It happens all the time: Organizations invest huge amounts of money, time, and effort into designing a top-notch business continuity program and then half-heartedly train employees to carry out recovery plans. Their assessment of this process: Mission accomplished.
I would argue it’s an incomplete victory. Without an effective training program followed by the right level of business continuity testing, there’s little chance that your employees would know enough to successfully carry out your plan. It’s like having enough life jackets to save everyone—but not telling people where to find them or how to use them.
Business continuity training and testing go hand-in-hand. Skip these entirely and your plan is guaranteed to fail. And implementing one without the other—training without testing—is risky business, too; how can you be sure the training worked? Both must be used in concert to ensure the overall success of your plans.
Business Continuity Training
The only way you can be sure your employees will do what they’re supposed to do in the event of a disruption is to teach with the end result in mind. Think through what you need them to do, train them to do it, and test them to be sure they can perform. To do that you’ll need to set appropriate learning objectives.
In the case of business continuity training, learning objectives are set based on what you want your employees to do if a disruption were to occur. Because training encompasses all levels of your organization, learning objectives will vary based on different audiences. In general, however, good learning objectives have these two characteristics:
- They focus on specific performance skills employees should have in order to carry out business recovery plans.
  - They may include as much detail as is necessary to do the task as required. (For instance, “Call the Incident Commander at 123-456-7890” or “Log in to each critical system and validate ability to perform key tasks.”)
  - They should not include words like “know” or “understand,” because these words don’t define a specific action.
- They are written in a clear, non-ambiguous way, so they can be easily tested and assessed.
For an incident management team training class, for example, attendees may be required to learn how to do the following:
- Discuss the basic concepts of incident management and its application at your organization.
- Explain his or her team role, responsibility, and associated action steps.
- Identify the steps to notify and escalate the occurrence of an incident to designated personnel using the Emergency Notification System.
- Travel to the appropriate Incident Command Center and/or use the conference bridge line.
- Complete the required Incident Action Forms for his or her area of responsibility.
Train general employees yearly, focusing on basic directives, such as who to call in case of a disaster, contact information for the parties in charge, and how to evacuate the building. Senior executives usually play a more critical role in recovery, requiring them to learn crisis management skills. Their training should be more frequent and in-depth to ensure that they can meet expectations in a time of need.
I always recommend in-person training over methods like emailing material to a group, for example. Live training is more impactful, as long as you don’t waste people’s time. Training sessions should be focused and to the point, covering only those things people need to do and remember. And find someone capable of delivering the material in a way that catches the audience’s attention—otherwise, you’ll lose people quickly.
Business Continuity Testing
Start testing shortly after training. If the test aligns with your learning objectives, you’ll know definitively if your employees can execute recovery plans—or if you need to provide further training. Again, keep in mind that testing is an opportunity for your employees to practice what they are learning.
Two types of testing should be used in succession:
- Desktop testing, where employees talk through what their actions would be in various disruptive scenarios. It’s a good way to test people in a less stressful environment, where mistakes don’t cost money or time.
- Live testing, where employees demonstrate their learning by physically carrying out the necessary recovery actions, like going to an alternate site, sending out the required messages, performing tasks using workarounds, etc. The difference between talking about something vs. doing it is like night and day, so while a desktop test might go well, it’s not a true indication of how employees will actually perform. For that, you need a live test.
Some organizations add to (or, in some cases, replace) the tests above with knowledge testing—multiple choice tests on paper. As someone who maneuvered through one too many grade school tests using the sheer power of memorization, I can tell you that memorization doesn’t have anything to do with real learning. (Plus, giving written tests isn’t likely to boost your popularity among coworkers.) Desktop testing followed by live testing delivers the best results.
Implement Business Continuity Testing & Training At Your Organization
Effective training and rigorous testing are critical components of all business continuity programs. For more information and resources that can help support your BC program—including tools for measuring compliance and residual risk, as well as conducting a Business Impact Analysis—visit BCMMetrics.