Crisis Management Series
CM Ai Gen_with Cert Logo_nn_7

[CM] Designing and Developing a Live CM Exercise

Designing and developing a live crisis management exercise involves a structured approach to ensure realism, safety, and actionable insights.

Moh Heng Goh
Crisis Management Certified Planner-Specialist-Expert

Designing and Developing a Live CM Exercise

Designing and developing a live crisis management exercise involves a structured approach to ensure realism, safety, and actionable insights.

 

Pre-reading for Participants Attending Module 4 of the CM-5000 Crisis Management Expert Implementer Course

Step-by-Step Guide to Designing a Live CM Exercise

Below is a step-by-step guide to creating an effective live exercise:

Define Objectives & Scope

  • Purpose: Clarify what you aim to achieve (e.g., test evacuation procedures, validate IT recovery, improve cross-team coordination).

  • Scope: Determine the incident type (e.g., fire, cyberattack, active shooter) and teams involved (e.g., IT, PR, security).

  • Success Criteria: Define measurable outcomes (e.g., "Evacuate the building in under 10 minutes" or "Restore critical systems within 2 hours").

Example Objective

"Test the IT team’s ability to isolate a ransomware attack while coordinating with PR to manage external communications."

Select a Realistic Scenario

  • Risk-Based: Align with high-impact, high-likelihood threats (e.g., natural disasters for coastal facilities, data breaches for financial firms).

  • Complexity: Include cascading effects (e.g., a power outage disrupts operations and communication systems).

  • Inject Design: Plan timed, escalating events (e.g., "At T+15 mins, hackers leak data on social media").

Sample Scenario

"A fire in the data centre breaks out, triggering IT system failures and media inquiries about customer data loss."

Assemble the Team & Roles

  • Participants:

    • Responders: Crisis team, IT, security, PR, facilities.

    • Controllers/Facilitators: Manage injects, adjust difficulty, ensure safety.

    • Evaluators/Observers: Document actions, timing, and gaps.

    • Actors: Play roles like "injured employees" or "angry customers."

  • External Partners: Involve emergency services, vendors, or regulators if relevant.

Tip

Use a RACI Matrix to clarify responsibilities (Responsible, Accountable, Consulted, Informed).

Plan Logistics & Safety

  • Location: Choose a realistic setting (e.g., actual office, backup site, or simulated environment).

  • Tools/Equipment:

    • Activate real systems (e.g., emergency alarms, mass notification tools).

    • Use props (e.g., smoke machines for fire drills, mock ransom notes).

  • Safety Protocols:

    • Ensure no real harm (e.g., use virtual "outages" instead of shutting down live systems).

    • Brief all participants on emergency exits and safety rules.

Develop the Exercise Timeline

  • Master Scenario Events List (MSEL):

    • Outline injects, timing, and intended outcomes.

    • Example:

      • T+0: Fire alarm triggers evacuation.

      • T+10 mins: Report of "trapped employee" in Room 203.

      • T+30 mins: Media calls about data loss rumours.

  • Branching Scenarios: Adjust injects based on team responses (e.g., if PR delays a statement, escalate media pressure).

Conduct Pre-Exercise Briefings

  • Participant Briefing: Explain objectives, rules, and safety measures.

  • Controller/Eval Briefing: Ensure facilitators understand injects and evaluation criteria.

  • Mock Communications: Test tools (e.g., radios, crisis apps) beforehand.

Execute the Exercise

  • Launch the Scenario: Start with the initial incident (e.g., activate alarms, simulate a phishing email).

  • Introduce Injects: Follow the MSEL but remain flexible to adapt based on team performance.

  • Monitor & Document:

    • Track decision-making speed, communication accuracy, and protocol adherence.

    • Use video/audio recordings (with consent) for post-exercise review.

Debrief & After-Action Review

  • Hot Wash: Immediate feedback session with participants.

    • Questions: What went well? Where did we struggle?

  • Formal Report: Summarise findings, including:

    • Strengths: Effective actions (e.g., "PR stated within 20 minutes").

    • Gaps: Failures (e.g., "IT took 45 minutes to isolate the breach").

    • Recommendations: Updates to plans, training, or tools.

Implement Improvements

  • Update Plans: Revise crisis playbooks based on lessons learned.

  • Targeted Training: Address skill gaps (e.g., media training for spokespersons).

  • Follow-Up Drills: Schedule smaller exercises to test fixes (e.g., a 30-minute comms drill).

Key Success Factors

 Realism: Mimic actual crisis conditions (time pressure, resource constraints).
 Psychological Safety: Encourage open dialogue without blame.
 Documentation: Capture details for compliance and continuous improvement.

Example Live Exercise: Ransomware Attack

Scenario:

  1. T+0: IT detects encrypted files and a ransom note.

  2. T+20 mins: Hackers threaten to leak data; PR must draft a customer notification.

  3. T+1 hour: Executives debate paying the ransom vs. legal repercussions.

Live Actions:

  • IT isolates servers, PR conducts a mock press conference, and Legal contacts regulators.

 

Types of Crisis Management Exercises
Design and Develop Crisis Management Exercises

 

More Information About Crisis Management Courses

To learn more about the course and schedule, click the buttons below for the  CM-300 Crisis Management Implementer [CM-3] and the CM-5000 Crisis Management Expert Implementer [CM-5].

Please feel free to send us a note if you have any questions.

Your Comments Here:

 

More Posts