You should conduct testing and exercises to evaluate the effectiveness of your preparedness program, make sure employees know what to do and find any missing parts. There are many benefits to testing and exercises:

• Train personnel; clarify roles and responsibilities
• Reinforce knowledge of procedures, facilities, systems and equipment
• Improve individual performance as well as organizational coordination and communications
• Evaluate policies, plans, procedures and the knowledge and skills of team members
• Reveal weaknesses and resource gaps
• Comply with local laws, codes and regulations
• Gain recognition for the emergency management and business continuity program

Testing the Plan

When you hear the word “testing,” you probably think about a pass/fail evaluation. You may find that there are parts of your preparedness program that will not work in practice. Consider a recovery strategy that requires relocating to another facility and configuring equipment at that facility. Can equipment at the alternate facility be configured in time to meet the planned recovery time objective? Can alarm systems be heard and understood throughout the building to warn all employees to take protective action? Can members of emergency response or business continuity teams be alerted to respond in the middle of the night? Testing is necessary to determine whether or not the various parts of the preparedness program will work.

Exercises

When you think about exercises, physical fitness to improve strength, flexibility and overall health comes to mind. Exercising the preparedness program helps to improve the overall strength of the preparedness program and the ability of team members to perform their roles and to carry out their responsibilities. There are several different types of exercises that can help you to evaluate your program and its capability to protect your employees, facilities, business operations, and the environment.

Tests should be conducted to validate that business continuity recovery strategies will work. Tests should also be conducted to verify that systems and equipment perform as designed. Tests can take several forms, including the following:

Component – Individual hardware or software components or groups of related components that are part of protective systems or critical to the operation of the organization are tested.

System – A complete system test is conducted to evaluate the system’s compliance with specified requirements. A system test should also include an examination of all processes or procedures related to the system being tested.

Comprehensive – All systems and components that support the plan are tested. An example of a comprehensive test is confirming that IT operations can be restored at a backup site in the event of an extended power failure at the primary site.

Tests of information technology systems and recovery strategies should be conducted in a manner that resembles the everyday work environment. If feasible, an actual test of the components or systems used should be employed. Since tests can potentially be disruptive, tests may be performed on systems that mimic the actual operational conditions.

Inspection, testing and maintenance of building protection systems including fire detection, alarm, warning, communication, employee notification, emergency power supplies, life safety, fire suppression, pollution containment and others should be conducted in accordance with manufacturers’ instructions and regulatory requirements. If a critical warning system or protection system fails, the consequences could be significant.

A test schedule should be developed in accordance with applicable regulations, standards and best practices and designed to meet performance objectives. Records should be maintained.

Guidance on evaluating the need for testing; creating a test plan; and designing, developing, conducting and evaluating tests is provided in the Resources for Testing.

Resources for Testing

Businesses should improve the effectiveness of their preparedness programs through review of policies, performance objectives, program implementation and changes resulting from preventive and corrective actions.

TRIGGERS FOR PROGRAM REVIEWS

Reviews of the preparedness program should be conducted periodically and whenever the effectiveness of the program is questioned. The goal of program reviews is to provide assurance that the program meets the needs of the business and complies with regulations. Changes that should trigger a review of the program include the following:

• Regulatory changes
• New or changed processes
• New hazards identified; vulnerability to hazards changes
• Tests, drills or exercises identify weaknesses
• Post incident critiques identify issues
• Funding or budget level changes
• New product or service launched or withdrawn
• Company, division or business unit acquired, integrated or divested
• Significant changes to critical suppliers or supply chain
• Significant increase in the workforce population on-site
• Significant changes to site, buildings or layouts
• Changes to surrounding infrastructure

If any of these changes or triggers occurs, the program coordinator should initiate the appropriate program review.

SCOPE OF PROGRAM REVIEWS

Program reviews should assess compliance with policies; determine whether performance objectives are being met; assess the adequacy of program implementation; and determine whether preventive and corrective actions have been taken on previously identified deficiencies.

The following should also be reviewed:

• Plans and procedures have been reviewed and are up-to-date
• Team rosters have been updated to ensure membership is current
• Contact information for team members, public agency contacts, contractors, vendors and suppliers
• Resources (e.g., systems, equipment, and supplies) are in place and properly maintained

Resources for Program Reviews

Gaps and deficiencies identified during program reviews should be recorded and addressed through a corrective action program. Gaps or deficiencies in the program may be identified during training, drills, exercises, post-incident critiques, regulatory compliance audits, insurance surveys and from lessons learned.

CORRECTIVE ACTION PROGRAM

The corrective action program should document information on deficiencies. A table similar to the one on this page can be used. Include a full description of the deficiency; the action that should be taken; the resources required to address the deficiency; and justification for the need to correct the deficiency. Action on deficiencies should be assigned to the person or department best able to address the issue. A due date should be assigned and the corrective action database reviewed regularly to track progress. The status column should be updated until the deficiency has been addressed.

All program gaps or deficiencies are not equally important. Prioritization of corrective actions is helpful because funding and time are usually limited. Prioritization can also identify significant deficiencies that should be reported to management and corrected as quickly as possible. Criteria or categories for corrective action may include the following:

• Hazards to health and safety
• Regulatory compliance
• Hazards to property, operations, the environment or the entity (e.g., image or reputation)
• Conformity to national standards
• Following industry best practices

MANAGEMENT REPORTING

Significant deficiencies should be reported to management along with appropriate information to explain the problem, how to correct it and the reasons it needs to be addressed in order to gain management support for action. Management should also be periodically informed of the status of corrective actions until deficiencies have been resolved.