The value of exercising for resilience
For this blog, I’m sharing the importance of exercises for Resilience and why the effort aids in crisis prevention and mitigation. If you are in the profession, you know that an exercise component is one of the foundational elements of Resilience or a Business Continuity Management program. So, I won’t focus on convincing you why because I know you get it. Instead, I will focus on the value of exercising to build and maintain a resilient organization.
Additionally, I realize I am not the first practitioner to discuss the topic. Where I may be helpful is to add arguments and considerations to your elevator pitch and report up to leadership. Minimizing the impact of disruptive incidents is the desired focus of a mature business continuity program. To achieve this, ISO 22301 indicates the implementation of exercising and testing to be leveraged to validate the effectiveness of business continuity strategies and solutions over time.
Risks, snow leopards, and crisis
The ISO for Organizational Resilience, ISO 22316:2017, even references the ISO for exercising as part of a well-rounded approach. Scanning ISO 22398:2013(en) Exercise Guidelines will provide a high-level approach to planning, conducting, and improving exercise programs. It’s worth a read if you aren’t already familiar with it. Although not groundbreaking, it provides solid arguments for why an organized system is advantageous. For example, a robust program increases awareness, supports learning, increases intra-organizational cooperation, and enables an environment for experimentation and evaluation.
And that’s the point in a nutshell. Companies must prepare organizations for various hazards by investing time and resources in activities that advance resilience. In Risk and Snow Leopards, I affirmed that horizon scanning is helpful, but unplanned events are still the basis of crisis response. Sometimes, leadership loses sight of the fact that crisis events are unanticipated or not easily identified beforehand.
Risk and exercises
With the rising focus on risk and horizon scanning post-COVID, executives desire to predict events. Much of the world’s companies felt woefully underprepared for the realities of the pandemic. However, many organizations did participate in pandemic planning before the event. Now, boards and executives want to limit exposure by predictive analysis. However, we know that black swan and snow leopard events will occur.
I advocate a solid foundational knowledge of resilience to counteract this understandable behavior. An approach with this mindset leads to an understanding that incidents are foreseeable. Yet, it accepts that by their very nature, crisis events are not. Anne Hayes, Head of Governance and Resilience at BSI, said: “We define a crisis as any unprecedented or extraordinary situation, or event that threatens an organization. Then, it is an awareness that crises are on the side of the Blind Spot Framework outlined in Kenton Friesen’s Measuring The Maturity Of Your BCM Program article. Since we can’t know every hazard that could threaten us, we must acknowledge impactful disruptions will occur—investing in exercising aids an organization by preparing it for uncertainties and developing skill sets for a successful response.
Never enough exercises
The importance of exercise to resilience is in the experience. We want to capture the essence of a well-coordinated response or build future capabilities. And although an exercise session tells us how to respond to an event, the value is in the preparedness it teaches. It is less critical for the exercise participants to know how to respond to the exact scenario.
Resilience comes in the learning process, understanding of roles, and the ability to practice in static conditions. Boards expect that we learn from exercise sessions and incorporate learnings or gap analysis into our improvement efforts. What’s most important is to vary your exercise experiences and formats. A business that continually tests scenarios for their top risks or in a tabletop format is not well-prepared. For companies to become resilient, they must develop thinking outside the box, enabling expedited problem-solving.
Resilience as an end-goal
Moving forward, this is what I perceive boards will expect. No longer will simple compliance or adherence to regulations be gold standards. These will be the minimum expectations of functioning programs. Instead, organizational leadership will demand that governance include resilience scoring, where we prove the ability of the company to survive and thrive after catastrophes. Business resilience today is an understanding of the continuum of threats from Business as Usual (BAU) through crises.
Ideally, the business, regulators, customers, and third parties will want us to strive for a steady state of affairs despite difficulties or disturbances. So, exercising is a valuable part of a resilience-building system to protect and enable the continuation of services. Companies will expect interruptions, but adopting a survivor mentality and skills will mean an organization can bounce back faster and have less severe impacts. Even better, some events may not cause disruptions, instead averted through continuity strategies or real-time problem-solving.