Once you’ve made the decision to hold a crisis management exercise, how should the exercise team and participants begin planning for the exercise? There’s a lot to do in order to ensure that the goals of the exercise are achieved!
In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & CEO Bryan Strawser along with Consultant Bray Wheeler discuss their experiences in crafting and preparing exercise material – but also how to coach participants through preparing for the exercise that you are developing.
Bryan Strawser: Hello and welcome to the Managing Uncertainty Podcast. This is Bryan Strawser, principal and CEO at Bryghtpath.
Bray Wheeler: This is Bray Wheeler, a consultant at Bryghtpath.
Bryan Strawser: We’ve decided that 90 days from now, we’re going to have a crisis exercise. We’ve scheduled it. We’ve sent out the invites. We’ve secured the room. Then it hits us. We have to prepare for this exercise. We just thought it was a good idea to have one. What are we going to do here? What do we do, Bray?
Bray Wheeler: Where to begin? Where to begin? Well, I think a couple of assumptions. We’ve identified the scenario. We’ve laid out our run of play, or our outline, for the exercise. We feel pretty confident in that. I think what we’re trying to drive at is-
Bryan Strawser: We know who’s participating and observing and evaluating and controlling, which might all be the same person.
Bray Wheeler: Right. All the finer points of the nature of the exercise and what we’re trying to accomplish has been laid out. But we have to get ready for it. I think there’s a couple of different pockets of things, activities, that have to be done. One is as players and one is as facilitators from that exercise. From just a pure participant player standpoint, there’s quite a bit that people can do that’s probably fairly obvious, but not everybody does it. We do surveys a lot with a lot of our companies, and it’s amazing to see that people, “Well, I brought the plan.” And that’s all they did.
Bryan Strawser: Bringing the plan is good. It’s good to have the plan with you.
Bray Wheeler: Right. It’s a good start, but they often don’t necessarily review that plan upfront. They’re not meeting as individual workstreams or things like that. There’s a lot that can be done. I think we’ve talked quite a bit about reviewing that plan is important, but it’s really looking at it from a, “I understand the general flow of how things go, that I could easily communicate that to somebody who doesn’t know.” Maybe that’s your participants, your members of your crisis group, whatever that is, should be able to walk up to a random employee in the company and be able to succinctly explain what the general process is for that and have that person understand what they’re talking about, because that means that participant gets it.
Bryan Strawser: Yeah. They understand what’s going on. They can speak to the context of the exercise. I think our standard practice has been, as you get closer to the exercise, seven to ten days out or maybe a little bit earlier, we’re having somebody, sometimes it’s us, sometimes the client’s main program person is sending out an email to participants. In the email, we always include a couple of things, like, “Here’s the goals or objectives for the exercise. More importantly, how you should think about preparing for the exercise.” To your point, it is to review the plan, talk about the plan with others. We have them look at previous after-action reports, to look at what worked well and what recommendations work. Sometimes those recommendations are about the participants, or about the interaction from the participants or knowledge from the plan, that kind of thing.
Bray Wheeler: Or a process, like accounting for-
Bryan Strawser: Or a process.
Bray Wheeler: … employees, or how to engage an HR partner or something like that, that having those workstreams, whether it’s communications or HR or security or something like that, get together and meet up in advance and just say, “Hey, we get into a situation where this exercise is coming up. Let’s talk through our roles and responsibilities, our process. Who’s going to have the ball? When do I need to pick the ball up? When are you going to pass me the ball, or when can I expect that the ball’s coming my way without knowing in advance?” That, I think, speaks to just being comfortable, just generally, not only with the process but just that roles and responsibilities and understanding what other people are doing when you walk into that room. You’re not breaking down, “Why to do this?” or “Don’t you do this?” That you’re pretty comfortable, and it’s deeper questions that you’re going to ask during the exercise to clarify a certain piece, rather than knowledge seek.
Bryan Strawser: I think it behooves people who have been involved in a previous exercise, and they find themselves going into another exercise. Same company, same rough role, and responsibilities. I think it is important to reflect on what went well and what didn’t go well in that previous exercise, and look at the formal after-action report if you have access to it, because at least the way we ponder constructing exercises, and I know our clients believe in this too, we’re looking at what didn’t go well last time that we said we were going to fix? Now we’re going to test it again to see if it’s fixed. You brought up accountability for employees. We’ve done a couple of exercises earlier this year with clients where that was a factor. One company had a process for that. It went into the exercise world and went well. One had never thought about it, and went, “Wow, we should figure out how to do that.” Obviously, this fall when we go back there and do an exercise, we’re going to be asking that. “Okay, so …”
Bray Wheeler: You’ve had time.
Bryan Strawser: “You’ve had time. We’re going to test it.”
Bray Wheeler: Do you know where your employees are?
Bryan Strawser: Yeah, “Do you know where your employees are? How are you going to account for the employees in this building?” The 1100 employees [inaudible 00:05:58], and I have confidence in this particular case the HR leader will be like, “Yes, we’re going to initiate our new process.”
Bray Wheeler: Done.
Bryan Strawser: Like magic, it happens. But it behooves you to go back and look at that list of opportunities and make sure that you’ve addressed them before the next exercise.
Bray Wheeler: Or I think to your point, in preparing for the next exercise, and even thinking about how you’re going to follow up out of that exercise is that after action and those opportunities, those things that didn’t go well, to your point, is it’s really based on what do we want to change? How do we want to fix it? Making it actionable, those opportunities, rather than, “Well, that didn’t go well. We don’t have a process for that.” Great. You need to take that opportunity and say, “Okay, we didn’t have this and we need to put that into place and that needs to be ready for the next exercise or next event or time limit, or whatever you want to set to it.” But make it actionable.
Bryan Strawser: Another area, I think, in preparing for an exercise, and you mentioned this, I think you talked about it as workstreams and I agree with that context. You think about the elements of a crisis team or a data incident response team, you have people there who are representing different functions or are a particular subject matter expert. They’re bringing that silo with them. But think about a client-facing business where you have multiple clients in different sizes that your organization provides services or products to, and then just think about the concept of communication in that world. You’ve got external comms going out to the public, like PR, you got social media. You got the investment community for publicly traded. You’ve got your employees, so now you got internal communications, and then you got communications for your clients.
Bray Wheeler: You even have regulatory.
Bryan Strawser: Good point. I left that out. You’ve also got communication regulators. Now you’re in a crisis and you have to communicate what’s going on. That is probably not just your comms team. It’s probably multiple stakeholders in various workstreams to make that happen. If you go upstream of preparing for the exercise, then it might be a good idea to get your workstream together and walk through this, particularly if it’s been a while since your last exercise. Do you have the inputs and outputs and the decision points nailed down? Do you need to practice this outside of the crisis environment before you get to the exercise? In some cases, yes. We have clients that should probably practice that.
Bray Wheeler: Well, and especially if there have been organizational changes if there are new leaders in those positions covering those areas. Communications is a good example because it’s probably one of the more complex pieces of running a crisis, because of everything we’ve laid out. Who’s in charge of drafting the messaging? Who has that responsibility? Who’s approving it? Who needs to see it first?
Bryan Strawser: Where’s the base factual narrative that we’re all working off of?
Bray Wheeler: Right. How is it being delivered, and who’s delivering it? How? There’s through social media. There’s through, hey, we have people calling into our customer service line who may not be a customer. They may just be journalists or a general person off the street asking a question. Employees calling up. We’ve seen that before, where employees will call the customer service line looking for information. It’s having all those different components, to your point, laid out ahead of time and knowing who’s running what.
Bray Wheeler: The second bucket we have been talking about … we have the player, participants, members of the crisis team, and then there’s the facilitators or the operators of the exercise [crosstalk 00:10:06]-
Bryan Strawser: Controllers and exercise director, depends on what terminology you’re using.
Bray Wheeler: Evaluator. All those things.
Bryan Strawser: Servers.
Bray Wheeler: I think as we were talking earlier, there’s really two ways as you’re thinking about the exercise. You’re running an exercise probably for two reasons. One is it’s a newer function or a newer plan or generally just a new team, and really it’s a-
Bryan Strawser: It’s a confidence builder.
Bray Wheeler: Yeah. You’re building confidence. You’re getting them comfortable with the plan and the process and the players and each other, in a lot of cases. The second one is it’s a more mature function. This one is we’re going to challenge you. As you indicated earlier, introducing fog into it.
Bryan Strawser: Fog of war.
Bray Wheeler: Stress.
Bryan Strawser: We’re going to introduce noise in order to distract you from managing your scenario.
Bray Wheeler: Yeah. How are you able to discern what’s important, what’s not important, what decisions do you need to make, all those different things. Really, as a facilitator or controller … we’ll use facilitator for conversation purposes, really with that new function, you’re really guiding them. You’re shepherding them through the exercise. You’re a source for answers to questions. You’re mediating different conversations. You’re really just allowing them to talk it out and play it out to get comfortable with it. When you get into that mature scenario, your role changes. You’re less the source of truth. You’re a nudger. You’re just poking them and prodding them along to keep the exercise moving so that they don’t stall out, but really you’re not giving them the answers anymore.
Bray Wheeler: You need to be able to distinguish between what role you’re playing in preparing for that exercise and make sure that you’re clear on that, so that you’re not giving too much information in a mature situation, but you’re also not so abstract with the new.
Bryan Strawser: Yeah. I think those are all great points. As the exercise staff, so to speak, we’re really looking at are we clear upfront what everyone’s roles are going to be? Are we clear on how we’re going to interact? The way our approach has been, even if we’re sitting next to each other during the exercise, is we use a particular channel on our internal slack to keep everybody in sync, because often when we’re doing exercises, there might be two or three of us in the room, and one or two of us are mulling, who are calling in, or some other nefarious way of injecting information. We’ve done some strange things. But the interaction … we’re very clear that we’re going to execute a move 14 now.
Bryan Strawser: When I’m directing the exercise, I’ll then say, based on their reaction to move 14, we’ll execute move 17 or move 19. Those moves are basically the reward or the consequence of what they’re doing in the move that we just called. Sometimes we have moves that we inject that we don’t even bring up because the situation has superseded that. Part of what I think we do in the preparation for this is we do a pretty good job, I think, of thinking about the multiple branches that the exercise may take, and then crafting injects that are realistic that make sense in the moment that they do these things. Even if they seem far fetched at the time, we’re creating them. Sometimes we’re creating these in order to jump ahead in time or force an action because they haven’t chosen to do something earlier.
Bryan Strawser: For example, one of our internal traditions on information security, cyber security-focused exercise, is to have someone inject themselves into the scenario and pretend to be Journalist Brian Krebs, because famously, Kreb gets ignored by people sometimes and that’s really not a wise move. There’s always a consequence in our exercise if you respond to Krebs, then he will work with you in the exercise on the story. If you ignore Krebs, then the story’s going to break a lot faster than you think it’s going to, because now he’s mad. Exercise Krebs is mad.
Bray Wheeler: And often with a surprising level of accuracy of-
Bryan Strawser: Of what actually happened.
Bray Wheeler: … what’s going on to force that, because he’s known for that.
Bryan Strawser: But this is what you want to create, I think, in the exercise, is to play out what we were just talking about. One of the bigger decisions that you’re going to make in a cybersecurity exercise when you get to the point of confirming a breach, and the breach involved regulated data, PCI, PHI, trade seeker data, you pick your issue, some of these have mandatory reporting periods attached to them. You may be in the exercise thinking, “I’ve got 72 hours to craft my messaging to understand the various vehicles I’ve got to send stuff out to my different audiences, and I’ve got time to figure this out.” What you don’t know is that phone they rang over at the comms table in the exercise was exercise Bryan Krebs, and your comms team blew him off.
Bryan Strawser: To them, they’re just … At least the first time. They learn the lesson quick. The first time they do that… They’re like, “Okay, well I’ve saved the situation because no journalist knows.” The problem is, 15 minutes later in the exercise, you get the … a new story lands in everyone’s mailbox, and when they click it, it’s an audio link that they’ve recorded by an actor blowing your story wide open by Bryan Krebs. And now you don’t have 72 hours.
Bray Wheeler: You do not.
Bryan Strawser: You’re out of time.
Bray Wheeler: You’re out of time.
Bryan Strawser: You got to go now, and actually you’re too late because the story’s already out. It’s not your story.
Bray Wheeler: Now you’re playing catch up to …
Bryan Strawser: Now you’re playing catch up.
Bray Wheeler: … what’s going on.
Bryan Strawser: In fact, we always craft it in a way that you’re going to have to correct the story. The story’s right, you’ve had a data breach. It might be that what you know is 600,000 records, the story is 4 million, so it sounds worse than what it really is and now you got to correct it. That’s going to be really hard.
Bray Wheeler: Really to that point, in thinking about the different branches, you also have to be able to go into this prepared for situations where they take a different turn, or they explore a different branch than what was considered. Often, you can lay some of these out as … some of them are more binary choices. It’s a yes, no. It’s a go, don’t go, pay, don’t pay, type of situation. Sometimes there are more branches that we think through and have prepared. But I think as the facilitator, what you really want to be able to do is be comfortable with that exercise in a fashion that if they go a different route or they don’t take action on something that you assume they were going to take action on that they had done previously, that they were good at, that you assume there’s no way they’re possibly going to pass this up.
Bryan Strawser: And they do.
Bray Wheeler: They do, or it gets stalled out in a different conversation and nobody’s aware that this other conversation’s going on. You have to be prepared to add another inject, or on the fly put additional pressure out there so that you’re forcing some of these injects you’ve already put into play to be played. You have to be able to improvise and adapt, even if you’ve done a really good job of laying out the different things. I think to that end, too, as the facilitator, you can bind yourself up in knots if you get too detailed and you get too rigid to the plan that you’re trying to play out that, “Well, there’s only one of two choices. If they don’t pick these two choices, I don’t know what to do. This exercise is a failure.” It’s not a failure.
Bray Wheeler: You have to be able to lay it out in a way that you’re allowing them to organically react to things and just prepare for them to start taking paths, but then be prepared as that facilitator or evaluator to say, “You know what? They actually went a different route and it was really effective. We didn’t have to play two more injects,” or “We had to add two more injects in on the fly to move the conversation or explore a different piece of the objectives that they want to accomplish with the exercise.” I think that’s the other piece of a facilitator, too, is to keep those objectives that you’ve laid out for the exercise top of mind, that really what you’re trying to do is if communications is a thing, you’re really playing up that communications piece of it. You’re not letting that slide because the conversation went a different way. You’re trying to drive them back to some of those objectives if you can.
Bryan Strawser: I think you bring a really important point. Part of it is that whole idea of thinking through the storyline for the exercise, and crafting your injects to support that in branches that you’ve foreseen. But you’re exactly right, Bray, in that there will be situations that you just didn’t foresee. It doesn’t mean that they’re wrong, the team just chose to go a different route. As the facilitator, exercise director, you either got to decide that the path they’re on is right and that’s the right path for what they’ve decided and you’re going to have to rearrange on the fly to deal with that, or you’re going to have to take some actions to get them back onto your main storyline. It’s hard to tell until you’re in the moment and you see the direction that they’re going to wind up going.
Bray Wheeler: Well, and sometimes they just get hung up on a point and they just feel like, “I don’t have all the-”
Bryan Strawser: The wrong point?
Bray Wheeler: The wrong point. Or, “I don’t have enough information to make a decision. I don’t know what to do. I’m making an assumption here. I don’t know. I don’t know.” You have to be able to, as the facilitator or that exercise staff, be able to step in and just say, “This is what we know. This is the only information you have. Assume this to be true,” in order to get them unhooked or unstuck off of a point that they’ve rallied around that says, “No. Just assume this to be true. Move on.” To get them to keep moving. It’s that nimbleness. It’s that improvisation, that as that facilitation staff when you’re preparing for it, you need to know the nuts and bolts of logistics of what’s going on. But really, you just need to be comfortable in a way walking in there that you can push them and make them work through it. Whatever the goal is for that exercise, your focus is just on making sure that that happens.
Bray Wheeler: Regardless of what tangent or how slow the exercise may move because they’re really exploring good content, those aren’t failures, if you can’t get to your last inject. You crafted ten injects and you only get to eight. It’s not a failure.
Bryan Strawser: In the end, the number of injects doesn’t matter.
Bray Wheeler: No.
Bryan Strawser: Do you reach the goals the director just laid out in the exercise?
Bray Wheeler: Exactly.
Bryan Strawser: When you’re finalizing your exercise plan and you lay out, “Here’s where we’re going to stop. We’re stopping at 3:00, or when we reach this point in the exercise, this decision has been made, or this conclusion has been reached and this is where we’re going to cut it.”
Bray Wheeler: Call it.
Bryan Strawser: Call it. Maybe you don’t really have a hard time in some cases. It depends on your exercise and your company that you’re doing. I think ours usually has a … There’s a point where we got to end, but we’re trying to get them there in advance of that by getting them to the final decision that they need to make before this thing wraps up, or…
Bray Wheeler: Or identifying the decision points you need to be able to-
Bryan Strawser: Exactly.
Bray Wheeler: … walk into the execs.
Bryan Strawser: Or you achieve the result. It’s like your Oregon Trail game ends because you died of dysentery, or you died fording the Mississippi.
Bray Wheeler: Right, your wagon axle broke.
Bryan Strawser: Your wagon axle broke.
Bray Wheeler: You all starved.
Bryan Strawser: Whatever those events were in Oregon Trail on the exercises, we’re the same way. That’s it for this edition of the Managing Uncertainty Podcast. We wish you well in preparing and planning for your next exercise. We’ve got 90 days till ours, so we’ve got some work to do. Thanks for tuning in. Hope you’ll listen next week.
In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser discusses the Plan Do Check Act Cycle in your...
In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal and Chief Executive Bryan Strawser and Senior Consultant Bray Wheeler discuss the brand new...
In this riveting episode of the Managing Uncertainty podcast, join host Bryan Strawser, Principal and Chief Executive at Bryghtpath, as he shares vital strategies...
