ISO 22301 Readiness
ISO 22301 and Readiness – Preparing Your Team with a Readiness Programme
In 60 seconds
ISO 22301:2019 places significant emphasis on competence, awareness, training and exercising within Business Continuity Management Systems (BCMS). Organisations seeking certification or alignment must demonstrate not only that plans exist, but that teams understand their roles, can apply procedures effectively and regularly validate arrangements through realistic exercises. Readiness programmes provide the structure, evidence and operational confidence required to strengthen resilience and support continual improvement.
Who this is for
Business Continuity Managers, Crisis Management Teams, Operational Resilience Leads, Risk Managers, Compliance Teams, Senior Leaders, Facilities Managers, Incident Managers and organisations working toward ISO 22301 alignment or certification.
What the guidance and good practice says
Why Readiness Programmes Matter
People remain both the greatest strength and one of the biggest vulnerabilities during crises and incidents.
Whether organisations are pursuing ISO 22301 certification, strengthening operational resilience or improving governance, readiness programmes help ensure teams can respond consistently and effectively when disruption occurs.
ISO 22301:2019 places clear requirements on competence, awareness, exercising and continual improvement across clauses 4–10 of the standard.
Training and exercising are not administrative add-ons. They are essential operational safeguards.
The muscle memory developed through rehearsing plans and procedures improves confidence, communication, decision making and coordination during real incidents.
Delays, uncertainty or poor coordination during an incident can increase operational disruption, reputational damage, financial losses and regulatory exposure.
Training Before Exercising
A structured readiness programme should always begin with training before progressing into exercises and simulations.
Clause 7 of ISO 22301 requires organisations to ensure that personnel performing roles within the BCMS are competent based on education, training or experience.
This means individuals should:
- Understand the organisation’s continuity arrangements
- Know their specific roles during disruption
- Understand escalation and communication pathways
- Recognise the consequences of non-conformity
- Understand relevant plans, policies and procedures
Awareness is equally important.
Teams should be able to explain key continuity documents including:
- Business Continuity Policies
- Business Continuity Plans
- Crisis and Incident Management Plans
- Communication Procedures
- Recovery Priorities
Competence should not be assumed purely because someone holds a leadership position or operational role.
Effective readiness programmes often include:
- Training needs analysis
- Role mapping
- Competency assessments
- Awareness campaigns
- Scenario discussions
- Operational briefings
Building Maturity Over Time
Developing an effective Business Continuity Management System is rarely a rapid process.
Most organisations evolve through phases of maturity.
Foundation plans are developed first, followed by layered improvements in governance, exercising, communications, leadership engagement and operational integration.
Readiness programmes help organisations progressively strengthen capability rather than attempting to achieve maturity through documentation alone.
The Importance of Exercising
Once teams understand their plans and responsibilities, exercising becomes the next critical phase.
Clause 8.5 of ISO 22301 requires organisations to implement and maintain programmes of exercises and tests designed to validate:
- The effectiveness of plans and procedures
- Operational coordination
- Decision making
- Communication arrangements
- Leadership capability
- Team competence
Exercises should involve realistic scenarios aligned to organisational risks and continuity objectives.
Importantly, exercises should involve the correct internal and external stakeholders and test the interactions between teams, partners and leadership structures.
Exercising should never become a simple “tick box” process carried out solely for audit purposes.
Real value comes from exposing weaknesses, validating assumptions and improving organisational confidence.
Debriefing, Evidence and Governance
ISO 22301 requires organisations to maintain evidence of readiness activities.
For audits and governance purposes, organisations should retain:
- Training attendance records
- Competency assessments
- Exercise plans and objectives
- Facilitator and observer reports
- Exercise logs and timelines
- Debrief reports
- Corrective action trackers
- Governance and management review outputs
Outputs from crisis and incident management platforms can also provide valuable evidence of operational decision making and information management during exercises or incidents.
The critical point is that learning must feed back into organisational improvement.
Without action tracking and governance oversight, readiness programmes lose much of their long-term value.
How Often Should Organisations Exercise?
A common question within resilience programmes is how frequently organisations should test their arrangements.
As a minimum, exercising should occur annually and whenever significant organisational changes occur, such as:
- Office relocations
- Structural or leadership changes
- New products or services
- Technology changes
- Major operational growth
- New risk exposures
Higher risk organisations may require more frequent testing and validation activities.
Readiness Is About Confidence Under Pressure
Ultimately, ISO 22301 readiness programmes are not about producing documentation for auditors.
They are about preparing people to operate effectively during uncertainty, disruption and operational pressure.
Strong readiness programmes improve consistency, confidence and resilience across the organisation while also providing evidence of due diligence, governance and continual improvement.
What good looks like
- Structured training and exercising programmes documented and approved
- Clear role-specific training and competency assessments
- Regular awareness campaigns and communications
- Realistic exercises aligned to operational risks
- Leadership participation in readiness activities
- Exercise outputs linked to governance and improvement actions
- Evidence and audit trails retained appropriately
- Regular review and continual improvement processes
- Strong integration between crisis, incident and continuity arrangements
- Teams confident in their roles and responsibilities under pressure
Common mistakes we see
Treating readiness as purely a compliance exercise
Certification evidence is important, but operational capability should remain the primary focus.
Exercising teams before training them
Teams require foundational understanding before meaningful exercising can take place.
Failing to document evidence properly
Attendance records, competency evidence and debrief outputs are often incomplete or inconsistent.
Not involving leadership teams
Senior decision makers must also rehearse crisis and continuity responsibilities.
Exercises without structured debriefs
Without lessons identified and tracked actions, exercising loses long-term organisational value.
Allowing plans to become static
Business continuity arrangements should evolve as risks, operations and organisational structures change.
Practical checklist
Mandatory Documentation Checklist
- Competency records
- Business continuity plans
- Exercise reports
Training & Awareness Checklist
- Role-specific training
- Competency assessments
Compliance Matrix
| Clause | Requirement | Evidence Required |
| --- | --- | --- |
| 7.2 Competence | Ensure personnel are competent | Training records |
FAQs
How often should organisations exercise their business continuity arrangements?
As a minimum, organisations should exercise annually and whenever significant operational, structural or technological changes occur.
What evidence do ISO 22301 auditors typically expect?
Auditors commonly expect training records, competency assessments, exercise reports, debrief outputs, corrective action tracking and evidence of continual improvement.
Why is exercising so important?
Exercises validate plans, strengthen confidence, improve coordination and help teams rehearse decision making under pressure before a real incident occurs.
What is a competency assessment?
A competency assessment evaluates whether individuals have the knowledge, skills and awareness required to perform their roles effectively within the Business Continuity Management System.
Does ISO 22301 require leadership involvement?
Yes. Leadership involvement is essential to governance, decision making, continual improvement and demonstrating organisational commitment to resilience.
Can organisations achieve compliance through documentation alone?
No. ISO 22301 focuses on operational effectiveness as well as documentation. Organisations must demonstrate that people understand plans and can apply them effectively.
What types of exercises are commonly used?
Common exercise formats include tabletop discussions, simulations, walkthroughs, communication drills and live operational exercises.
Why is debriefing important after exercises?
Debriefing identifies lessons, validates improvements and creates a structured feedback loop to strengthen future resilience arrangements.
Controlled Events supports organisations in developing practical, evidence-based readiness programmes aligned to ISO 22301 and wider operational resilience objectives.
Through training, exercising, crisis management support and governance integration, we help organisations strengthen confidence, competence and operational performance under pressure.
If your organisation is reviewing its readiness arrangements, business continuity programme or exercising strategy, please contact the team to discuss how we can support your resilience journey.

