Watch the Agility team in action as we stress-test our own cyber response plan. Cyber threats don’t wait for the perfect moment—and neither should your preparation. In this behind-the-scenes video, go inside a real cybersecurity tabletop exercise conducted by the Agility Recovery team. You’ll see how Agility leaders, IT experts, and operations professionals came together to respond to a simulated cyberattack—testing communication protocols, identifying decision points, and validating our recovery playbooks.
From natural disasters to cyber threats, disruptions can strike any business at any time. In this on-demand video, see how organizations can prepare, test, and recover with confidence using Agility’s purpose-built solutions. Learn how a proactive approach to business continuity planning, including real-world recovery testing and expert support, can help safeguard operations and reduce downtime.
Testing your business continuity and disaster recovery plans is essential to staying prepared. In this on-demand video, explore how tabletop exercises simulate real-world incidents so your team can respond with clarity and confidence.
Watch our VP of Operations, Emily Gaul, as she explains why organizations across all industries need tabletop exercises to identify gaps in existing plans before real disasters strike. Learn which business interruptions to prepare for, who should participate in your exercise, how often businesses should engage in tabletop exercises, and how to structure these critical exercises for maximum effectiveness. Discover how proper documentation during your session creates actionable insights that strengthen your organization’s resilience against unexpected disruptions.
Tornado season in the U.S. typically runs from March through June, but destructive twisters can strike at any time of year — and they often arrive with little warning. For businesses, a single tornado can disrupt operations, damage critical infrastructure, and result in thousands (if not millions) of dollars in losses. Without a proactive plan, recovery becomes a race against time.
The Cost of Tornadoes to Businesses
Tornadoes are among the most violent and unpredictable weather events. In 2023 alone, the U.S. experienced over 1,150 confirmed tornadoes. According to the National Oceanic and Atmospheric Administration (NOAA):
- The average commercial tornado claim is $45,000–$100,000, depending on the industry and size of the business.
- Tornado-related damage in the U.S. caused over $1.6 billion in insured losses in 2022.
- Business downtime can range from days to weeks, with small and medium-sized businesses being the most vulnerable to permanent closure after a major disaster.
If you operate in Tornado Alley — or even on the fringe of high-risk zones — preparing ahead of time is essential.
5 Ways Businesses Should Prepare for Tornado Season
1. Assess Facility Vulnerability
Start with a walkthrough of your physical locations. Identify areas where your facility is most at risk — such as large glass windows, roof structures, or equipment stored outdoors. Consider retrofitting or reinforcing key areas, especially in tornado-prone zones.
2. Update Your Business Continuity Plan (BCP)
Your BCP should include specific steps for tornado response:
- Shelter-in-place protocols
- Emergency communication plans
- Remote work contingencies
- Vendor and supplier backups
Ensure all team members know their roles during a severe weather emergency.
3. Back Up Critical Systems
Tornadoes often result in power outages and damage to on-site IT infrastructure. Secure off-site or cloud-based data backup to preserve records, customer information, and operational systems. Agility Recovery offers secure data backup and recovery services to make sure you can bounce back quickly even if your servers go offline.
4. Establish Emergency Power Solutions
Power loss is a common side effect of tornadoes, and restoring power to your facility can take days. With Agility’s backup power solutions, including generator delivery and fuel replenishment, you can avoid costly downtime.
5. Conduct Tornado Tabletop Exercises
Running a tabletop test with your team helps you simulate a real-world tornado event — uncovering gaps in your plan before a storm ever hits. It also ensures that your leadership team, IT staff, and facility managers know how to act quickly and cohesively under pressure.
The Cost of Downtime
Unplanned downtime from tornado damage can devastate a business. According to FEMA and the U.S. Chamber of Commerce:
- 25% of businesses never reopen after a major disaster
- The average cost of IT downtime is approximately $5,600 per minute for mid-size businesses
- Even short-term closures can result in lost customer trust, missed SLAs, and long-term revenue impacts
How Agility Recovery Helps
Agility Recovery offers turnkey business continuity solutions that reduce your vulnerability to tornado-related disruptions. Our services include:
- Backup Power & Fuel Delivery – Keep critical systems running during outages
- Mobile Office & Workspace Recovery – Set up temporary operations fast if your facility is damaged
- Data Backup & IT Recovery – Minimize data loss and restore business systems quickly
- Satellite Connectivity – Maintain communication even if local infrastructure goes down
- Business Continuity Testing & Tabletop Exercises – Prepare your team with expert-led training
Next Steps for Tornado Season Readiness
- Schedule a Business Continuity Assessment with Agility to evaluate your tornado readiness.
- Run a Tabletop Exercise focused on a severe weather event.
- Ensure You Have a Generator Solution in place for emergency power.
- Review Your Data Backup Protocols with Agility’s cyber resilience experts.
Be Ready Before the Sirens Sound
You can’t prevent a tornado — but you can prevent it from shutting down your business. With the right plan, partners, and technology in place, you can weather the storm and keep your organization running.
When deciding between hosting tabletop exercises internally or using a professional facilitator, businesses need to consider factors like expertise, cost, realism, and the learning outcomes they hope to achieve.
Here are the primary pros and cons of each approach:
Internally Facilitated Tabletop Exercises
Pros
1. Cost Savings
Conducting exercises internally is often less expensive, as it eliminates facilitator fees and associated costs.
2. Customization and Familiarity with the Business
Internal teams understand their company's specific risks, culture, and business processes, allowing them to tailor scenarios closely to the organization’s unique needs.
3. Comfort
Employees may feel more comfortable discussing vulnerabilities and risks when managed by colleagues, fostering more candid conversations.
4. Scheduling Flexibility
Internally facilitated exercises can be scheduled with greater flexibility, allowing the organization to fit sessions around busy periods or hold additional sessions as needed.
Cons
1. Limited Expertise
Internal facilitators may lack experience or specialized knowledge in crisis management and emergency response, leading to less effective scenario design and facilitation.
2. Potential Biases
Internal facilitators might unintentionally bring biases or overlook critical weaknesses, as they are accustomed to existing processes and may miss areas needing improvement.
3. Resource Demands
Conducting and preparing for an exercise requires significant time and effort from internal staff, potentially diverting focus from other priorities.
4. Reduced Realism and Pressure
Internal exercises may lack the high-stakes feel of a professionally led exercise, potentially leading to a less rigorous or engaging experience.
Professionally Facilitated Tabletop Exercises
Pros
1. Access to Expertise and Best Practices
Professional facilitators bring specialized knowledge in business continuity, risk management, and crisis response, often gained through extensive industry experience.
2. Objectivity
External facilitators provide an unbiased view of the business and can objectively assess vulnerabilities, often identifying issues internal teams might overlook.
3. Enhanced Realism and Scenario Complexity
Professionals can create complex, realistic scenarios that incorporate industry-specific threats and emerging risks, resulting in a more impactful learning experience.
4. Structured and High-Impact Debriefs
Professionals are skilled in leading debriefs, helping participants extract meaningful insights and ensuring actionable takeaways are identified and documented.
Cons
1. Higher Cost
Professional facilitation can be costly, particularly for smaller businesses with limited budgets, as it may involve consulting fees and travel expenses.
2. Less Familiarity with the Business
External facilitators may lack specific knowledge of the company’s internal processes, culture, or industry, which can make scenario customization more challenging.
3. Potential for Reduced Comfort Among Participants
Employees may be less comfortable speaking about weaknesses in front of an outsider, potentially impacting the depth of discussion and analysis.
4. Scheduling Constraints
Professional facilitators are often booked far in advance, making scheduling the exercise more difficult and reducing flexibility around company needs.
Key Considerations
When choosing between internal or professional facilitation, consider the following:
- Risk Complexity: Highly regulated industries or businesses with complex risk environments may benefit more from a professional facilitator.
- Budget: Internal exercises may be more feasible for businesses with tighter budgets, though investing in a professional facilitator could pay off in terms of risk mitigation and preparedness.
- Experience Level: Companies with little experience in crisis planning often find that an initial professional facilitation is invaluable for gaining knowledge that can guide future internal exercises.
- Objective Needs: When the goal is a highly realistic, pressure-tested environment, professional facilitators often create scenarios that push teams more rigorously.
Businesses can also consider a hybrid approach, in which they host some exercises internally and invest in professional facilitation periodically, especially for more complex scenarios.
Businesses face myriad threats, from a rodent infestation to a planned renovation. A developed business continuity plan provides your organization with the tools to predict, prevent, and respond to risk efficiently. The strategy ensures that the organization and its clients will remain operational with minimal to no downtime or threat to operations. However, drafting a plan is half the battle. What’s most important is ensuring your business continuity strategy is sound, useful, and practical. This is where testing your plan comes into play. Testing business continuity allows you and your workforce to exercise how to approach an emergency and find gaps in the plan to address where it needs improvement.
Types of Business Continuity Tests
Plan Review
A plan review is much like an audit of the BCP. The BCP team and the C-level management or department heads get together to review the plan and decide if any components are missing or need revision. This type of test is beneficial for training new members of the BCP team or in regular onboarding. Among other aspects reviewed during a meeting are contact information, the validity of recovery contracts, and coverage of applicable business continuity and disaster recovery scenarios. A plan review may also include training new managers on plan details so they can pass that knowledge down to their teams.
Tabletop Test
This is a more involved way of reviewing and testing a BCP. During a tabletop test, employees take part in a scenario-based, role-playing exercise. Everyone involved practices their roles and responsibilities during an emergency, such as an earthquake, hurricane, or active shooter.
Walk-Through/Simulation Test
A BCP simulation test is a more hands-on type of tabletop exercise. While a tabletop test, as the name suggests, typically consists of discussing plan details around a table, a simulation test combines real recovery actions. These can include data loss and restoring backups, live testing of redundant systems, network outage, physical recovery, emergency notification, and other relevant processes. In addition to critical personnel, all employees would be involved in this BCP event testing process.
Frequency of Business Continuity Plan Testing
The frequency of testing your BCP depends on your company. We recommend evaluating each of your emergency preparedness plans (EPPs), such as business continuity, disaster recovery, incident response, and other plans, over the course of a year. Testing would typically include an annual tabletop exercise or a walk-through test of all individual EPPs, including testing various scenarios for threats that are a high risk to your organization. Make sure to continually test the scenarios that are of higher priority to your organization. Many factors can help you determine how often your organization needs to test its EPPs:
- Employee count changes
- Changes in clients/vendors or their contact information
- Department changes
- Employee job function updates
- Structural changes to the building
The size, location, and how often your company goes through changes are typically the most significant factors in determining how often you should test your BCP. Enterprise companies and companies that experience regular turnover should update and test their BCPs twice a year. For small to mid-sized organizations, it is recommended to do a run-through test once a year to make sure that the plan is still effective and all staff are refreshed on what to do in the event of an emergency.
Involving Vendors in Your BC Testing
In the course of your testing process, whether you’re doing a plan review, tabletop test, or simulation test, you need to make sure your critical vendor partners are included in your testing. Verifying that your vendors are prepared for the unexpected and have a contingency plan is essential, as it allows for greater accuracy and usability of your strategy. It also allows your vendors to provide feedback that may be valuable to your plans or testing process.
Document the Testing Process
Finally, it’s necessary to document the results of any testing conducted, along with any actionable findings from those tests. Doing so will help your workforce learn what can and should be improved and visualize progress that’s been made. Following up on these items and consolidating recommendations from tests is the most crucial process in the BCP testing lifecycle. Testing, registering your testing results, and executing methods to improve your BCP is the most reliable way to strengthen your organization’s response processes.
2024 has seen a significant uptick in ransomware attacks, affecting organizations across various industries. These cyber incidents have caused substantial financial losses, operational disruptions, and reputational damage.
Here’s a look at some of the major ransomware attacks this year and how cyber resilience solutions can help businesses both mitigate these risks and recover swiftly.
Notable Ransomware Attacks in 2024
1. Ascension Health System
In May 2024, Ascension, a major health system, experienced a ransomware attack that disrupted clinical operations across 140 hospitals. The attack resulted in compromised patient data and significant operational downtime.
2. Change Healthcare
A February attack on Change Healthcare, a leading healthcare platform, exposed sensitive patient data. This breach highlighted vulnerabilities in healthcare IT systems and the critical need for multi-factor authentication (MFA).
3. UnitedHealth Group
In early 2024, UnitedHealth Group faced a ransomware attack that disrupted its pharmacy services. The attack, attributed to the BlackCat ransomware group, caused widespread service interruptions and exposed critical data.
4. Schneider Electric
Schneider Electric, a global leader in energy management, was targeted by the Cactus ransomware group. The attack disrupted operations and exposed sensitive corporate information.
Solutions to Boost Your Resilience Against Ransomware Attacks
Agility Recovery offers comprehensive cyber solutions designed to enhance your business's resilience against ransomware attacks. Here’s how our solutions can help mitigate risk and ensure quick recovery:
1. Penetration Testing (PEN Testing)
Regular penetration testing is essential to identify and address vulnerabilities in your systems before cybercriminals can exploit them. By simulating real-world cyberattacks, our PEN testing services help you stay ahead of evolving threats and strengthen your defenses.
2. Ransomware Impact Analysis (RIA)
A ransomware impact analysis evaluates your business’s susceptibility to ransomware attacks and helps you develop effective mitigation strategies. This proactive approach ensures that you can identify weaknesses, prepare response plans, and minimize the impact of potential attacks.
3. Data Backup and Recovery
Ensuring your data is regularly backed up and easily recoverable is vital for business continuity. Our data backup and recovery solutions enable you to restore critical information quickly, minimizing downtime and financial losses in the event of an attack.
4. Cybersecurity Tabletop Exercises
Conducting tabletop exercises allows your team to practice responding to simulated cyber incidents in a risk-free environment. These exercises improve coordination, communication, and preparedness, ensuring your team can respond effectively to real-world threats.
5. Multi-Factor Authentication (MFA) Implementation
Implementing MFA adds an extra layer of security by requiring multiple forms of verification before granting access to sensitive information. This significantly reduces the risk of unauthorized access and enhances your overall cybersecurity posture.
Take Action
The major ransomware attacks of 2024 underscore the urgent need for robust cybersecurity measures. Agility Recovery’s comprehensive cyber solutions can help you mitigate the risk of ransomware attacks and ensure your business can recover quickly. Don’t wait for an attack to take action – talk to an Agility cyber resilience expert about how to proactively protect your business today.
When it comes to business continuity and disaster recovery planning, resilience professionals know that no plan is ready for the real world before it is tested.
There are different test types to choose from, including:
- Tabletop tests: Employees participate in a scenario-based, role-playing exercise. Everyone involved practices their roles and responsibilities during an emergency, such as an earthquake, hurricane, or active shooter.
- Plan reviews: Similar to a business continuity plan audit. The BCP team and the C-level management or department heads get together to review the plan and decide if any components are missing or need revision.
- Walk-through/simulation tests: A simulation test combines real recovery actions, like data loss, restoring backups, live testing of redundant systems, network outage, physical recovery, emergency notification, and other relevant processes.
In this blog, we'll focus on tabletop testing. With guidance from Agility recovery manager Alysha Hester, we will explore what a tabletop test is, what scenarios it's best suited to address, and how you can use tabletop testing to enhance your organization's resilience.
What Is a Tabletop Test?
A tabletop test is a walkthrough of an actual disaster scenario – like a hurricane, active shooter, or power outage – in real time. This walkthrough allows businesses to talk through reactions and strategies to ensure that department strategies are aligned with all areas of the organization. The walkthrough also allows organizations to gauge individual teams’ readiness levels if a disaster were to occur at that moment.
Think of this as a business continuity plan brainstorming session in real time, but in the safety of your office, outside of the actual disaster.
Alysha Hester, Agility Recovery Test & Declare Manager
What Are Tabletop Tests Used For?
Organizations use tabletop tests to test for gaps in written continuity plans. They allow businesses to explore the scenario and identify any dark corners in those plans, providing the opportunity to answer any questions before experiencing an actual event.
Why Do Businesses Use Tabletop Tests?
Tabletop tests are useful for several reasons, including:
- Identifying recovery gaps in plans, resources, and communication strategies
- Implementing new training protocols for safety that are identified post exercise
- Meeting compliance requirements
According to expert Alysha Hester, "I would say the main reason businesses use tabletops is to deep dive into a specific potential disaster to determine findings that could be further explored after the exercise. Once a post-event investigation has been completed, plans would be updated accordingly (and then the cycle of testing starts over so you can explore if these new adjustments provided greater resilience during a disaster)."
Pros and Cons of Tabletop Testing vs. Other Types of Tests
Why implement tabletop exercises instead of other types of tests and exercises? Ultimately, we advise utilizing all types of exercises, but tabletop tests are a great place to start.
Pros:
- Test the specific people and processes documented in your organization’s BCP
- Can be done virtually to conveniently include all staff (including hybrid employees or third-party vendors/MSPs)
- Low- to no-cost option
Cons:
- Creating exercises internally can be extremely time consuming and take some creative thought.
- Tabletop tests can’t test the physical components of the recovery, so it still may be unknown if some IT and manual processes will function as expected at the time of the disaster as discussed in an exercise.
For additional value, consider involving a 3rd party perspective in facilitation if you feel your tabletop exercises have become more of a check-the-box type of event or a BCP/incident response read-through.
Alysha Hester, Agility Recovery Test & Declare Manager
After the Tabletop Exercise
So you've completed your tabletop exercise – now what? One of the most critical outputs of any test or exercise is identifying gaps and areas for improvement. These could include realizing there is no personnel redundancy, not knowing how to get in touch with remote employees, or not having enough people who know how to access important information. Document this information and use it to update your organization’s business continuity plan. Then, be sure to update your organization on any new plans and procedures. In doing so, you'll be more prepared for any interruption that may affect the business. Ready to get started? Agility provides free tabletop exercise templates; we can also create a custom tabletop exercise and run it with your organization. Reach out to us today!
Why Tabletop Exercises?
Even the best-laid plans can go wrong with the simple introduction of the “human factor.” Introduce this into emergency response planning, when the stakes are high, and even the most thorough plan can begin to fall apart. That is why tabletop exercises can be critical to ensuring the success of your scenario plans when they are put into action. Tabletop exercises are group activities that examine the response of your crisis team to a specific scenario and quickly detect previously undetected gaps in your plan or issues that need to be addressed. Such exercises also serve as a reminder of small yet crucial details, for example, whose responsibility it is to provide comments to the media if the VP of communications is on vacation. These are some of the essential tips for maximizing the outcome of a tabletop exercise:
Before deciding on a scenario, define a reasonable number (3-5) of objectives. For example, if you choose to test your organizational response to an Active Shooter incident, first determine what aspects of the response you need to focus on. Then, develop a scenario that aligns with the objectives.
Choose a Realistic Scenario
A successful tabletop exercise should resemble the real world as closely as possible. This means choosing threats that are viable to the organization, as well as designing a scenario that includes realistic threat behavior. Examples of real-world cybersecurity threats include a network infrastructure breach with data exfiltration, website-hosted malware, denial-of-service (DoS) or distributed-denial-of-service (DDoS) attacks, rogue wireless access points, or something as commonplace as a lost laptop that contains sensitive data or passwords. The type of threat chosen for a tabletop exercise will vary by industry and from one organization to another, but it must mimic a threat that’s likely for that specific environment.
During the Tabletop Exercise: Have Clear Objectives and Follow the Schedule
Have copies of your emergency response and business continuity plans on hand, along with a whiteboard to track progress. Before you begin, the moderator needs to review the objectives and scope of the exercise. Note that the crisis leader has the final say if there are conflicting opinions. It’s also important to keep track of time; the moderator needs to set time limits for each action item. Once the imaginary threat has been set into motion, each member of the group should perform, in real time, the actions they would take were that threat actually playing out. These will be based on the organization’s security plan, which should already be in place. These actions include sending specific organizations to talk to the press, communicating to employees within the organization, and notifying clients and third parties. They also include making decisions about whether to shut down systems, collecting information, and utilizing forensic software to identify the type of threat at play before working to remediate it. After the exercise is complete, review the process to understand what worked and what needs improvement. The rules of any successful meeting or tabletop are: start on time, finish early, and offer refreshments.
To improve the effectiveness of a tabletop exercise, FEMA recommends that all potential players complete Incident Command System 100 and National Incident Management Systems 700A-level training, which is a quick, easy, and free course.
After the Tabletop Exercise: Act on What Was Learned
In addition to allowing the entire team to practice their response in real time, the value in tabletop exercises is that they can help identify weaknesses and gaps in an organization’s response. Confusion about responsibilities, poor decisions, identifying new vulnerabilities, and finding weak points in the processes don’t indicate failure; rather, these are precisely what tabletop exercises are designed to weed out.
“The tabletop exercises with Agility are always a valued service. By providing fresh insights and opportunities for improvement, Agility has helped us grow and improve our BC Program immensely.”
Robert Behling, IT Systems Administrator, First FarmBank
After each exercise, it’s essential for the team to debrief and discuss any shortcomings in the response. They should also document what worked as well as what didn’t so the organization can identify vulnerabilities and missing links and work to patch and fill them. These recommendations will help the next exercise run more smoothly and ensure a more effective response when an actual threat strikes. Make sure action items are circulated after the exercise is complete and review and update your plans accordingly.
A business continuity program is no longer considered superfluous. Last year, businesses worldwide learned the importance of integrated business continuity testing and planning, especially when it comes to vendor management. In fact, 74 percent of surveyed organizations have faced a disruptive event with third parties in the past three years. A business continuity plan is a company's roadmap that helps navigate the unknown and unexpected, including natural disasters, communication issues, physical disruption, or other large-scale emergencies. However, having a plan in place is only half the battle. A business continuity strategy also needs to be continuously monitored and tested for gaps or obstacles.
Why Integrated Business Continuity Testing is Critical
Integrated testing moves beyond the testing of individual and isolated components. It includes testing with internal and external parties and supporting systems, processes, and resources.
1. Ensure your plans work
Testing business continuity allows you and your workforce to exercise how to approach an emergency and find gaps in the plan to address where it needs improvement.
2. Expose potential gaps before an incident occurs
Testing your business continuity plan allows you and your team to exercise how to approach an incident and find gaps in the plan to address where it needs improvement. This is a unique opportunity to practice your recovery strategy and update your incident management team on your business's latest changes.
3. Meet rising client expectations
Customer expectations are getting higher, and your business must keep up with the rising demand for impeccable customer service.
4. Continually validate and improve your plan
Your organization is continuously evolving. So should your business continuity plan. And what's a better way to improve your plan than through testing it?
5. Reduce recovery time objective and cost
With RTOs, costs increase the faster you want to recover your business after a disaster. For instance, recovering your business in 72 hours will be exponentially less expensive than recovering your business within 24 hours.
6. Preserve reputation
Business continuity management is more than just compliance. It is the foundation of a company’s reputation and stability.
7. Satisfy regulators
Regulatory scrutiny is projected to tighten even more in the coming years. Keeping your business compliant with industry regulations is key to its longevity. Besides, disobeying compliance standards will most likely lead to costly fines.
5 Testing Tips to Increase the Effectiveness of Testing
In striving to increase the effectiveness of test scenarios over time, an institution should, as appropriate, consider the following:
- Perform integrated tests or exercises that incorporate more than one system or application and external dependencies to gauge the effectiveness of continuity plans for a business line or major function.
- Test interdependencies where two or more departments, business lines, processes, functions, and/or third parties support one another.
- Conduct end-to-end exercises to demonstrate your organization’s ability to recover a business process from initiation (e.g., customer contact) through process finalization (e.g., transaction closure).
- Conduct full-scale exercises that involve the recovery of systems and applications in an interactive manner in a recovery environment, including all critical functions and modules.
- Perform exercises that include third-party providers’ subcontractors, vendors, or services.
Core Elements of a Business Continuity Testing Strategy

The test strategy should encompass at least three elements: staffing, technology (data, systems, applications, and telecommunications), and the facilities that house the staff and technology environments.
1. Testing elements: Staffing
- Testing strategies should include demonstrations of the staff’s ability to support business processes, including the processing of transactions, communication with key internal and external stakeholders, and any other industry-specific processes.
- Strategies may need to address staff’s ability to support increased workloads resulting from the transfer of processing to alternate sites for extended periods of time. For institutions that have implemented split processing business models, any aspects of the client relationship model that present challenges or complexities to the transfer of workloads across sites, and related dependencies, should be identified and incorporated into testing strategies.
- Testing strategies should demonstrate the effectiveness of a company’s management succession plans.
2. Testing elements: Technology
- Testing technology strategies should include the data, systems, applications, networks, and telecommunications necessary for supporting business activities.
- In the event system recovery depends on retrieving data files, programs, and other items maintained at the backup facility, off-site testing procedures should only include the use of these backup items to properly replicate the loss of any master data files and programs maintained at the main facility.
- Backup data files should also be tested frequently to assess the integrity of the information, determine if the data is being saved in the correct format, and ensure that applicable files can be retrieved promptly. Alternatively, institutions may employ other processes for data replication, such as synchronous and asynchronous data replication. Regardless of the data replication process used, the process for demonstrating data consistency across different processing environments should be included in the testing strategy.
- Strategies should also test processes to recreate any data lost during a switch to alternate processing facilities, and periodic reviews of telecommunications services should be conducted to determine circuit diversity.
3. Testing elements: Facilities
- Testing strategies for business functions should encompass environmental controls, workspace recovery, and physical security to ensure continuity of facilities and environmental systems at primary and alternate processing sites.
- Testing strategies should include the adequacy of backup power generators and heating, ventilation, and air conditioning systems to meet business recovery objectives at operating centers.
- Workspace recovery test strategies should include assessments of the availability and adequacy of workspace, desktop computers, network connectivity, email access, telephone service, and physical security controls. For institutions relying on the physical relocation of hardware, software, or data storage devices to recover the technology infrastructure and applications at alternate locations, the facilities testing strategy should address the secure transportation of these items.
Additional Plans for Business Continuity Testing
Test scenarios, plans, and objectives should include the institution's crisis management function to demonstrate its ability to respond effectively to contingency events. The crisis management program should be tested, with particular emphasis on the institution's capability to gather information about the threat or event, initiate the BCP, and communicate relevant information to the appropriate staff, customers, vendors, service providers, regulators, and other public authorities. Crisis management test plans should address the ability of crisis management team members and their alternates to carry out their designated responsibilities under various event scenarios. Depending on the type of industry, your organization may need to consider testing the following plans:
- Crisis or incident management plans (know how you’ll manage everything)
- Department continuity plans (maintain priority processes)
- Pandemic plan (tracking, planning, execution)
- Life Safety plans (ensure everyone knows what to do)
- Crisis Communications plans (internal and external)
- Service provider plans (validate partners and supply chain resilience)
- Background and risk
- Vendor Due diligence
Reliance on third-party providers, key suppliers, or business partners may expose your organization to points of failure that may prevent the prompt resumption of operations. The risks in outsourcing information include threats to the security, availability, integrity of systems and resources, confidentiality of information, and regulatory compliance. To ensure timely recovery of operations, management should routinely perform vendor due diligence. As part of this due diligence process, management should inquire about the service provider's physical paths to ensure that system redundancies have been properly implemented. Organizations should also review the service provider's BCP and ensure that critical services can be restored within acceptable timeframes based on the business's needs. The service provider's contract should address the service provider's responsibility for maintenance and testing of disaster recovery and contingency plans. Management should request a copy of the service provider's BCP test results and audit reports to determine the adequacy of business continuity plans and the testing program's effectiveness. If possible, the institution should consider participating in the service provider's testing process. If the service provider fails to perform satisfactorily during a service disruption, management should determine whether the institution has sufficient resources and capacity to perform these processes internally or if alternate vendor arrangements should be considered.
Active Shooter Statistics
To be able to properly respond to an active shooter situation, one must complete training and practice. Since the FBI began releasing its report in 2000, the first seven years demonstrated an average of 6.4 active-shooter incidents, and that figure grew more than twofold to 16.4 the following seven years. The number lingered around 20 incidents every year since then, surging in the last two. Even though the previous year had lower activity, last year’s results remained consistent with a troubling trend. According to the FBI, there were 27 active shooter incidents in 2018: 27 incidents in 16 states, with 213 casualties, excluding the shooters. 85 were killed, including 2 law enforcement officers and 1 unarmed security officer, and 128 were wounded, including 6 law enforcement officers.
Types of locations (2018):
- Sixteen of the 27 incidents took place in areas of commerce and business environment, resulting in 41 killed and 61 wounded.
- Five of the 27 incidents happened in education environments, resulting in 29 killed and 52 wounded.
- Two of the 27 incidents occurred in health care facilities.
- One of the 27 incidents occurred on government property.
- One of the 27 incidents occurred in a house of worship.
How to Respond
- Run
  - Have an escape route and plan on where to go.
  - Leave your belongings behind.
  - Prevent others from entering the area.
  - Call 911 when it is safe to do so.
- Hide
  - Shelter-in-place in an area out of the shooter’s view.
  - Block entry to your hiding place and secure the door.
  - Silence communications devices.
  - Remain quiet.
- Fight
  - As a last resort and only if your life is in danger, attempt to incapacitate the shooter.
  - Act with physical aggression and throw items at the active shooter.
  - Commit to your actions.
When Law Enforcement Arrives
- Officers will usually be in teams.
- Officers may be in uniform or tactical gear.
- First responders won’t help victims until the threat is neutralized.
- Remain calm and follow directions.
- Keep hands visible and avoid sudden movements.
- Avoid pointing, screaming, and yelling.
- Expect to be detained.
Get Prepared
- Establish a partnership with local law enforcement and first responders.
- Implement an action plan that addresses active shooter scenarios.
- Designate at least one (two recommended) “safe rooms” on each floor and ensure everyone is aware of the locations.
- Conduct awareness training for personnel to ensure everyone recognizes and understands the warning signs of potential violence.
- Test and drill on your plans.
- And remember, if you see something, say something.
Even the best-laid plans can go terribly wrong with the simple introduction of the “human factor.” This applies to emergency response planning, where the stakes are high and even the most thorough plan can begin to fall apart. The best way to eliminate the human factor is to test your plans during tabletop exercises.