Crisis Simulation: Your Best Defense Against Risk

You open the binder in front of you.

There’s been an accident at one of your factories. Details are scarce — all you know is that production lines have stopped, people are evacuating and police and firefighters are on their way. You need to convene a small group of internal stakeholders and gather enough information to make a series of very important, very fast decisions right now.

How do you physically account for your employees, partners and customers at the factory? Has anyone been severely injured, or worse? What is the immediate impact to the environment? Can you begin to calculate financial losses, both immediate and long-term? How much information do you need to release to investors today? What do you say internally? What do you tell journalists? Do you shut down the factory? If so, for how long? Do you launch an internal investigation?

Luckily, the accident occurred only on paper as part of a crisis simulation exercise.

Forward-thinking companies routinely run crisis simulations like these to prepare for the major categories of risk they face. Here, we’ll explore best practices around crisis simulations and how you can better prepare for your company’s next crisis.

Time Is Golden

It’s virtually impossible to avoid your next corporate crisis.

In a 2019 survey from PwC, seven out of 10 senior leaders said their company had experienced at least one major crisis in the past five years. The risk of a company experiencing a crisis grows with its size; that same survey suggests companies with 5,000 employees or more experience an average of one corporate crisis per year.

After a crisis, the one thing that leaders consistently say is that they wish they had more time to make key decisions.

That’s not always possible, however. Physical events, like industrial accidents, workplace shootings and natural disasters, happen immediately and without warning. Other risks grow over time and develop in the popular zeitgeist for hours, or even days, before a company realizes they’re facing a crisis.

For example, there are numerous recent examples of consumer brands that face a slow burn of criticism for launching a culturally offensive product, providing terrible customer service or launching an insensitive ad campaign. By the time the crisis dominates the public discussion, the company can find itself on its back foot already.

The fundamental lesson of crisis simulation is understanding how important it is to be notified of a crisis as soon as possible, via internal and external channels, to drive sound decision-making. During unpredictable, kinetic events, that means receiving accurate, detailed information quickly about the situation on the ground – as it unfolds. For brand crises, that means investing in the tools to catch crises while they’re still nascent, to give leaders more time to build a response plan.

There are solid building blocks for formulating and running a meaningful crisis simulation, as practiced by leading risk management practitioners around the world.

Understand Your Risk Exposure

In a previous era, where information flows were slower and less frequently updated, risk was more confined to a centralized risk management team. Today, risk is more broadly dispersed across multiple, disconnected departments, occupying significantly more “space” across the organization.

For example, the operations team is responsible for the physical security of locations and assets; marketing and communications teams protect the brand; employee protection capabilities are often tucked away within physical security teams; and IT mitigates cybersecurity threats and protects virtual assets.

Consider a direct threat against a retail store location. This would trigger an operational response to secure the site and protect its employees and customers, but it could also threaten reputational risk and business risk. It might even elevate the risk of a cyberattack.

Make a Baseline Risk Assessment

Every company should build a baseline risk assessment, identifying the most common types of risk scenarios they face. Here, it’s helpful to look at corporate crises in the company’s recent past and whether those risks continue to exist.

Continually test your assumptions, particularly as new risks emerge. Here, it’s helpful to stay informed about the corporate crises occurring elsewhere in your industry and asking, are we prepared if we faced a similar crisis? Examining how competitors handled certain crisis scenarios is helpful.

Build Small Response Teams with Wide Latitude

After identifying common risk vectors, pull together a small team of internal stakeholders who sit in decision-making functions across the business. The exact mix will depend on the type of risk you’re testing against — decision-makers commonly include people from operations, legal, communications, security and risk management.

Empower this group to make quick decisions without a lot of corporate red tape. In the middle of a crisis, your rapid response team will be responsible for protecting human life and limiting damage to the environment, the company’s reputation and its brand. In certain risks, the leaders your company typically relies on to make decisions might be directly implicated or affected by the crisis themselves.

Under a “hub and spoke” model of crisis management, this team forms the “hub” of activity and decision-making, assigning out tasks and communicating to the wider team sitting along the “spokes.”

Perform Inconvenient Simulations

Do your best to replicate complex, real-world conditions during your crisis simulation sessions. A crisis can occur in the middle of the night or in a corner of the world where your team doesn’t speak the native language. It could occur over a holiday, when the members of your primary response team are out of the office and unable to physically convene a meeting. It could also affect a much wider swath of your employees or customers around the world than anticipated.

Indeed, some of the most extreme scenarios that unfold in real life seem unimaginable when conducting risk simulations. Consider the current pandemic caused by the coronavirus, leading the global spread of the COVID-19 disease. Impacts to businesses and individuals are taking unexpected twists and turns as countries and cities adopt very different approaches to managing the spread of the disease and operating businesses safely as some employees return to their customary workplaces. Public health and economic outcomes will vary widely around the world – an especially important consideration for global enterprises operating in multiple countries

Use Technology to Your Advantage

Finally, you’ll want to have the right technology in place to help capture an advantage in any crisis, complementing the work of risk analysts, security professionals and others who monitor external communications channels for signs of high-impact events. For example, AI solutions that process enormous volumes of public data in real time can help synthesize relevant signals across social media, blogs, information sensors and more – and deliver critical, early warnings to companies.

Integrating real-time information into your crisis workflows, across response teams and functions, will enable each team to gain a common understanding of what is happening and provide a few extra minutes or even hours to craft an appropriate response.

The most effective crisis simulations bring together disparate teams and diverse expertise to foster a common perspective and action plan for how to respond when a real crisis takes root. But they also help build confidence in the information flows and decision-making processes that underpin sound crisis management.