Sign up to save your podcasts
Or
Share Managing Uncertainty – Episode #40: Why we exercise our plans
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Managing Uncertainty – Episode #40: Why we exercise our plans
Why do crisis or business continuity exercises?
Are exercises really that valuable to maturing a crisis management or business continuity strategy?
In this episode of the Managing Uncertainty podcast, Bryghtpath Principal & CEO Bryan Strawser takes on that topic and more. Topics discussed include effective exercises, table top exercises, simulation exercises, integrated exercises, business continuity, crisis management, information security, data breaches, and the need to build muscle memory for crisis teams.
Episode Transcript
Hi, folks. Bryan Strawser, Principal and CEO at Bryghtpath, and welcome back to the Managing Uncertainty Podcast. Today we’re going to talk about why we do crisis management exercises. Why do we exercise our plans?
One question that we get a lot here at Bryghtpath from prospective clients is about coming in and running crisis exercises of some type. It could be a tabletop exercise. It could be a full simulation exercise, where you’re actually working through and doing some of the things that are in your plans, or all of the things that are in your plans, or some variation on the exercises. It could be a virtual tabletop instead of an in-person tabletop, so on and so forth.
Now there’s a number of reasons that you want to exercise your crisis management plans. The first one is, is to see if it works.
If you create the exercise scenario correctly, and you set the type of exercise that you’re doing, correctly, for what your goals are, you can test and see if your plan would actually work in the crisis situation that you intend it to work it in.
And what I mean by that is, not that necessarily, you’re going to be successful in managing the crisis and testing that in your plan, but you’re testing the processes that you put into place in your plans.
For example, we do a number of data breach exercises, or other crisis exercises, where there’s a significant internal and external communications component. And we’ve often found in the plans, and exercises that were involved, that one of the challenges is actually working through that communications process.
Think about the number of moving parts in a data breach. When it comes to what, and how, and when, and where you’re going to communicate what has happened. And particularly if you’re in a regulated business, you have to balance the need to communicate internally, communicating with your customers, your stakeholders, your vendors, your regulators, and of course, your employees and leaders, and your institutional investors.
So, there’s a number of audiences that really come into play as you’re thinking about crafting that communication, and you will likely have, most companies would have, relatively robust communications review and approval process.
If you think about your typical large scale communications campaign within a company, if you’re not time pressed, if you’re not being forced to communicate something due to external threats and influences, well, you have all the time in the world to create your communication strategy and publish the communications on your timetable.
But in a data breach, you don’t have that. You are balancing the challenges of regulation, which might require you to disclose within a certain period of time. You’re balancing the challenge of notifying your stakeholders that that communication is coming from you and not from a third party. You have the issue of the press finding out that something has happened, whether through their own investigation, or because of a leak of some type inside your company. And then, law enforcement, particularly federal law enforcement, may know about the data breach, and are pressuring you to communicate or not communicate what’s going on.
View all episodes
By Bryghtpath LLC
5
99 ratings
Why do crisis or business continuity exercises?
Are exercises really that valuable to maturing a crisis management or business continuity strategy?
In this episode of the Managing Uncertainty podcast, Bryghtpath Principal & CEO Bryan Strawser takes on that topic and more. Topics discussed include effective exercises, table top exercises, simulation exercises, integrated exercises, business continuity, crisis management, information security, data breaches, and the need to build muscle memory for crisis teams.
Episode Transcript
Hi, folks. Bryan Strawser, Principal and CEO at Bryghtpath, and welcome back to the Managing Uncertainty Podcast. Today we’re going to talk about why we do crisis management exercises. Why do we exercise our plans?
One question that we get a lot here at Bryghtpath from prospective clients is about coming in and running crisis exercises of some type. It could be a tabletop exercise. It could be a full simulation exercise, where you’re actually working through and doing some of the things that are in your plans, or all of the things that are in your plans, or some variation on the exercises. It could be a virtual tabletop instead of an in-person tabletop, so on and so forth.
Now there’s a number of reasons that you want to exercise your crisis management plans. The first one is, is to see if it works.
If you create the exercise scenario correctly, and you set the type of exercise that you’re doing, correctly, for what your goals are, you can test and see if your plan would actually work in the crisis situation that you intend it to work it in.
And what I mean by that is, not that necessarily, you’re going to be successful in managing the crisis and testing that in your plan, but you’re testing the processes that you put into place in your plans.
For example, we do a number of data breach exercises, or other crisis exercises, where there’s a significant internal and external communications component. And we’ve often found in the plans, and exercises that were involved, that one of the challenges is actually working through that communications process.
Think about the number of moving parts in a data breach. When it comes to what, and how, and when, and where you’re going to communicate what has happened. And particularly if you’re in a regulated business, you have to balance the need to communicate internally, communicating with your customers, your stakeholders, your vendors, your regulators, and of course, your employees and leaders, and your institutional investors.
So, there’s a number of audiences that really come into play as you’re thinking about crafting that communication, and you will likely have, most companies would have, relatively robust communications review and approval process.
If you think about your typical large scale communications campaign within a company, if you’re not time pressed, if you’re not being forced to communicate something due to external threats and influences, well, you have all the time in the world to create your communication strategy and publish the communications on your timetable.
But in a data breach, you don’t have that. You are balancing the challenges of regulation, which might require you to disclose within a certain period of time. You’re balancing the challenge of notifying your stakeholders that that communication is coming from you and not from a third party. You have the issue of the press finding out that something has happened, whether through their own investigation, or because of a leak of some type inside your company. And then, law enforcement, particularly federal law enforcement, may know about the data breach, and are pressuring you to communicate or not communicate what’s going on.