Author: Dennis Flynn
ISBN No: 978 0 580 4258
Review date: 15/12/2025
No of pages: 100
Publisher: Published by British Standards Institution, London W4 4AL
Year of publication: 11/09/2012
Brief:
Actually doing a crisis simulation to test your business continuity is only half the work, judging by a new book.
How well can your organisation manage an incident? Would top execs rather find out during an exercise, or when there is a major incident? So asks Dennis Flynn, the consultant who has written a guide to business continuity exercises, along the lines of the British Standard on the subject, BS 25999-1: 2006. It’s striking that hardly half the book is devoted to the actual delivery of an exercise. The sandwich to that meat, if you like, is the planning before, and reporting after, or as Flynn puts it, the principles are ‘a strong planning process, meticulous attention to detail and actionable reporting’. Why bother? Flynn answers: “In our increasingly uncertain times your organisation needs to be ready to respond to disruptive challenges and demonstrate prepardeness to employees, clients, customers, regulators and shareholders.” A couple of recent articles in Professional Security come to mind – the Association of University Chief Security Officers’ (www.aucso.org.uk) guide to emergency management; and dealing with the media (Call off the dogs, August issue cover story). The book does stress handling the media – one scenario in the book being an animal freedom movement ordering a bank to break with an animal testing company. How to deal with a white powder package, staff rumours, journalists not taking ‘no comment’ for an answer? An exercise is not the same as training, Flynn says; and you need management to endorse the exercise (and free time in their diaries). Rather than try to offer any more digest of the book, to give some examples of attention to detail. What do you want to achieve. If you set aside three hours, and most of the time you are stuck in traffic going to your disaster recovery site, what is the point?! And something as simple as the time of day. If you start the exercise at 9am, you don’t have to pretend it’s morning in the virtual world of the exercise. But have all those taking part been briefed the same? Might an observer of a (maybe high-pressure) exercise be a distraction? “Players and executives should be made aware of who is visiting and why.” To sum up, the content of an exercise – a product contamination scare, a fire – may not be strictly speaking a security manager’s affair, but security can (and should) expect to be around the table. And a word of praise too about how well the book is laid out, step by step, easy on the eye.
