Designing and Developing a Live CM Exercise
Designing and developing a live crisis management exercise involves a structured approach to ensure realism, safety, and actionable insights.
Pre-reading for Participants Attending Module 4 of the CM-5000 Crisis Management Expert Implementer Course
Step-by-Step Guide to Designing a Live CM Exercise
Below is a step-by-step guide to creating an effective live exercise:
Define Objectives & Scope
- Purpose: Clarify what you aim to achieve (e.g., test evacuation procedures, validate IT recovery, improve cross-team coordination).
- Scope: Determine the incident type (e.g., fire, cyberattack, active shooter) and teams involved (e.g., IT, PR, security).
- Success Criteria: Define measurable outcomes (e.g., "Evacuate the building in under 10 minutes" or "Restore critical systems within 2 hours").
Example Objective
"Test the IT team’s ability to isolate a ransomware attack while coordinating with PR to manage external communications."
Select a Realistic Scenario
- Risk-Based: Align with high-impact, high-likelihood threats (e.g., natural disasters for coastal facilities, data breaches for financial firms).
- Complexity: Include cascading effects (e.g., a power outage disrupts operations and communication systems).
- Inject Design: Plan timed, escalating events (e.g., "At T+15 mins, hackers leak data on social media").
Sample Scenario
"A fire in the data centre breaks out, triggering IT system failures and media inquiries about customer data loss."
Assemble the Team & Roles
- Participants:
  - Responders: Crisis team, IT, security, PR, facilities.
  - Controllers/Facilitators: Manage injects, adjust difficulty, ensure safety.
  - Evaluators/Observers: Document actions, timing, and gaps.
  - Actors: Play roles like "injured employees" or "angry customers."
- External Partners: Involve emergency services, vendors, or regulators if relevant.
Tip
Use a RACI Matrix to clarify responsibilities (Responsible, Accountable, Consulted, Informed).
Plan Logistics & Safety
- Location: Choose a realistic setting (e.g., actual office, backup site, or simulated environment).
- Tools/Equipment:
  - Activate real systems (e.g., emergency alarms, mass notification tools).
  - Use props (e.g., smoke machines for fire drills, mock ransom notes).
- Safety Protocols:
  - Ensure no real harm (e.g., use virtual "outages" instead of shutting down live systems).
  - Brief all participants on emergency exits and safety rules.
Develop the Exercise Timeline
- Master Scenario Events List (MSEL):
  - Outline injects, timing, and intended outcomes.
  - Example:
    - T+0: Fire alarm triggers evacuation.
    - T+10 mins: Report of "trapped employee" in Room 203.
    - T+30 mins: Media calls about data loss rumours.
- Branching Scenarios: Adjust injects based on team responses (e.g., if PR delays a statement, escalate media pressure).
Conduct Pre-Exercise Briefings
- Participant Briefing: Explain objectives, rules, and safety measures.
- Controller/Eval Briefing: Ensure facilitators understand injects and evaluation criteria.
- Mock Communications: Test tools (e.g., radios, crisis apps) beforehand.
Execute the Exercise
- Launch the Scenario: Start with the initial incident (e.g., activate alarms, simulate a phishing email).
- Introduce Injects: Follow the MSEL but remain flexible to adapt based on team performance.
- Monitor & Document:
  - Track decision-making speed, communication accuracy, and protocol adherence.
  - Use video/audio recordings (with consent) for post-exercise review.
Debrief & After-Action Review
- Hot Wash: Immediate feedback session with participants.
  - Questions: What went well? Where did we struggle?
- Formal Report: Summarise findings, including:
  - Strengths: Effective actions (e.g., "PR issued a statement within 20 minutes").
  - Gaps: Failures (e.g., "IT took 45 minutes to isolate the breach").
  - Recommendations: Updates to plans, training, or tools.
Implement Improvements
- Update Plans: Revise crisis playbooks based on lessons learned.
- Targeted Training: Address skill gaps (e.g., media training for spokespersons).
- Follow-Up Drills: Schedule smaller exercises to test fixes (e.g., a 30-minute comms drill).
Key Success Factors
✅ Realism: Mimic actual crisis conditions (time pressure, resource constraints).
✅ Psychological Safety: Encourage open dialogue without blame.
✅ Documentation: Capture details for compliance and continuous improvement.
Example Live Exercise: Ransomware Attack
Scenario:
- T+0: IT detects encrypted files and a ransom note.
- T+20 mins: Hackers threaten to leak data; PR must draft a customer notification.
- T+1 hour: Executives debate paying the ransom vs. legal repercussions.
Live Actions:
- IT isolates servers, PR conducts a mock press conference, and Legal contacts regulators.