Organizations are required by law to conduct a fire drill at least once a year. Why? Because everyone needs to know the emergency evacuation procedures by heart in case an actual fire happens, instead of panicking or scrambling for the exits. But what if instead of a fire, your organization is faced with a serious incident of a different nature, such as a ransomware attack? Does everyone know what the emergency response plan is then? In most cases, people do not have the same “muscle memory” in responding to such incidents as they would when responding to a fire. Yet, there are countless possible incidents that could threaten the continuity of your organization, such as cyberattacks, system outages, data breaches, supply chain disruptions, natural disasters, etc.
We believe that, just like fire drills, it is important to regularly test your emergency response plans to such crises and train your employees on their role within this response. This way, you increase your organization’s resilience and improve your chances of coming out of a crisis unscathed. One effective way to do so is through crisis simulations, which we will discuss more in depth in this blog post.
While there are a few different ways a crisis simulation might look in practice, this blog will delve deeper into the most common and simple way to conduct a crisis simulation: a tabletop exercise. In such an exercise, participants gather in one room and discuss their response to real-world events or possible risks relevant to the organization. Usually, these participants include various key stakeholders, such as the management team, security personnel, the IT team, public relations professionals, etc., who are tasked with making decisions and coordinating responses as they would in a real crisis situation.
A simulation like this is typically facilitated by a moderator who guides the participants through the exercise. The role of this moderator is important, as they are responsible for feeding new information throughout the simulation and facilitating discussion when necessary, simulating the dynamic nature of a crisis. At the same time, they are in charge of creating a safe and controlled environment for the participants to test their crisis management skills, making sure the participants will not be afraid to ask questions or make mistakes. After all, this only helps identify areas of improvement afterwards. Therefore, a good moderator of a crisis simulation should possess the following skills:
Subject matter expertise: it is important the moderator understands the context and subject matter of the crisis scenario.
Communication skills: the moderator should be able to clearly and concisely convey instructions, new information and feedback to the participants.
Time management: the moderator should be able to keep the simulation on schedule.
Quick and critical thinking: the moderator has to be able to provide realistic consequences to unexpected answers from participants.
Some people believe that crisis simulations are by definition long, complicated and expensive exercises, which is not the case! A tabletop simulation can be as simple as using only a whiteboard and a marker, or as complicated as using a completely dedicated digital platform, and anything in between. This also means that it’s completely up to you to decide the duration of the simulation. As long as you follow our tips listed further down in this blog, you will be equipped to host a successful crisis simulation, regardless of the tools or platform you decide to use.
So, do you want to host your own crisis simulation, but don’t know where to start? We got you! We have listed the most important steps in preparing for and conducting such an exercise below.
Before starting to develop your crisis simulation, you need to decide on one central question: what is the objective of the simulation? Why are you conducting a simulation and what is it that you are trying to achieve? Is it meant to be a fun and educational team building exercise, or a thorough test of your emergency response plan? Who or what are you trying to test? Naturally, the objective of the exercise influences the way it will look in practice. Make sure that everyone is aware of the purpose before you actually start the simulation to prevent any confusion.
Once the objective of the simulation is defined, you can start to develop your crisis scenarios. The more realistic your scenario, the better. What processes or services are absolutely vital to your organization? What if something happened to them? What stakeholders would be involved? What could be a realistic scenario where these processes or services are affected? If you take these questions as the central starting point when developing a crisis scenario, you will have the most important elements covered. Don’t be afraid to think outside of the box: a real crisis is often a combination of several unlikely events happening at once.
Once you have defined the objective and developed your scenario(s), you need to identify the stakeholders that need to participate. Let’s say the objective of your simulation is to test your emergency response plan. Who are the people involved in this plan? Is it feasible to train all these people at once, or do you only want to focus on the management, for instance? This is important to keep in mind when designing your simulation.
It is important to establish clear ground rules. How long will the simulation take? Who is responsible for what role? What are the voting mechanisms for making important decisions? Is there a structure in the discussion and communication process? It is important that everyone is on the same page when it comes to these rules before starting the simulation.
Finally, and most importantly, you need to implement a way to evaluate people’s performance during the simulation. What were the overall strengths and weaknesses? Was there anything still unclear? Did you find gaps in the emergency response plan? A thorough evaluation is an essential part of a successful crisis simulation. You need to facilitate a debriefing session where all participants are free to share their own experiences and identify the lessons learned. At the same time, participants have to be able to share their feedback on the simulation itself, so you can continuously improve the experience for participants.
If you take all of these steps into account, you will have all the tools necessary to conduct a successful and effective crisis simulation.
So, now you know how to prepare and execute a successful crisis simulation. But the most important question still needs to be answered: what do you gain from doing them? Below, we have listed some of the most important benefits of doing crisis simulations that show why you should consider including them in your organization’s security policy.
Testing incident response plans
First and foremost, crisis simulations help test your organization’s incident response plans. Writing an incident response plan is one thing, putting it into practice is another. Does everyone know their role during an incident? What parties should be involved and when do you contact them? Who coordinates the emergency processes? Who makes the final decisions? All of these questions and more will come to light during a real crisis simulation, while the answer might not always be obvious. This ties in nicely to the next benefit of crisis simulations.
Identifying vulnerabilities
A crisis simulation is a great way to reveal possible gaps, weaknesses, or uncertainties in your organization’s response to a crisis. These insights are extremely valuable in addressing gaps and making improvements, so you are better prepared when faced with a real crisis.
In fact, throughout history there have been countless examples of crises where later investigations revealed that the existing incident response plans were insufficient or improperly tested, hindering the emergency response and worsening the crisis. Some well-known examples include the response to Hurricane Katrina or the Fukushima nuclear disaster. With more and better training (crisis simulations!), it is likely that the crisis response would have been better and the impact of these disasters could have been reduced.
Skill development and increased awareness
A crisis simulation can be a great tool to train your employees on their roles and responsibilities during a crisis, while also stimulating critical thinking under pressure. The more simulations an employee has done, the more familiar they become with their tasks during an emergency and the better the chances that they’ll respond in the proper manner during an actual crisis. Furthermore, a crisis simulation will show employees the possible damage if things go wrong, highlighting the importance of good security measures. In turn, this will increase their security awareness and stimulate secure behavior in the future.
Team building
Crisis simulations are not only a useful training tool, they are also a fun team building activity. They require proper coordination, communication, and decision-making under pressure, all of which promote team cohesion and confidence.
In this blog, we have shown why we believe that crisis simulations are an effective, fun and interactive way to improve the security and resilience of your organization. By regularly conducting crisis simulations, you make sure that people develop a “muscle memory” in responding to serious incidents that threaten your organization. Because if you have never practiced something, why would you expect everything to go well on the first try? And remember: just like with fire drills, conducting a crisis simulation once is not enough. The more you train, the better your response will be once a real crisis arises.