William Comtois is managing director of Varicom Inc., and a regular contributor to SecurityInfoWatch.com.
With disaster exercises quickly becoming a common tool in managing the risks and uncertainty of today's environment, your organization may be looking at its first exercises or perhaps increasing the frequency and commitment of resources to an existing exercise program. In either case, maintaining a disciplined approach that follows sound practices is a must. This article lays out the essential steps and considerations that anyone planning and running a disaster exercise should strive to get right.
Clearly Define and Communicate the Purpose and Objectives
When asking ourselves "Why run a disaster exercise?", the two words most likely to come up are "training" and "testing". It stands to reason that by working through a simulation of a real disaster we can test ourselves and learn from our mistakes. On the other hand, if we think we are already prepared to the fullest extent possible, then an exercise can serve as a forum for proving it to others. And if it turns out that we're not fully prepared, we can obtain "on the job" training by being confronted, sometimes harshly, with our inadequacies.
Whether we're out to train and test, or deliver a "show and tell" of sorts, the purpose and objectives of the exercise should be clearly set forth from the outset. Is the purpose to see how well our security force will respond to the discharge of a dirty bomb three blocks from our high-rise building housing senior executives and one of three data centers? Or, are we out to test the real-time decision making and collaboration among our executive team when they are away from the offices – some on business travel and others on vacation? Perhaps the purpose may be far broader, such as to verify that the company's business continuity plan can and will be executed properly and in a timely manner for a wide range of possible disasters. The exercise might then be one element of a comprehensive risk management program that the company has in play.
Communicating the purpose of the exercise should not be overlooked. Like any activity that takes people away from their other duties, a key step in gaining their enthusiasm and full commitment is letting them know how the task serves the greater good. Of course, there is one exception to this rule: if by design, the exercise seeks to test participants without any prior notice, i.e., a surprise kick off.
Choose the Right Type of Exercise
Disaster exercises are classified by several variables. The exercise can be discussion-based and/or operations-based.
Discussion-based: Common exercise types of the discussion-based variety are table-top exercises (TTX), workshops and seminars, including webinars. Discussion-based exercises are typically "kicked off" via the reading or recital of a narrative defining the initial state of the disaster and ground rules for the exercise. Table-top exercises are visually aided with a scale model of the disaster scene on a table or other board-like surface that the exercise participants gather around. The scale models may include buildings, vehicles, victims and other elements that may or may not be moved or altered as the exercise plays out. Discussion-based exercises are commonly used when decision making, analysis, communication and collaboration are of primary interest. As such, discussion-based exercises are generally not used to test the physical deployment of resources or tactical skills such as operation of fire-fighting equipment, logistics or other action-oriented steps.
Operations-based: Operations-based exercises are generally centered around specific functions that may be performed in isolation (e.g., sealing off an HVAC system to outdoor contaminants) or as a collection of inter-dependent functions. An example of the latter is a full-scale exercise which engages multiple resources and operating units that, to varying degrees, interact with one another. Especially in the case of a full-scale exercise, there is likely to be a discussion-based aspect such as the joint decision making that would be performed by the incident command team. Since operations-based exercises tend to mobilize more resources (equipment, supplies and people) they tend to be more costly and time consuming than discussion-based exercises.
Bigger Isn't Always Better
Another variable to consider when choosing the exercise is the number of participants. This number can range from one to many. The one-person exercise may be an effective way of testing an executive's decision making skills for specific disaster scenarios presented through a computer-based disaster simulation tool. In this case, the entire simulation could be conducted through the executive's computer, including recording and evaluation of his or her decisions and proposed actions.
Exercises comprising more than one participant are appropriate when the exercise's objectives call for joint decision making, activities that naturally involve groups of people (e.g., fire brigade), or the collaboration of otherwise independent groups (e.g., plant engineering and security). One important consideration for multi-participant exercises is location. Specifically, where will the participants be located during the exercise? If the exercise includes the company's executive team, one must determine if it will be practical (and realistic) to have them all in a single conference room or scattered across the company's offices, on vacation, at trade shows, in airports, and so on. In the non-colocated case, technology may be the key to success; for instance, presenting the disaster scenario through mobile devices such as personal digital assistants and pagers may be the only practical way of engaging the busy executives.
One final consideration in deciding on the type of exercise is the desired level of realism. If achieving the highest level of realism is your top priority then it is unlikely that a discussion-based exercise will suffice. Operations-based exercises, however, do not necessarily provide realistic disasters; careful attention will surely be needed to create the "atmosphere" of a live disaster. As with many interactive experiences, the cost of achieving such realism may quickly become prohibitive. The cost-benefit should be weighed carefully.
The Scenario Makes a Difference
The disaster scenario defines the nature of the disaster, key events that occur during the disaster, the location or locations, and the time frame over which the disaster takes place. In effect, the scenario is the centerpiece of the exercise. And because of this, choosing the right scenario can make an otherwise mediocre exercise a memorable and valuable experience for its participants.
Some rudimentary criteria to consider when defining the scenario are:
(1) Should the scenario represent a disaster that is most likely to occur (in relation to other possible disasters) or should it focus on less likely disasters?
(2) What level of impact, or devastation, should the chosen disaster present (e.g., a 2-hour power outage versus a tsunami hitting a coastal data center)?
(3) What time period should the disaster span (longer durations tend to be more taxing on participants)?
Collectively, these and other scenario design criteria can determine how relevant the exercise will be to day-to-day activities and how difficult the exercise will be for the participants.
Scheduling – "Let there be no surprises, maybe!"
A well-orchestrated exercise would arguably have all people, facilities and activities lined up and communicated in advance so that when the exercise starts, everything goes exactly as planned. While such perfection may be elusive, the importance of scheduling and properly communicating to all involved can't be emphasized enough. At the backbone of an exercise schedule will be a detailed timeline of events, resources involved (people, equipment, facilities, supplies, and information), roles and interdependencies between individuals and/or groups. Key roles would include participants and perhaps others such as an exercise director or coordinator, facilitator (if discussion-based), role-playing victims, observers and various other support personnel, depending on the size and type of the exercise. Analytical tools and visual aids (e.g., work breakdown structures, Gantt charts, task-on-arrow charts, resource loadings, etc.) can also assist in the scheduling process.
It is important to note that scheduling is not merely telling people where they need to be or what they need to do, and when. A variety of other "scheduling" tasks will likely be needed. For instance, in the case of operations-based exercises involving multiple organizations and vendors, participation agreements may be an essential document that not only addresses important legal aspects but also defines roles, scope of responsibilities, rights to access premises and so on.
A key exercise design decision that may surface during the scheduling is whether or not to notify the participants precisely when the exercise will take place. If the exercise calls for its participants to travel to a special location from which the exercise will be run, then advance notice with detailed logistical information will most likely be a hard requirement. However, starting the exercise by surprise may in some cases not only be feasible (e.g., sending a short text message to the participants' cell phones, PDAs, or pagers to kick off the exercise) but also offer an extra degree of realism.
Last but not least, notifications to the public, media and government officials should be given careful consideration. An exercise conducted by a single private-sector company on its own premises and indoors may not warrant notification outside of the company. On the other hand, if the exercise involves activities that are visible to the public, pose some form of inconvenience (e.g., traffic congestion at the plant's main entrance), or require use of or access to public property or infrastructure then advance notice outside of the circle of people involved in the exercise may be a crucial step.
In the second part of this 101 course on conducting an emergency exercise, we'll address the actual "running" of the exercise as well as the actions you'll need to take upon completion of the exercise.
About the author: William Comtois is managing director of Varicom, Inc., a consultancy and software company specializing in homeland defense and service logistics. He has over 20 years of experience in applying leading technologies and innovative process management practices to business and defense solutions. Over the past fourteen years, his work has focused on large service companies where he has led numerous performance improvement, training and process management initiatives that have resulted in major breakthroughs in financial performance, service levels and disaster preparedness. He can be reached by phone at (212) 561-5782 or email at email@example.com.
(c) Varicom, Inc.