Exercising and testing response plans

Exercising and testing are the discipline that proves a response plan works before a real disruption tests it. The same method validates business continuity, crisis, emergency, and security incident response plans, so that an organisation identifies its gaps in a controlled exercise rather than during the event itself.

Overview

What is exercising and testing?

Exercising is the structured rehearsal of a plan under realistic conditions to confirm that people, procedures and systems perform as intended. Testing is the narrower act of checking that a specific capability, such as an information and communications technology recovery process, meets a defined requirement. An exercising and testing programme brings the two together and repeats them, so readiness is maintained rather than assumed.

The Australian and international reference point is ISO 22398:2013, Societal security — Guidelines for exercises, which sets out good practice for planning, conducting and improving exercises and exercise programmes.¹ Its central value is that one method serves every plan type. A tabletop exercise can validate a business continuity plan in the morning and a crisis management plan in the afternoon, because both rest on the same questions: do the right people know their roles, are the decisions sound, and does the plan hold under pressure.

The case for exercising

Why do untested plans fail?

A plan that has never been exercised is a set of assumptions written down. The document may read well, yet the first time it is used under stress is the worst time to discover that a call tree is out of date, that two managers each believe the other is in charge, or that a recovery step depends on a system that is itself offline. Exercising and testing surface these faults while the stakes are low and the faults can still be fixed.

Regulators and standards now treat exercising as a requirement rather than an option. ISO 22301 expects business continuity arrangements to be exercised and validated; the SOCI Act critical infrastructure risk management rules require plans to be tested; and APRA CPS 230 requires regulated entities to test their business continuity and operational risk arrangements through scenario analysis. The common message is that an unexercised plan does not demonstrate capability.

Types of exercise

What are the main types of exercise?

ISO 22398 groups exercises into two families. Discussion-based exercises talk through a scenario in a low-pressure setting, while operations-based exercises put people and systems into action. Realism, cost and disruption rise across the range, so a programme usually starts with the simpler forms and works up.

Workshop

A facilitated discussion that builds shared understanding of a plan and its triggers. Discussion-based.

Tabletop exercise

Key people work through a scenario around a table, testing decisions and roles without activating systems. Discussion-based.

Drill and functional

A single capability or function is activated and runs in near real time, such as an evacuation or recovery process. Operations-based.

Full-scale

A live, multi-team exercise that simulates a real event end-to-end. The most realistic and the most demanding. Operations-based.

[Figure: The exercise lifecycle and the spectrum of exercises from discussion-based to operations-based]

Business continuity

Exercising business continuity plans

A business continuity exercise checks whether an organisation can keep its critical activities running or recover them within the agreed timeframes in the event of a disruption. Useful scenarios include the loss of a primary site, the failure of a key supplier, and an extended technology outage. The exercise should test the recovery time objectives set in the business impact analysis, not just the plan’s existence. Exercising is a core part of the management system described on the business continuity and ICT resilience pillar.

Crisis management

Exercising crisis management plans

A crisis simulation places the crisis management team in a fast-moving, ambiguous scenario to test decision-making, delegation, and communication under pressure. The aim is not to follow a script but to rehearse judgment when information is incomplete and the situation is changing. Exercising the team and the plan turns a crisis framework into a capability, as set out in the crisis management pillar.

Emergency management

Exercising emergency and evacuation plans

Emergency exercises rehearse the immediate, life-safety response to a facility emergency, such as a fire, an evacuation or a lockdown. In Australia, these are shaped by AS 3745, which expects the emergency control organisation and its wardens to practise the emergency response procedures so that occupants can be moved to safety quickly. An emergency drill is one kind of exercise within the wider programme. The facility side is covered on the emergency management pillar.

Security incident response

Exercising security incident response

Security incidents such as an active armed offender, an intruder, or a bomb threat demand a different kind of response, one that must be practised before it is needed. Exercising these responses tests how staff recognise a threat, take protective action and work with police, and how a security incident is escalated to the crisis management team if it grows beyond the immediate response. The physical and security incident response measures are covered on the physical and facility security pillar.

The programme

How do you run an exercise programme?

A single exercise is useful, but a managed exercising and testing programme is what sustains readiness. ISO 22398 frames it as a repeating cycle, so each exercise builds on the findings of the last rather than starting again.

1. Plan: set the aim, scope and scenario, and agree which plans are being tested.

2. Conduct: run the exercise safely and observe decisions and actions against the plan.

3. Evaluate: debrief, capture findings and judge readiness honestly.

4. Improve: feed lessons back into the plans, training and the next exercise.

5. Repeat: schedule the next exercise to maintain the capability over time.

Exercising also supports wider obligations. Testing a critical infrastructure risk management plan is part of meeting the critical infrastructure and SOCI Act requirements, scenario testing supports the financial services and APRA obligations under CPS 230, and regular testing contributes to the maturity uplift expected under the Protective Security Policy Framework.

How Agilient supports you

How Agilient supports exercising and testing

Agilient designs and facilitates exercises across the full range, from a focused tabletop session for a single plan to a multi-team crisis simulation. Each exercise is built around a realistic scenario for the organisation and its sector, run by an independent facilitator, and followed by a clear evaluation that records findings and practical improvements. The work connects to the broader resilience services so that exercising and testing is part of a maintained programme rather than a one-off event.

Test your plans before an event does

A well-run exercise shows where a plan is strong and where it needs work, while the stakes are still low. Agilient designs and facilitates business continuity, crisis, emergency and security exercises for organisations across Australia.


FAQs

Frequently asked questions

What is the difference between exercising and testing?

Exercising is the structured rehearsal of a whole plan under realistic conditions to confirm that people and procedures perform as intended. Testing is the narrower check that a specific capability, such as an ICT recovery process, meets a defined requirement. A mature programme uses both.

What is a tabletop exercise?

A tabletop exercise is a discussion-based exercise in which key people work through a realistic scenario around a table. It tests decisions, roles, and communication without activating systems, making it a low-cost, low-disruption way to validate a plan.

How often should a business continuity plan be exercised?

Good practice is to exercise a business continuity plan at least annually, and again after any significant change to the organisation, its sites or its critical suppliers. Regulated entities may face more specific expectations, so the testing schedule should reflect the applicable obligations.

Which standard covers exercising?

ISO 22398:2013, Societal security — Guidelines for exercises, is the international standard for planning, conducting and improving exercises and exercise programmes. It applies across business continuity, crisis, emergency and security response plans.

Can one exercise test more than one plan?

Yes. A single scenario can be designed to test several plans at once, for example, where a security incident escalates into a crisis and triggers business continuity arrangements. This is an efficient way to test how the plans connect, not just whether each works in isolation.

[Image: A team taking part in a tabletop exercise to test a business continuity plan]

References

  1. International Organization for Standardization, ISO 22398:2013 Societal security — Guidelines for exercises, iso.org
  2. International Organization for Standardization, ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements, iso.org
  3. Australian Prudential Regulation Authority, Prudential Standard CPS 230 Operational Risk Management, apra.gov.au
  4. Standards Australia, AS 3745-2010 Planning for emergencies in facilities, standards.org.au