The steps are:
1- Define exactly what you want to check and be precise in your formulation: An example would be: What is the response time of the security department for identifying the presence of a suspicious object?
2- Define the parties which will be involved in the exercise and make sure they include the same functions that would be involved if such a scenario would take place. This will allow you to measure the results from all functional rresponsibilities
3- Select the organization which will carry the simulated attack. It is better to use an organization which specializes in adversary based scenarios
4- Inform the relevant parties of the exercise- Unless you want to perform a complete clandestine exercise
5- Prepare an observation report where you measure the different components pertinent to a crisis such as but not limited to: Time of response, Operational Behavior, Efficiency of Procedures, Motivation of the Security Guards, Alertness Level, Logistics, Communication, Ability to think rapidly under stress, Division of Roles , etc..
6- Film the exercise so that you can show it to participants, analyze all components and make necessary changes in your security alignment
7- Be humble about the findings and be prepared to accept bad results, including procedures that don't work, lack of speed, etc..
8- Involve the management in the findings
9- Understand the real findings and their impact on the organization
10- Prepare the required operational, strategic and tactical changes and take help from professional entities
Following these steps is important and perform such exercises at least 6 times a year. Whatever the findings, you will be smarter about your real time security and be in time to make changes. Remember, do not pick the exercise according to what you feel comfortable with! Instead, do it according to the opponent