If you run a business, you’ve learned – and perhaps the hard way – that you don’t get what you ‘expect,’ you only get what you ‘inspect.’ The same can said for your crisis response platforms. Successfully mitigating the impacts of any emergency or crisis event depends upon routine testing, audits and updates of current plans. Plans cannot be expected to work properly unless they have been tested prior to their actual implementation in an emergency or crisis. Don’t wait until an emergency unfolds to see if the plans and procedures you’ve implemented are effective in responding to and recovering from a crisis event.
Decision-making during a crisis is critical to the outcome. Because of this, the following holds true:
- Practicing emergency response helps assure that the response can proceed predictably during a crisis event.
- Participation in exercises familiarizes everyone with the vulnerabilities, mitigation strategies, incident management and crisis communications.
- Testing allows problems or weaknesses to be identified and used to stimulate necessary and appropriate changes.
- Errors committed, and experience gained, during testing provide valuable insights and lessons learned that can be factored into the planning/updating process.
A test exercise serves several purposes:
- Allows management to use and assess plans and procedures to determine their feasibility and determine whether they will work under actual conditions.
- Assesses and measures the degree to which personnel understand their emergency response functions and duties.
- Enhances coordination, communication, and proficiency among response staff.
- Increases the ability of management and staff to respond to emergencies.
- Identifies areas for improvement.
Test exercise strategies should detail the conditions and frequency for testing applications, business functions, decision-making, communications, and overall response efforts. The frequency and complexity should be based on the risks to the organization. The strategy should include test objectives, scripts, and schedules, as well as provide for review and reporting of test results. Industry best practices support testing at least annually, or more frequently, depending on the operating environment and criticality of the applications and business functions.
Tests can be as simple as testing a departmental call tree or can involve an integration of multiple business areas, the IT environment, and link to outside vendors and clients. The complexity of tests should vary to ensure that all components of plan(s) being tested are adequately exercised.
The objective of a testing program is to ensure that the plan(s) being tested can remain accurate, relevant, and operable under adverse conditions. Organizations must clearly define what functions, systems, or processes are going to be tested and what will constitute a successful test.
The scope of the exercise is determined by what is required to ensure the learning objectives are achieved by the participants. For example, if the objective is to test the ability of senior management to make decisions as specified in a crisis plan, a tabletop exercise would be appropriate, although the same objective could be tested during a full-scale exercise.
Organizations should also participate in tests with their core service providers and test other critical components of their preparedness program.
Continually expand the scope and complexity of exercises to eventually encompass enterprise-wide testing, including vendors and key market participants.
As general guidelines, test exercises should:
- Include realistic scenarios.
- Not jeopardize normal business operations.
- Gradually increase in complexity, level of participation, functions, and physical locations involved.
- Demonstrate a variety of management and response proficiencies, under simulated crisis conditions, progressively involving more resources and participants.
- Uncover inadequacies, so that configurations and procedures can be corrected.
- Consider deviating from the test script to interject unplanned events, such as the loss of key individuals or services.
- Inform participants of the objectives and goals of the test exercises.
TYPES OF TEST EXERCISES
Testing methods should vary from minimum preparation and resources to the most complex.
- Orientation/Walkthrough – Briefing or low stress training to familiarize participants with team roles, responsibilities, and expectations. Provides a good overview of new or revised emergency response plans. This type of exercise helps orient new staff and leadership. Planning cycle: one month; Test time: 60-90 minutes.
- Drill – Test of individual emergency response functions that involve actual field responses. Examples include fire drill, tornado test, etc. Planning cycle: one month; Test time: 10-60 minutes.
- Tabletop – Limited simulation or scenario of an emergency situation to evaluate plans, procedures, coordination, and assignment of resources. Advanced tabletops will introduce messages and test assistants who can answer questions. Planning cycle: two-three months; Test time: 90-120 minutes; Debriefing time: 30 minutes.
- Functional – Limited involvement or simulation by field operations to test communication, preparedness, and availability/deployment of operational resources. Planning cycle: three-six months; Test time: 90 minutes – 4 hours.
- Full-scale – Evaluates the operational capability of systems in an interactive manner over a substantial period of time. Conducted in an environment created to simulate a real-life situation. Planning cycle: three-six months; Test time: 2 – 8 hours.
SUMMARY: KEYS TO A SUCCESSFUL TEST EXERCISE
Having a clear objective, management support, a realistic scenario, and active involvement are key to an exercise success. In evaluating a robust test exercise program, look for:
- Top level support and involvement
- Test design team expertise
- Realistic test scenario
- Thorough preparation and attention to detail
- Clear introduction and instructions
- Participant feedback at debriefing
- Follow-up to lessons learned
EXPERIENCE YOU CAN TRUST
Odin Enterprises has produced and tested a wide variety of scenarios ranging from joint military and public safety operations to simple corporate communications checks. Whether crafting a full-field, vignette, command post, tabletop, or communications exercise, each is well within the scope of our experience and capabilities.