How do we achieve Goldilock's level of exercise?
After the pandemic and other recent events, I began to ask if we were exercising too small. By that, I mean do we typically choose crisis scenarios — severe weather, location fire, or infectious disease outbreak that constrain our capabilities. I wondered if we inherently consider it is challenging to view global or geo-political events affecting us locally. However, in my recent experience, it is becoming clear that organizations must prepare at a macro level. Those working on supply chain and large-scale vendor reliance already think this way.
Obviously, after the September 11 Attacks, many companies began exercising for a wide range of crisis events, including terrorism, cybersecurity attacks, workplace violence, pandemics, or natural disaster. And although none of these hazard types are minor, I found that often business-specific scenarios are contained in scope. Indeed, we need preparedness for contained events like facility or workplace violence. Yet, we appear less prepared for enterprise-wide incidents.
Vulnerabilities keeping CEOs up at night
According to The Conference Board, The C-Suite’s 2023 Outlook On Crisis Preparedness report, CEOs believe their business is ready for wide-ranging cyber or global health crises. However, they are less convinced of readiness for events not yet experienced. I wrote about this in The C-suite’s 2023 Outlook On Crisis Preparedness and suggested focusing our time on catastrophic scenarios not yet tested.
Evidence suggests that the number of catastrophic events that companies need to respond to is increasing. Here are some examples:
Natural disasters: The frequency and intensity of natural disasters such as hurricanes, floods, wildfires, and droughts have increased in recent years due to climate change. These events can disrupt supply chains, damage infrastructure, and harm employees and customers.
Cybersecurity attacks: The number and sophistication of cybersecurity attacks have increased, with many companies experiencing data breaches, ransomware attacks, and other forms of cybercrime. These attacks can result in significant financial losses, reputational damage, and legal liabilities.
Pandemics: The COVID-19 pandemic has demonstrated the devastating impact a global health crisis can have on businesses worldwide. The pandemic has disrupted supply chains, forced companies to implement remote work policies, and caused significant economic losses.
Geopolitical instability: Political instability, trade tensions, and conflicts in different parts of the world can significantly impact global businesses. Companies need the ability to respond to these events, which can include supply chain disruptions, regulatory changes, and changes in consumer behavior.
The number of catastrophic events companies respond to is increasing, and companies must know how to counter them effectively. Such preparedness includes developing crisis management plans, conducting regular risk assessments, investing in cybersecurity and business continuity, and building a culture of resilience within the organization.
Why Enterpisewide exercising matters
Companies must exercise for enterprise-wide crisis events after COVID to ensure they are prepared to respond effectively to a crisis and minimize its impact on their operations and reputation. Here are some reasons why exercising for enterprise-wide crisis events is essential:
Testing the effectiveness of crisis management plans: Exercising for enterprise-wide crisis events enables companies to test their crisis management plans in a realistic scenario. This helps them identify gaps in their plans and refine their response strategies.
Identifying areas for improvement: During a crisis exercise, companies can identify areas for improvement in their crisis management plans, communication protocols, and operational processes. This allows them to make necessary changes and improve their overall preparedness.
Building team coordination: Large-scale crisis exercises allow different teams and departments to work together and coordinate their efforts during a crisis. This helps build a teamwork and collaboration culture, which can be invaluable during a real crisis.
Improving crisis communication: Crisis exercises can help companies refine their communication strategies and identify the most effective ways to communicate with different stakeholders during a crisis. This can help to prevent misinformation and build trust with customers and other stakeholders.
Ensuring compliance with regulations: Companies need to comply with various regulations and standards related to crisis management. Exercising for enterprise-wide crisis events can help ensure that they meet these requirements.
Overall, exercising for enterprise-wide crisis events after COVID is important for companies to improve their preparedness for future crises, protect their operations and reputation, and minimize the impact of an emergency on their stakeholders.
Some companies are going big with exercising.
Many companies conduct large-scale impact exercises after COVID to test and improve their crisis management plans. These exercises simulate a crisis scenario and test the company’s and its employees’ responses in real time. The goal is to identify areas for improvement and ensure that the company can effectively respond to a crisis. Indeed, the Operational Resilience rule in the UK forced financial firms to address high-impact events.
Large-scale impact exercises may involve multiple departments, teams, and external stakeholders to simulate a more realistic scenario. They may also apply various sites or locations to test the company’s ability to coordinate a response across different regions.
The exercises may be conducted in-person or virtually, depending on the company’s needs and the simulated crisis’s nature. To ensure a coordinated response, they may also involve external partners, such as emergency services. However, many businesses continuity to rely on testing themselves against their most likely risks instead of stretching to include black swan or enterprise-wide crises.
Overall, extensive scale impact exercises can be an effective way for companies to prepare for and respond to a crisis, and they have become increasingly important after the COVID-19 pandemic. By testing their crisis management plans in a realistic scenario, companies can identify areas for improvement and ensure that they are better prepared for future crises.
Exercising for events post-COVID
The COVID-19 pandemic has profoundly impacted businesses worldwide, and many companies have had to re-evaluate their crisis management plans. Here are some ways that companies are exercising for crisis events after COVID:
Conducting regular risk assessments: Companies are now more aware of the potential risks that could disrupt their operations and are conducting regular risk assessments to identify and mitigate them. This includes considering the impact of pandemics, natural disasters, cyberattacks, and other potential crises.
Developing remote work policies: Many companies have developed remote work policies to allow employees to work from home during a crisis. This includes providing the necessary technology and infrastructure to support remote work.
Strengthening supply chains: The pandemic exposed weaknesses in supply chains. Companies are now improving their supply chains to continue operating during a crisis.
Implementing crisis communication plans: Effective communication is critical during a crisis, and companies are now developing and implementing crisis communication plans to keep employees, customers, and other stakeholders informed.
Conducting crisis simulations: Companies are running crisis simulations to test their crisis management plans and identify areas for improvement. These simulations involve creating hypothetical scenarios and testing how the company responds.
Investing in digital transformation: Many companies invest in improving their agility and resilience during a crisis. This includes adopting new technologies and processes to streamline operations and reduce the reliance on physical infrastructure.
Overall, companies are taking a more proactive approach to crisis management after the COVID-19 pandemic, focusing more on risk management, remote work policies, supply chain resilience, crisis communication, crisis simulations, and digital transformation.
A good bet to go big with impactful scenarios
So, do I think we are exercising too small? No. It is vital to continue readiness at the local level. However, shifting focus to event scenarios that are business-wide is prudent. Additionally, taking down critical services across geographic jurisdictions to understand current capabilities will prepare you for future events. The recent targeted focus on cyber is good but not the only thing you should invest time exercising the c-suite on.
We must consider Black Swan and Snow Leopard events based on trends, some of which I experienced over the last several years. Sadly, the risk is not diminishing. I contend that hazards we once considered low-probability, high-impact events will become more frequent. It is on us as professionals to sound the alarm and convenience our organizations to invest the time and resources. The good thing is that many of our CEOs agree. So, don’t let the opportunity go by to prepare your business for significant and smaller-scale crises. You will be better prepared for the effort.
Let me know your thoughts in the comment section below.
Did you know?
Disaster Empire blogs contain embedded links to source materials, articles of interest, videos, books, and training I recommend. Just click on the blue embedded link to access the resource.