Today, more than ever, organizations are exposed to multiple risk factors, both internal and external. Recent events show us the extent to which managing crises is both sensitive and complex, and can have a lasting impact on the image and the assets of a company. As the news constantly reminds us, and because, no, it doesn’t only happen to other people, learning how to manage a crisis is no longer just an opportunity, but a necessity!
In society today, the concept of a “crisis” can be perceived in a variety of ways, which makes it difficult to define exactly. Indeed, the word crisis (economic, social or reputational) is widely used to describe all types of situations or events of the kind broadcast in media headlines.
In terms of its history, the word crisis comes from the Greek “Κρίσις”, and combines the meanings of “judgment” and “decision” to describe coming to a decision between several opposing, if not conflicting, positions or opinions.
A crisis management exercise consists of practicing, and thus training an organization in, how to face one or more major events (whatever the origin of these events may be, and whether they are sudden or progressive in nature) that would have a significant impact on the operations of the company and could potentially put its resources, and therefore its assets, in danger.
Why run crisis management exercises?
Primarily because it is the only tangible way to ensure that the arrangements that have been put in place are working properly and are capable of facing all types of crisis situations. Indeed, every organization must be prepared to manage complex and destabilizing situations, including ones that it has not predicted or even imagined.
The objectives of a crisis management exercise are to test operational mettle, both in organizational and human terms, for each of the individual teams that will manage a crisis if a major event threatens all or some of its activities.
First, the exercises validate the alert-escalation procedures, up to the mobilization of crisis units; second, they validate all of the crisis management procedures, which are tested throughout the training session. Clearly, the exercises will contribute to raising the proficiency of the participants who, by doing them, progressively gain the expertise and reflexes necessary for effective management of the situation.
As crisis management relies on human capabilities (ability to anticipate, to make decisions, etc.) and because everyone can be led to react differently when faced with the unknown and with stress, being trained is also being prepared.
Finally, it should be noted that running crisis management exercises is a regulatory requirement for banks and financial institutions. The financial regulator ensures that the organization has completed at least one significant exercise every year to verify that the system has been tested and that an improvement plan has been established. Ideally, the level of difficulty of the exercises should increase, and, over time, cover different types of crisis.
Who should participate in crisis management exercises?
As mentioned above, crisis management exercises aim to test the capabilities of an organization to make decisions in an unusual context. They are therefore particularly aimed at members of the crisis management team (CMT), which makes the decisions. This team is usually made up of representatives from the highest levels of management within the company (members of the executive or management committee).
During a crisis management exercise, the departments mobilized within the CMT may vary depending on the scenario being played out. However, expertise within human resources, communications (internal and external), legal, logistics, and the business area impacted will usually be drawn on.
In order to enhance the robustness of the measures, it is also prudent to involve additional people in crisis management exercises; they can help the company to protect itself against any lack of expertise within the CMT in a case where one of its regular members is unavailable.
It is also possible to train operational crisis teams whose role is to implement the decisions that have been taken by the CMT.
Crisis management exercises are also organized on a national and international scale. The Paris Resilience Group (made up of credit institutions or similar, market infrastructure organizations, and representatives from the Ministry of Economy and Finance, the Treasury Directorate General, the Fédération bancaire française [the French Banking Federation], Banque de France [the French central bank], and supervisory and regulatory authorities such as the Financial Control and Resolution Authority (ACPR) and the Financial Markets Authority (AMF)) meets regularly to improve the robustness of the Paris financial market and to exchange experiences with other businesses as well as with other major financial centers. Large-scale exercises are run annually (an electricity blackout, an H1N1 pandemic, a hundred-year flood of the Seine, a cyber-attack, etc.).
What are the steps to take when setting up a crisis management exercise?
The first step is to define and validate the objectives of the exercise, which should take into account the degree of maturity of the entity in terms of crisis management (for the one or more crisis teams involved in the exercise). This means positioning the degree of challenge at a level where objectives are ambitious but achievable. The objectives must also take into account the areas of improvement identified by previous exercises, by checking that improvements or corrective actions have been properly implemented.
The second stage is to conduct a macro scenario exercise that is adapted both to the business context and the objectives set. The potential scenarios are many and varied, depending on the source (internal or external) and the features (technical, economic, or social and organizational) of the type of crisis selected. The range of scenarios is vast and stretches from the common to the more unexpected:
- Fire/gas explosion, with or without injured parties
- Cyber-attack with loss of data or destruction of IS
- Major IT failure
- Internal or external fraud
- Pandemic
- Social unrest
- Circulation of rumors
- Natural disaster
- Attacks
- Abduction/kidnapping or disappearance of senior managers
The macro scenario is then broken down into a detailed timetable which runs through each of the events that will be faced by the crisis management team or teams during the exercise. Each stimulus making up the timetable must be formulated concisely and precisely, using the terms specific to the company (the process, names and contact numbers of the people involved in the simulation, etc.), thus allowing the simulation to be organized and structured as closely as possible in line with the real business.
The live phase of the simulation is to play out the scenario as specified in the timetable. A coordinating group that represents both the outside world and other stakeholders within the organization sends the agreed stimuli to the crisis teams being tested (via emails, phone calls, screenshots and press articles), in line with the pre-agreed timescales. Members of the crisis unit play their own role, and observers in the crisis room record their observations for debriefing. The simulation team ensures that no information leaves the domain of the crisis exercise, which helps to prevent a “real” crisis breaking out.
At the end of the exercise, an immediate debriefing is led by the exercise director during which everyone joins in and helps feed the debate. An exercise report with the strengths and weaknesses of the procedure is then formalized and sent to the members of the crisis team.
The observations made during the exercises allow potential vulnerabilities in the organization to be identified, which are then the object of a prioritized action plan. The organization must then establish, implement and monitor a plan of action to ensure the resilience of the system put in place. The effectiveness and robustness of the crisis management system should then be tested in future exercises.