Types of tests and exercises

Some types of tests and exercises are presented in the following. The types range from the simple examination of individual measures to complex business continuity exercises. Simple examinations are often referred to in this document as tests, while more complex examinations of specific scenarios are referred to as exercises. Note, though, that it is impossible to strictly separate these terms. Many statements apply to both types of examinations.

Testing the technical preventive measures

To ensure the appropriateness and operability of the technical solutions, these solutions need to be tested. This includes, for example, tests of redundant lines, the power supply, the restoration of data from data backups, the reliability of clusters, the alarm technology used, the technical infrastructure, or individual IT components. Individual components and their function should be tested regularly and after making large changes to the systems or the corresponding system environment to check their interoperation.

Function test

In this type of exercise, the functionality of the procedures, subprocesses, and system groups specified in the various subplans of the business continuity handbook are examined. During the examination, the procedures, but especially the interoperation and dependencies of the various components or measures, are checked. This includes recovery plans, restoration plans, and the business continuity plans for immediate measures (e.g. for evacuating the personnel in case of a fire alarm).

Plan review

The goal of a plan review is to examine the individual plans for emergency or crisis response. The participants go through the plans theoretically in this type of test and examine the plausibility of their contents and the assumptions made in them. The functionality of the contents described is evaluated at that time.

Tabletop exercise

8 Tests and exercises

“on a table” – which is why it is called a tabletop exercise. In this type of exercise, a hypothetical scenario is given and then examined theoretically. This type of test is relatively easy to implement and is used for initial validation. Discrepancies and misunderstandings can be detected using this test before expensive and time-consuming operative efforts are required. This type of test should be repeated often during the business continuity management establishment phase.

Crisis team exercise

A special form of tabletop exercise is the crisis team exercise. In this case, the exercise is performed in co-operation with the crisis team.

Command post exercise

Another form of tabletop exercise is the command post exercises, which is basically an enhanced version of a crisis team exercise. It is used to examine and practice co-operation in the crisis team as well as to examine the level of co-operation between the crisis team and the operative teams. In general, the structures close to the command post are tested in practical exercises while the operative implementation is simulated theoretically.

Communication and alarm exercise

A critical point when responding to an emergency or a crisis is the reporting to and alarming of the crisis team and other people responsible. For this reason, the procedures for reporting, escalating, and alarming must be examined regularly. The scope of this test ranges from simple examinations of the communication resources to the assembly of the crisis team in the crisis team meeting room. In this test, the responsibilities and telephone numbers contained in the plans as well as the procedures, escalation strategy, ability to reach the corresponding people, and rules for substitutes are tested. The test also checks if the plans available are up to date, understandable, and manageable; if the procedures are practical; and if the technologies to be used (e.g. alarm system, emergency telephone, SMS, pager, Internet, radio or satellite communication device) are effective, appropriate, and ready for operation.

Simulation of scenarios

In a realistic simulation, the procedures and measures specified for responding to business continuity scenarios or events are tested in terms of their usefulness, appropriateness, and functionality. In this simulation, the alarming, escalation, business continuity response organisation, work done by the crisis team, and level of co-operation between all participating locations is tested. Such exercises can be organised as function or area tests, and in a further stage, they can be organised to cover all areas.

Business continuity or full scale exercise

The most complex type of simulation is the business continuity or full scale exercise. Depending on the scenario, it is necessary to include external organisations, for example the fire department, aid organisations, government agencies etc., in the exercise. This type following exercise can and should only be performed in the advanced stages.

The full scale exercise is based on a realistic situation and integrates all levels of the hierarchy, from management down to the individual employees, into the exercise. The time and expense required for preparation, execution, and evaluation should not be underestimated. In spite of this, full scale exercises should be conducted if the organisation places high requirements on business continuity management. Business continuity exercises should be performed regularly but with longer intervals between each business continuity exercise.

Comparison of the different types of exercises

Various criteria can be used to differentiate between the different types of tests and exercises. They can be classified according to the type of procedures, target group, scope, or extent.

The procedure followed can be based on discussions or actions. There are three areas of responsibility for the target groups: the strategic, tactical, and operative areas. Exercises at the tactical level examine the co-ordination, the level of co-operation between the individual areas, and the procedures for

assessing and evaluating the situation. At the operative level, the focus is on the procedures and the specific tasks to be performed to overcome the emergency (see Table 18).

Exercise type Target group Procedure Extent/ scope

Strategic Tactical Operative Discussion -based Action- based Low/ Medium/ High/ Very high

Test of the technical preventive measures X X Low

Function test X X Medium

Plan review X X X Low

Tabletop exercise X X X Low-medium

Crisis team exercise X X X Low-medium

Command post exercise X X X X X Medium-high

Communication and alarm exercise X X X Low

Simulation of scenarios X X X High

Business continuity or full scale exercise X X X X Very high Table 18: Types of exercises