Testing and practising

Testing helps us to assess how fast and resilient we are...

Testing and practice – background

We all know tests – from school, university and vocational training, for example. Or also from sports, when the coach stands next to the 200-metre track with a stopwatch and a clipboard and documents the runners' times. Among other things, results and the time factor are also at stake when testing BC boards. Among other things, mind you, because here tests are naturally somewhat more complex to plan (and implement!). And yet there is a connection to the comparison with sport: testing provides a statement about how fast and resilient one is – at 200 metres or even in getting a company up and running again after a (simulated) event.

Why is testing so important? This can be answered briefly and compactly: through testing you gain confidence in your actions – you know what works, where the concrete performance capability lies, and you find out what you can do better before you stumble into the next real event. The aim is to set up plans that are practicable, stable and (at best) open to further development. In both cases, a good result is supported by good preparation and targeted training.

Tests and exercises come in different levels of difficulty. The first level is a basic assurance. For example, it may be a question of checking whether the framework conditions are suitable so that the employees concerned can work in a goal-oriented manner and whether an individual plan works. Once the basic safeguards are in place, the level of maturity of the subsequent tests is gradually increased and it is checked on an ongoing basis whether what has been planned actually works in practice in the company.

Standards, regulations & Co.

The various standards and ISO norms focus on the basic idea that testing should be done to ensure the effectiveness of plans and procedures. The BSI standards (BSI, German Federal Office for Information Security) and the ISO standards (ISO, International Organization for Standardization) describe certain test categories, the implementation of which a regulated company must be able to prove. However, there are hardly any regulations on how such tests are to be organised. The regulations also state, among other things, that tests should be carried out regularly, but there is, for example, no statement describing what is meant by regularly.

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht), which, for example, supervises financial institutions, also prescribes regular tests, but without going into more detail about regularity. But it also says that you should have a training plan. Financial institutions must be able to prove structurally, for example, that the tests follow a more demanding maturity level. They have to be structured in a progressive way, so that the level of development of the test subject keeps increasing. And this involves the requirements of the test itself as well as the test category. Standardised templates for the test categories are then also available in the ISO standards and in the BSI standards. For regulated companies, it is advisable, for example, to draw up a 5-year test/evaluation plan that represents a clear development of maturity through its annually varying test categories.

The goal of the test itself is to be able to provide a clear picture of the test's effectiveness.

The goal to achieve: what I have planned works!

Controllit AG pursues its best-practice approach on this topic, which states that one should test annually. It doesn't matter whether it's BCM, crisis management or ITSCM – you should test annually because these topics are (hopefully) not part of everyday life. Something you do (too) rarely will hardly work extremely well. You can only mentally and functionally anchor things that you deal with regularly. And it is the same with tests and exercises.

Test and exercise categories – a look at test depths and designations

In BCM, ITSCM and crisis management, the designations for the various test and exercise categories are pretty much agreed upon, except for a few minor things – there are only minimal differences in the designations. This also reflects well the idea of corresponding or even common tests and exercises.

The first category is the Desktop Test or Walkthrough Test. This is a kind of logic test for completeness and feasibility. The desktop test is usually carried out by only one tester and the person responsible for the test object. The question is: Is the test object logically and reasonably structured and coherent? In the walkthrough test, the entire team described in the plan takes part in the test. Based on an incident (e.g. fire in the administration building), the team members talk through the tasks that each team member would carry out in such a case according to the plan. The question here is: Are there tasks that have been forgotten and are the tasks clear to the team members? Such tests can be carried out with BC and IT recovery plans, but also, for example, with checklists in crisis management.

Number two: the functional test. Now the test objects are tested with regard to their practical and technical effectiveness. In this test format, several contact persons of the emergency or crisis team are required. For example, telephone numbers and the availability of work equipment are tested. Can Mrs. Mustermann and the service provider actually be reached? Is the required form available at the described location? Do the members of the emergency team know their alternative workplaces and, above all, does working there actually work in practice? Checking the recovery time also plays a role in this test class.

Process Chain Test or Team Test: This test is more complex, because it is about testing teamwork and the functionality of the overall process. The core question is: Can the team members all achieve the goal in interaction with the test object? This means, for example, that the BCPs of different departments are tested, all of which are required for a time-critical business process. It has to be checked whether everything works together on the basis of what was developed in the individual plans. In other words, whether the previously created processes, checklists and individual tasks also work together on a large scale.

Simulation or Scenario Exercise: In this exercise, the strategic and tactical level (crisis management team and situation centre) is confronted with a concrete scenario (i.e. a very specific event). The content of this scenario develops further during the exercise. There is always a script for scenario exercises. A bomb disposal, for example, turns into a bomb explosion that destroys half of the building, then a staff member goes into shock and drops out, later the fire brigade puts all the files under water, and all this is followed in the social media. The script tries to challenge the assembled members with different aspects in order to see how the current situation is managed together.

Full or Live Exercise: In a full exercise, the entire response structure is actually exercised live. For example, a data centre is switched off – during daytime business or not, depending on the customer's request. A live swing of a data centre during daytime business is always associated with risks, so backup mechanisms should always be in place. Full shutdowns are partly required by regulations, e.g. for airlines and airports. Airlines and airports often carry out these exercises together, as partners. For example, if an airport has to carry out a full-scale exercise, an airline provides an aircraft and a crew. Both parties ramp up their crisis teams and test together. The airport fire brigade, police, rescue teams and support teams are usually also involved. Often, such tests also include a few simulated injured and uninjured passengers in order to involve the paramedics and attendants in the test.

Other test and exercise variants: Something very basic, short and above all profitable can be, for example, an alerting test for the crisis management team. This test checks whether the relevant staff members receive the information and whether they (can) react accordingly. It checks whether everyone is equally informed and reachable, whether the contact details are up to date and whether everyone concerned can get to the place where work is to be done quickly enough. If this test does not work perfectly, at least you know how long all employees actually need. In principle, training and tests can be announced or unannounced. The company decides here depending on its level of maturity, its willingness to take risks and its available resources (a full implementation really ties up a lot of capacity).

Preparing for tests and exercises

Whatever the test or assessment format, it all starts with basic preliminary considerations: What kind of test/assessment needs to be done? How elaborate should it be? How long should/can it take? What resources are available? Should the test/exercise be announced or unannounced? All points should or must be coordinated with superiors. If, for example, an unannounced test is planned with a crisis management team, it is advisable to obtain the agreement of the managing directors beforehand and to clarify whether there are any no-go dates in order not to burden daily business too much.

Once the budget and the framework parameters are known, the test/exercise can be prepared. If a scenario is to be tested, a script with a horizon of expectation is written. The latter is about recording which decision-making possibilities are foreseeable. So you go through everything yourself step by step and prepare thoroughly. Even with a simple walkthrough test, preparation is important: you have to examine the test object carefully beforehand in order to determine whether there are any logical breaks that need to be clarified with the person responsible.

It is advisable to report tests in advance at least to the head of the department, depending on which team you are working with.

Planning tests and exercises

When it comes to testing and exercising, Controllit AG recommends five-year plans that show what kind of perspective one has and how the maturity development is planned. When planning for the company, it is also important to take into account, for example, that the dates of annual tests with the specialist department are set in such a way that they fit in with the normal daily business of the departments. Once these dates have been set, a good annual plan can be drawn up showing what is done when and with whom.

Good planning is also characterised by the fact that the output of the upcoming test/exercise is taken into account. In this way, the processes that have not yet been perfect, where there have been adjustments and which are to be optimised, can be assessed and secured in terms of content and on an ongoing basis. Without long-term planning, such a targeted approach is not possible.

Who should monitor and document tests and implementations?

Ideally, one works with a mixture of internal and external staff or consultants when it comes to conducting, observing and documenting. Many companies are very fond of contracting out their crisis management team (or other functions) year after year. One could actually say that after two or three years, companies know how to do it, so that they can completely manage their own crisis management. However, one should not forget the effect that an external expert, who also accompanies projects in other companies and thus has the corresponding experience and ideas, is listened to differently than the employees in one's own company.

So: you can carry out these exercises internally on your own, if everything works and you do not need an external view from outside.
But: an experienced external consultant always brings valuable added value, a different spectrum of ideas and a new perspective.

An example

A company with a BCM, ITSCM or crisis management organisation has defined functional managers and deputies. In the case of a planned exercise, all of them should actually practise, but this is not possible in the implementation – or could lead to chaos.

The approach: one practises with a team of functionaries/principals or deputies. Ideally, the team is a mixture of managers and deputies, i.e. of experienced and less experienced staff. This leaves a pool of employees who are basically concerned with the issue or are in the emergency team, but who are not taking part in this particular exercise and are nevertheless interested in the processes. These staff members can be excellently integrated into the exercise in all the functions that exist in a crisis management team.

The constellation: The crisis management team works in its crisis management room. In addition, there is the director, who steers the exercise on the basis of the script. It is a great advantage if an employee of the company sits in the control room and provides technical support for the (perhaps surprising) developments in the meeting. If situations are introduced into the test via the control room, the crisis management team responds via the control room in order to initiate measures. These reactions of the crisis management team must be answered and processed in the control room. If there is someone from the company there who can say what is realistic or who can see how the interaction works, it is a gain for both sides, professionally and structurally. There are (one to three) observers in the crisis team room who monitor the leadership, communication and teamwork as well as the understanding of roles. The internal and external perspective is also useful for observing the meeting in the crisis management room: an external observer, for example, evaluates the cooperation independently of the people (whom he hardly knows), whereas the internal observer knows the company culture and can be more sensitive to interpersonal differences. This gives you results from two different perspectives, and it is precisely this combination that leads to very valuable end results.

Testing and practice - best at full throttle

In a simulation, for example, it is good to choose a situation that gets the participants involved. You should choose a topic that affects the company and especially the crisis team representatives in some way, so that they can consider it realistic. The more realistic and interesting the set-up, the more energy and adrenaline is involved – and during exercises it can even run really high within the team!

Immediately after the exercise, the so-called Hot Debriefing takes place. This first part of the discussion serves on the one hand to get out of the session and to really conclude it. In addition, the participants talk about what went well and what went less well. An evaluation does not take place at this point, it is only about the very first impressions. It is most effective when the participants reflect on their behaviour and can tell why certain things worked well or not so well. This way of gaining knowledge is so valuable because it anchors best (learning by reflection). What has been internalised in this way (especially successful activities) is best retrievable later in a possible emergency.

Once the emotional distance to the exercise has been restored and the heartbeat has returned to normal, there is a break and a feedback sheet with structured questions, for example on teamwork, communication and leadership behaviour and the like.
This is followed by a second structured feedback, the so-called formal debriefing. This may reveal that people evaluate a situation in a more differentiated way with a little distance than directly after the exercise. In addition, the second feedback includes initial input from the observer(s) and the director. It is also very important to address and emphasise the strengths of the participants. If only the negative reactions are discussed, this can be counterproductive under certain circumstances.

Conclusion - the great advantage of tests and exercises

It can be said that there is nothing better than testing and exercising regularly (with external support). This is the only way to get open-ended, honest and goal-oriented feedback. It should also be borne in mind that a crisis management team, for example, which is made up of people from a wide range of specialist areas, must know and understand each other as a team so that communication and work can take place at eye level and on the basis of functions and roles. Thus, practising is always worth its weight in gold for team building. Another positive aspect is that you can just try things out and if they go wrong, you haven't caused any major damage.

Even an experienced organisation or an already tested and coherent Business Continuity Plan (BCP) can still be optimised further. However, it is not only about improving, because it is just as important to secure the processes that are already working well and to regularly put them into action. A plan is only as good as its weakest individual section. And: learning through success is better than learning through pain.