowing scenario development and realism to be achieved at lower costs.
- Engaging with staff;
  o through pre and post communications programmes.
- Linking capability and confidence;
  o through defined learning objectives
Corpress partners offer a wealth of experience to help you develop, run and observe exercises, allowing you to explore the full potential from simple desktop environments to full immersive simulations. We tailor the service to meet your needs.
- We develop exercises in line with established standards.
- Our exercises are designed to meet your objectives including the provision of individual and team training, demonstration of capability and understanding of risk impacts.
- We offer individual and team training in advance of an exercise to ensure participants are confident of their individual role and process to be followed.
- Our objective is to develop exercises that deliver value to our clients.
CONTENT
Summary
Checklist 1. Preparation for Exercises
Exercise Format
Checklist 2. Exercise Conduct
Checklist 3. Exercise Analysis and Close
Exercise Strategy
Capability and Confidence
Making Exercises Real
Discount Voucher
- Hundreds of successful exercises run by the Partners across all industry sectors
- Including some of the world's largest commercial exercises
- Full spectrum of risks from cyber through legal to HR, continuity, security and physical incidents
- Interfacing with regulators, investors, media
- Exercises for training and awareness
- Exercises for testing plans and procedures
- Exercises for checking capability and capacity
- Executive team facilitation
- Crisis Leadership
Checklist 1. Preparation for Exercises
The following checklist uses PD 25666:2010 and ISO 22398 as the basis for the key components of exercises. It also contains observations and points noted by Corpress partners who have extensive experience of running exercises, which means that it extends beyond the scope of the BSI and ISO documents, but we hope it benefits from this. Corpress has experience of preparing exercises across all business sectors, geographies and scale; covering local and global, small to exceedingly large, in both simple and complex settings, for training and testing purposes.
The BSI document suggests that exercises should, over time, seek to validate in full any continuity or contingency capability. It also contains the warning that a less demanding exercise scenario might not provide an accurate level of validation of the plans.
Phase | Component | Element | Corpress Comment
Preparation | Objectives | Clarity over the exercise directives
- Is the requirement for training or exercises?
- What will be gained by running an exercise?
- Who should participate?
- What facilities need to be used?
- What plans are to be used?
- Are the plans up to date?
- Check if the people involved have sufficient knowledge and experience to get the most out of the exercise proposed
Programme | Long term programme
- Ensure it benefits the business
- Aim to improve the competence and confidence of people progressively through the programme
- Develop exercise specific elements which target the incident response capabilities to ensure that these work as expected
- Promote the integration of incident response elements into a combined response
- Identify any necessary improvements to the contingency or continuity strategy and response arrangements
- Ensure a close linkage with the risk registers
- Don’t ignore strategically important projects
- Maintain a record of the programme, its objectives, deliverables and remedial actions
Preparation | Planning | Risk, issues and impacts
- Examine objectives against the wider business case
- Look for opportunities to build storylines around current risks and issues
- Identify stakeholders
Planning | Constraints
- Analyse what the constraints are for running an exercise
  o Management commitment
  o Resources
  o Time
- Recognise which constraints can be overcome
Planning | Budget
- What are the financial constraints on exercising?
  o Better to conduct training in advance to ensure value from expenditure on a major exercise
  o Look at a 3 year budget for exercising to get maximum value from investment.
Planning | Select the method
- Consider:
  o Drills
  o Workshops and seminars
  o Tabletops
  o Simulation
  o Live play
Planning | Scenario, storyline and documentation
- The following points are captured from Corpress experience:
  o Does the storyline, which describes the event and the implications, feel relevant and possible?
  o Has the storyline been used to create a detailed scenario? Note: there is a high level link with the scenario but the scenario is more complex
  o Has the storyline been analysed to identify the full range of issues, risks and impacts which could arise from the event?
  o Have the needs and expectations of all stakeholders been taken into account?
  o Is the supporting documentation comprehensive?
  o Have training modules been prepared for role players and observers?
Communication | Embedding knowledge
- Now is the time to start communicating with the business; use the opportunity to raise awareness, discuss issues and focus attention on business objectives.
  o Communicate across the business not just with those involved in the exercise
Preparation | Risk | Security and safety
- Has an assessment been conducted of the impact of conducting an exercise to identify:
  o The exposure of people?
  o If facilities or assets could be harmed?
  o How reputation could be damaged?
  o If sensitive information could be released, damaged or lost?
- How sensitive is the information contained in the scenario and have precautions been taken to control such information?
Procedure | Exercise Conduct
- Appoint Exercise conduct roles:
  o Director
  o Controller
  o Observers
  o Umpires
Exercise format
Selection of the most suitable format for an exercise must take into account a range of factors:
- The target audience
- Maturity of the participating team(s)
- Exercise objectives and cost
- Available resources, including time of key personnel
- Security, safety and risk considerations
Corpress LLP will advise on the most suitable format to meet your objectives. Potential formats are illustrated opposite. Corpress LLP create tailored solutions designed to develop resilience and protect organisations.
Our focus is the strategic integration of governance and risk management with real time business processes. We achieve this by placing a priority on people; our firm belief is that effective systems, policies and procedures are there to support highly capable individuals and teams. Simulation and exercise programmes deliver enhanced response capability but also form a key part of risk communication, governance and organisational resilience.
Complexity | Exercise | Process | Variants | Good Practice Frequency
Simple | Desk Check | Review/challenge BCP | Desk top exercises to understand emerging risks | Frequent exercises to maintain familiarity.
Medium | Walk through; Simulation; IT DR | Challenge BCP; Familiarise users; Test single components; Proof of capability | Depts or single capability, e.g. callout | Programme over period of time to test every component and train teams
Complex | Live exercise with multiple teams | Scenario plus real time responses; Integrate with other agencies | Focus can change during the exercise from incident response through business recovery to crisis management | Every 2-3 years. Ultimate demonstration of capability
Exercise Complexity
Checklist 2. Exercise Conduct
Phase | Component | Element | Corpress Comment
Exercise Conduct | Documentation | Quality
- Check accuracy of information
- Ensure good document control
- Ensure if appropriate that:
  o All role players have been briefed and provided with scripts and injects
  o Multi-media material is available
  o Instructions have been issued to control staff
  o Security arrangements for information control have been checked
- Make it real
Final check | Control
- Have exercise briefings been prepared for role-players, controllers, observers and umpires?
- Final check on safety and security issues and communications at locations
- Check access for role players, observers and participants
- What controls are in place for third parties who are likely to become aware of the exercise (own staff, outsiders or media)?
- Review briefing material for all participants on the exercise communications protocols and processes
- Ensure arrangements are in place for suspending or stopping the exercise to respond to real life events
- Are records maintained of the content of the briefing and the details of all participants and stakeholders who receive/attend the pre-exercise briefings?
- Ensure all key personnel are aware of how the exercise will start
- Check all communication links
- Check points of exposure between exercise and real life are monitored
Exercise Conduct | Observation | Exercise Coordination
- Ensure observers are trained and competent in their role
- Check the instructions for observation of the exercise
- Review the timeline and injects for agreed trigger points and actions and check these have been met
- Prepare additional inputs to reinforce the scenario if required to ensure objectives will be met
- As appropriate monitor and record actions, activities, decisions, facilities and human factors etc.
- Ensure arrangements are in place for the Exercise Director to maintain contact with exercise controllers and observers during the exercise
Team performance
- The team is aware of and uses the relevant sections of the response manuals and guides
- Information is captured and displayed correctly
- Information sharing is good between members of the team
- Problem solving is effective
- The team supports individuals
- Following updates and briefings the questions are relevant and team members listen and participate
- Arrangements are in place to hand over to the next shift teams
Leadership and Individual performance
- At all times there is clarity over objectives set by the leader and acted on by the individuals
- The leader's voice is heard
- Team updates are provided in a timely and effective manner
- Decisions are made and acted upon
- Individuals who may be overloaded are supported
- Disputes and conflicts are managed effectively
- Individuals work effectively and maintain good records
- Adequate rest periods are provided
- Individuals display competence (and confidence) in their roles
- Problems are solved effectively and solutions communicated.
Exercise Conduct | Observation | Facilities
- There is good lighting and adequate space
- Noise levels are satisfactory and do not detract from individuals working
- Security is provided to limit entry to the room and protect confidential information
- IT works effectively and support is available
- Information can be captured and displayed
- Administration support is provided
- Team members know how to use the equipment (and/or briefings are available)
Simulation and exercise programmes deliver enhanced response capability but also form a key part of risk communication, governance and organisational resilience.
Corpress LLP scenarios have addressed: Cyber security; IT software failures; IT hardware failures; Loss of critical suppliers; Utility failures; Media, Public affairs; Whistleblowers; NGO pressure; Financial losses; Fraud; Human rights; Liquidity; Relatives Response; Floods; Explosions; Terrorism; Strikes; CSR; Disease; Community and social issues; Building collapse; Anti trust legislation; Regulator action; Environmental incident; Product recall; Bribery and corruption.
Checklist 3. Exercise Analysis and Close
Phase | Component | Element | Corpress Comment
Analysis | Administration | Information
- Ensure an accurate record is kept of all participants in the exercise
- Gather all documents, photographs and electronic references
- Implement a secure policy for retaining/disposing of sensitive documents
Feedback
- Gather observations from the participants as soon as practicable
- Request observers to submit reports
- Interview role players and collate their records
Assessment
- Create a timeline against the scenario
- Check for exercise irregularities
- Match actions and decisions with communications
- Assess timelines
- Review impacts, issues and decisions taken against the timeline
- Check for actions and process against procedures
- Review the use of procedures
- Check how effective facilities were
Close | Documentation | Report
- Create exercise report
- Communicate with key stakeholders
- Communicate internally
- Plan next exercise
Action Plan
- Prepare an action plan
- Capture feedback on live issues and risks and share with compliance and risk department.
Reminder: Exercise documentation can be discoverable in legal cases and may be subject to review by regulators. They need to be controlled documents.
Exercise strategy
Achieving a successful response to any incident or emerging or potential issue depends on having in place a response structure and procedures which have been exercised to validate the plans and to familiarise all potential response team members with the process to follow. Exercising can follow a range of formats; choosing the most appropriate depends on the objectives of the exercise, the scale of the potential risks facing the organisation and the resources available to support the exercise programme, including time and funding. Corpress LLP consultants have wide experience of developing and conducting exercises in a wide range of business sectors. Exercise design in line with the model illustrated here is straightforward. Delivering a successful exercise which meets the objectives does, however, benefit from previous experience to recognise and manage the challenges and deliver value for money.
Capability and Confidence
Alongside the testing of plans and facilities, exercises provide tremendously strong learning environments where the experiences, the practice and the skills learnt build the competence and capability of individuals and teams, not only when implementing a response to an incident or continuity based events but in day-to-day business. Our approach delivers the link between exercises, training and staff development to achieve the maximum benefits from your investment. Knowing how to effectively handle problems, to manage risks and to work in challenging circumstances is a key component of staff development.
Developing realistic scenarios, based on the organisation’s risk profile and using current exposures, allows the lessons learnt during the exercises to be instantly translated back to the work place. To achieve this, care must be taken to ensure the learning objectives tie in with staff development, that the scenarios are realistic, and that training/exercise environments provide the opportunity for experiential learning. Our approach of reinforcing learning through communications before, during and immediately after the exercises helps to embed the knowledge, ensure engagement with risks and reinforce the organisation’s compliance with regulatory, governance or internal standards.
We offer a well-established approach to exercise design and delivery which aligns with the established standards ISO 22398 and BSI PD 25666, which give guidance on exercise and testing. Working with your team, Corpress consultants will develop a detailed project plan to deliver the exercise in line with your objectives.
Making the exercises real
It is important that the exercise creates the right environment for learning the right lessons. Who knows, tomorrow you could be faced with a very similar set of circumstances and problems and the last thing you want is a response based on false lessons gained from ineffective past exercises. Our approach is to ensure the scenario feels realistic. We recognise that in the real world nothing works perfectly so use this to build in a random element, which engages participants. When appropriate and possible we use live inputs delivered by role players who understand the input and can answer questions confidently. We prepare additional inputs to guide the response team towards a full appreciation of potential impacts of events to the organisation.
Working with you we tailor the exercise to meet the objectives:
- Team training?
  o Requires a progressive programme of different styles of exercises which allows time for team members, and nominated deputies, to learn their individual roles, understand the process and recovery capabilities available, work out their departmental strategy.
  o The exercise is preceded by briefings/training for team members to give them individual confidence.
- A rehearsal of a specific recovery strategy?
  o A technical exercise to test a capability probably assessable as success or failure.
  o Also requires a progressive programme to move from detailed testing to a large scale exercise to prove that the recovery strategy does scale up to protect the business.
  o Audience is both the participants and the external stakeholders – regulators, customers and suppliers.
- Designed to challenge the ability to recover when faced by emerging threats?
  o This is about making the response and recovery capability real.
  o Work with risk to identify potential scenarios relevant to the organisation, which means the scenario is on the risk horizon with a level of impact that engages executive thinking.
  o Output is new areas of work to provide continuity management for emerging risks; better understanding of impacts which feeds back into the risk profile; senior management engagement because the outcome is relevant to their current concerns.
For more details on Corpress programmes including training, exercises and workshops please visit our web site at www.corpress.uk or email us on [email protected]
David Evans [email protected] Lynne Donaldson [email protected] Duncan Ford [email protected]
EXERCISE Design and Development Course
Next London Session: September 30th
Make it Real
For course details: http://www.corpress.uk/?page_id=471 Or [email protected]