Exercises are where BCM intent becomes BCM capability. A documented BCP is a hypothesis; an exercise is where the hypothesis is tested against reality. An untested BCP is a liability, not an asset, because it represents a capability that the organisation has not verified actually works. ISO 22301 Clause 8.5 requires organisations to conduct exercises and tests of the BCMS; the requirement is not optional, and it is not satisfied by training or documentation alone.
The exercise programme is the quality assurance mechanism for the entire BCMS. Exercises discover gaps: inaccurate contact lists, procedures written for staff who have left, alternate sites that are unavailable when called upon, resource assumptions that prove unrealistic under exercise conditions. These gaps, once discovered in an exercise, can be corrected before they are encountered in an actual disruption. Finding a gap during an exercise costs nothing; finding it during an actual disruption costs everything.
This article describes the exercise types that ISO 22301 recognises, the methodology for designing exercises that find real gaps, the roles of the exercise controller and observers, the debrief process, and the mechanisms for converting exercise findings into BCMS improvements.
Why Exercises Are Non-Negotiable in ISO 22301
ISO 22301 Clause 8.5 requires the organisation to conduct exercises and tests of its BCMS to assess the effectiveness and capability of the system. The requirement is unambiguous: exercises must be performed, results must be documented, and findings must be acted upon. An organisation without an exercise programme is not compliant with ISO 22301. More importantly, an organisation without an exercise programme does not have a BCMS that actually works; it has documentation that describes a capability that has never been tested.
Exercises test things that documentation cannot test: whether staff actually know their roles and can execute them under stress, whether contact lists are current and people actually answer when called, whether resource assumptions (""we will have 5 people in the command centre"") are realistic when staff cannot get to the office, whether communication procedures actually reach all required stakeholders within the required time, whether alternate procedures can actually be executed without system support, and whether the organisation can recover within its stated RTO.
Auditors during the Stage 2 certification audit will review exercise records, interview staff about exercises they have participated in, and assess whether the exercise programme is rigorous enough to have found gaps and ensured they are corrected. An organisation with three years of tabletop exercises with no findings and no follow-up actions will be viewed with suspicion; either the exercises are too easy or the organisation is not looking hard enough. An organisation with exercises that regularly find gaps and that tracks those gaps to resolution demonstrates a serious BCMS.
Exercise Types and Their Purpose
Different exercise types serve different purposes, and an effective exercise programme uses a mix of exercise types. Orientation and awareness sessions reach the widest audience and ensure that all in-scope staff understand the BCMS and their personal roles. Tabletop exercises are the most efficient way to test plan logic and decision-making. Walk-throughs ensure that procedures are actually known and followed. Functional exercises test specific capabilities (e.g., can we actually activate the alternate site?). Full simulations are the most rigorous test of end-to-end capability. Technical recovery tests verify that IT systems can actually be recovered to specification.
The choice of exercise type depends on what the organisation is trying to test and what resources are available. A first exercise programme might include an annual tabletop for each BCP, supplemented with walk-throughs for high-risk areas and occasional functional exercises. A mature exercise programme might include tabletop exercises covering all BCPs, two or three functional exercises per year for critical activities, annual technical recovery tests for critical systems, and a full simulation every two years.
| Exercise Type | Format | What It Tests | Participants | Frequency |
|---|---|---|---|---|
| Orientation / awareness | Briefing and Q&A session | Awareness of BCP existence and personal roles | All in-scope staff | Annual; whenever new BCP published |
| Tabletop exercise | Discussion around a scenario — no physical deployment | Plan logic; decision-making; communication flows; role clarity | BCM team; department heads; crisis management team | Minimum annually per BCP |
| Walk-through | Step-by-step review of BCP with responsible team | Procedure accuracy; contact list currency; resource availability assumptions | BCP owners; operational teams | Annually or after significant BCP change |
| Functional exercise | Partial deployment — staff relocated or systems switched | Operational procedures; resource availability; team coordination; activation timing | Operational teams; IT; facilities | Annually for high-criticality activities |
| Full simulation | Full BCP activation against a declared fictional event | End-to-end capability; RTO achievement; communication under pressure; decision-making authority | All BCP-activated teams | Every 2–3 years |
| Technical recovery test | IT system restore from backup | RPO/RTO for technology systems; backup integrity; recovery procedure accuracy | IT and ICT continuity teams | Annually per critical system; after infrastructure change |
Exercise Design: Building Scenarios That Find Real Gaps
Exercise design determines exercise value. A scenario where everything goes right, all systems recover on schedule, all staff are available, and all suppliers respond confirms the plan works under ideal conditions — which are never the conditions of an actual disruption. Effective exercise design includes specific “injects” that stress the plan: a key person is unavailable, the primary alternate site is also affected, the backup server fails to restore, the regulatory notification deadline is approaching. Finding these failures in an exercise costs nothing. Finding them during an actual disruption costs everything.
Exercise scenarios should be derived from the risk assessment. If flooding is a high-likelihood, high-impact threat to the Jakarta headquarters, an exercise scenario should test the flooding response: premises are inaccessible, staff must work from home or alternate site, documents are at risk, and clients are impacted. If ransomware is a top-3 threat, an exercise scenario should test ransomware response: systems are encrypted, offline backups are used for recovery, manual procedures are activated, regulators are notified.
Injects are the events that happen during the exercise that force participants to respond. A tabletop exercise might start with the baseline scenario (""the Jakarta office is flooded"") and then include injects: (Inject 1, T+10 min) ""the alternate site is reporting that their power is also affected and they cannot receive staff""; (Inject 2, T+20 min) ""OJK is calling asking about the incident status""; (Inject 3, T+30 min) ""the IT backup recovery is taking longer than expected and will not be complete until 12 hours instead of 4"". Injects force participants to adapt their response and make decisions under uncertainty, which is realistic.
| KEY IDEA | Exercise design determines exercise value. A scenario where everything goes right, all systems recover on schedule, all staff are available, and all suppliers respond confirms the plan works under ideal conditions — which are never the conditions of an actual disruption. Effective exercise design includes specific ”injects” that stress the plan: a key person is unavailable; the primary alternate site is also affected; the backup server fails to restore; the regulatory notification deadline is approaching. Finding these failures in an exercise costs nothing. Finding them during an actual disruption costs everything. |
Running the Exercise: Observer Roles and Facilitation
An effective exercise requires three distinct roles: the exercise controller (who injects events and controls the pace of the exercise), the facilitator (who asks questions to surface reasoning and understand how participants are thinking), and observers (who document what happens and what gaps are identified). These roles should not be combined; the exercise controller cannot also be the facilitator, because controlling the scenario pace requires stepping outside the conversation to inject events and track timing.
The exercise controller manages the timeline and injects. At predetermined times, the controller introduces injects: ""It is now 09:30. You have activated the alternate site. The IT team is reporting that the system restore is taking longer than expected. What do you do?"" The controller also tracks how long it takes for participants to execute key steps (how long from incident notification to first client contact, how long from activation to staff reporting to alternate site) and documents these timings for later analysis.
The facilitator asks questions that surface how the team is thinking. When a participant says ""we will notify all clients"", the facilitator asks: ""How will you reach them? Are you assuming email? Will that be available in the scenario we described? How long will it take?"" The facilitator’s role is to push the team to think deeply about how they will actually execute the plan, not to accept vague statements.
Post-Exercise Debrief and Improvement
Post-exercise debrief is where most exercise programmes fail. A hot debrief (immediately after the exercise, while events are fresh) takes 30–45 minutes and covers: what went well, what was surprising, what was difficult, and what needs to be fixed. The hot debrief is not formal; it is a quick conversation to get initial feedback. A formal after-action review (within two weeks) is more structured: it systematically reviews each section of the BCP against exercise performance, identifies gaps and inaccuracies, and assigns improvement actions.
Exercise findings must be logged in an improvement action register. Each finding is logged with: a description of the gap or inaccuracy, the severity (critical: the gap prevents plan execution; major: the gap significantly degrades capability; minor: the gap has limited impact), the root cause, the corrective action required, the owner of the action, the due date, and the closure evidence. The improvement action register is tracked in the management review; items should not remain open for more than 60–90 days (unless there is a documented justification for extended timelines).
| Exercise Finding Type | Example | Improvement Action |
|---|---|---|
| BCP procedure inaccuracy | Step 4 refers to a system that was replaced 8 months ago | Update BCP to reflect current systems; add system change as BCP review trigger |
| Contact list inaccuracy | Three key contacts had changed mobile numbers; calls went unanswered | Update contact directory; add contact verification to quarterly review process |
| RTO not achieved | Critical activity recovery took 6 hours against 4-hour RTO | Review resource shortfall; increase pre-positioned resources at alternate site; revise RTO upward if 4 hours is unachievable |
| Role confusion | Two people thought they had authority to declare the event closed | Clarify stand-down authority in BCP; add to next exercise scenario |
| Communication gap | Clients were not notified for 5 hours; no client communication template was in the BCP | Add client notification procedure and template to BCP; add to exercise scenario for next cycle |
| Resource unavailability | Alternate site had insufficient laptop inventory for required staff | Pre-position additional equipment; review BCP resource requirements against actual inventory |
| Manual procedure failure | Staff could not process transactions manually; no one knew the procedure | Conduct manual processing training; add to annual exercise programme |
| IMPORTANT | Exercise findings must be tracked to closure. An improvement action log that grows with every exercise cycle and never shows items as closed is evidence of an exercise programme that generates findings without improving the BCMS. ISO 22301 Clause 10 requires corrective action for nonconformities — and exercise findings that identify BCMS deficiencies are nonconformities. The BCM programme manager is responsible for tracking every improvement action to verified closure before the next exercise of the same BCP. |
| BITLION INSIGHT | The most consistent pattern in Indonesian BCMS exercises is underestimation of communication time. In scenario after scenario, the time taken to notify all required stakeholders — internal leadership, operational teams, clients, regulators — significantly exceeds the plan assumptions. A cascade that looks like 30 minutes on paper takes 90 minutes under exercise conditions because contacts are unavailable, calls go to voicemail, and notification hierarchy is unclear. Building communication drills into every exercise, measuring actual notification time against plan assumptions, and treating communication timeline failures as serious findings is the most reliable way to improve BCMS communication capability. |