What did we learn from our scenario testing?

If you want to test whether your organisation is prepared for a crisis, just ask “What did we learn from scenario testing our crisis response plans?” If you can’t answer, you are not prepared.

This post was sparked by two recent conversations. One was a request for a business continuity planning template that would satisfy the client’s auditor. The other was an IT auditor saying how most firms fail their IT audits as they have not tested or practiced their business continuity plans. Both these conversations – which were unrelated – highlighted that many businesses view crisis preparedness as a one-off exercise: get a template, fill it out, tick the box, done. Unfortunately, crisis response doesn’t work like that, no matter how good the template.

A risk register or the existence of a plan is not enough. Being prepared requires response capability across the organisation and the ability to adapt, whatever the crisis. It is the ongoing process of planning, practicing, and updating your crisis plans that achieves this.  Practice is critical for everyone involved in the response, including senior leaders and the back-up staff for when key people are unavailable. It helps everyone learn the plan, grows adaptive capability, and will identify unseen weaknesses, giving you the opportunity to address them before a crisis.

Being ready to respond to a crisis need not be hard, but it does require some thought and a commitment to ongoing practice and learning before an event. If you are unsure where to start, want fresh perspectives to make existing plans even better, or want someone to script and run scenario practices to test your plans, then by all means ask for help. But until you can say what you have learned from practicing your plan, no auditor, board, or shareholder should be assured that you have prepared for a crisis, regardless of how good the plan looks.