In today’s complex risk landscape, organisations face ever-increasing threats from cyberattacks and natural disasters to supply chain shocks and geopolitical instability. As a result, many organisations simulate disruptions through scenario exercises to assess and enhance their ability to respond effectively.
Normally, the learning points from these exercises are captured in post-exercise reports that make observations and propose recommendations for improvement. However, organisations frequently struggle to implement these recommendations, meaning the same vulnerabilities persist.
This article will examine a range of factors that conspire to prevent organisations from implementing lessons identified during scenario exercises and suggest steps that can be taken to address the situation.
The purpose of scenario exercises
Scenario-based exercises can take many forms, ranging from simple tabletop sessions to complex multi-response team simulations. These exercises are conducted for a variety of reasons and the aim, objectives and exercise methodology will vary depending on the training audience. Strategic exercises tend to focus on determining what the organisation must do to address the situation: in other words, decide the ultimate objective or strategic intent to be achieved. Tactical team exercises are commonly used to explore the challenges and complexities of how to convert the strategic intent into operational activity and how to co-ordinate and prioritise resources between competing problem-sets and organisational departments. Operational exercises often focus on the immediate actions needed to save life, stabilise a situation or the processes and procedures needed to recover disrupted IT systems.
Broadly, organisations conduct exercises to:
- Test immediate actions, escalation, notification and invocation procedures
- Validate emergency response plans
- Practise leadership decision-making under pressure
- Enhance cross-functional coordination
- Identify operational and strategic gaps
- Meet regulatory requirements
Scenario exercises also have the additional benefits of:
- Building confidence among response team members
- Enhancing teamwork and communications between departments
- Developing a more detailed understanding of risk profiles
- Allowing senior leaders to explore the potential impact of low-probability, high-impact events before they occur
Why then do organisations struggle to implement lessons learned?
A post-exercise report should provide observations of what went well, where gaps exist and identify recommendations for improvement. However, organisations frequently struggle to successfully translate these recommendations into tangible enhancements to their resilience preparations and incident response arrangements. Each set of circumstances is unique to the organisation but below are several factors that conspire to prevent organisations successfully benefitting from the lessons identified during response team exercises and fully implementing recommendations for improvement.
- Insufficiently compelling imperative – ‘it’s just an exercise.’ One of the first challenges is that lessons from scenario exercises may fail to resonate with senior leaders or fail to create the sense of a ‘burning platform’ where senior leadership internalise the imperative to implement improvements and corrective action. This can occur when the exercise scenario is too generic, which may happen if the scenario is AI-generated and insufficiently tailored to the detail and nuance of the organisation. Where exercise recommendations for improvement do not directly relate to a regulatory requirement, it is sometimes tempting for organisations to compartmentalise them within the theoretical realm of the exercise rather than commit new resources and management effort to solving a previously unknown problem.
- Optimism bias and inconvenient truths – ‘It won’t happen to us.’ Another contributing factor to the lack of imperative can be a prevailing optimism bias amongst senior leadership teams who are used to success. Where senior leadership teams have a dominant personality, insufficient diversity or an underdeveloped culture of challenge, groupthink can prevail and lessons from exercises can be dismissed as ‘inconvenient’ to the desired business priorities. Ultimately, there is nothing like the experience of a real disruption to focus the mind, and even then, there may be siren voices in management teams who advocate that ‘lightning won’t strike twice.’
- Lack of organisational commitment. In some cases, organisations treat exercises as a one-off event or compliance requirement and senior leadership interest wanes once the exercise has finished. Without commitment from the top, continual improvement efforts can quickly lose momentum, and without executive-level sponsorship, well-meaning resilience managers can lose traction within the organisation and make little progress in persuading busy departments to follow through on post-exercise action points.
- Competing priorities. All organisations operate in a competitive, resource-constrained environment. Against real-world pressures, post-exercise momentum can often be short-lived and, unless there is a robust, structured process for implementing improvements, attention will shift to “business as usual” and lessons learned may be forgotten.
- Lack of executive-level sponsorship. In organisations where there is no senior executive championing resilience as a strategic priority, exercises and their subsequent learnings can be seen as a distraction from the immediate pressures of meeting performance targets. Executive-level sponsorship in the form of an empowered and accountable senior leader is essential to break down silos, promote holistic cross functional cooperation and enforce accountability. Without a drive for cultural change from the top, exercises may become tick-box activities, and improvement plans will fall by the wayside.
- Siloed structures and fiefdoms. Most organisations operate in vertical structures, with relatively weak horizontal coordination mechanisms. These siloed structures can create boundaries between responsibilities and, in competitive bottom line orientated cultures, encourage departments to guard their territory when post-exercise recommendations require financial commitment from within existing budgets. Additionally, where interdepartmental rivalries and the presence of personal fiefdoms exist among senior leaders, there can be a resistance to cross-functional coordination and shared accountability. In these cases, improvement initiatives that span joint areas of responsibility have a high chance of stalling due to a ‘consent and evade’ mentality.
- Budget constraints. Implementing recommendations for improvement may often require new investment, whether for staff training, procurement of new systems, physical assets or staff resources. In tight fiscal environments, the temptation is to deprioritise resilience investments in favour of short-term operational requirements: a situation that is exacerbated when departments compete for influence or resources.
- No culture of continuous improvement. Organisations that lack a learning culture generally struggle to turn feedback into action. Post-exercise recommendations for improvement may be greeted with genuine interest and be recognised as a reflection of reality by staff across the organisation, but without a culture of continuous improvement or a structured approach to institutionalise lessons learned, these recommendations do not become ‘sticky’ and improvement may become episodic rather than systematic.
- Lack of governance structures for improvement and ambiguous accountability. When action items have no clear owner, or where responsibilities fall between departmental boundaries, the potential for inaction increases. Post-exercise recommendations may often sit in limbo because tasks are not assigned to named individuals with deadlines for completion. Matrix management structures can be particularly weak in this area especially when recommendations span functional domains and there is no one directed to take the lead. An absence of clearly defined accountability and responsibility for ensuring continuous improvement is often evidence that organisations lack the mechanisms and culture to institutionally learn from the lessons they generate. Even when organisations want to improve, many lack the established governance structures needed to manage and monitor the continual improvement process effectively. Without defined roles, responsibilities, reporting frameworks and management oversight, improvement initiatives are likely to drift.
- Improvement seen as too complex or too difficult. Some post-exercise recommendations are not quick fix solutions and may require lengthy, complex change programmes. These can often be relegated to the “too difficult for today” category, particularly when leaders are under pressure to deliver short-term results. In the absence of a long-term resilience roadmap and continual improvement governance structure, these critical reforms can be perpetually postponed.
What can be done?
To maximise the benefit from the considerable time and financial investment that organisations devote to conducting exercises and to close the gap between the recommendations for improvement that these exercises generate and the creation of lasting improvement, organisations should consider the following steps:
1 Secure executive sponsorship: Senior leaders must actively support and prioritise post-exercise resilience improvements. Without access to the executive management team and senior level sponsorship, most improvement initiatives will fail because well-meaning and energetic resilience staff may lack the traction to secure buy-in, budgetary allocations and overcome organisational inertia to drive through improvement initiatives.
2 Establish governance frameworks: Organisations should create a structured oversight mechanism to manage and monitor improvement activities across departments that sets out executive-level sponsorship, senior leadership accountability and responsibility for delivery. Here, alignment to international standards such as ISO 22301 can help. By implementing a formalised process that follows a Plan, Do, Check, Act cycle, organisations can set out an implementation and maintenance framework that defines what will be done, how frequently, by whom and how effectiveness will be measured and assured. By subjecting the recommendations for improvement to internal audit and a management review, organisations will enhance senior leadership engagement and ensure the resilience programme is suitable for the organisation and is promoting continual improvement. Certifying to an international standard can be expensive, require a dedicated staff resource and generate a significant bureaucratic overhead; however, submitting to external scrutiny and pass/fail criteria can provide the necessary forcing function to maintain senior leadership attention and ensure that resilience is appropriately resourced, and lessons identified are acted upon and embedded.
3 Clarify responsibilities: A key activity on receipt of the Post Exercise Report is to allocate ownership of each recommendation for improvement, with timelines and performance metrics for implementation. The creation of a cross departmental Working Group under the leadership of an accountable senior leader is an excellent forum to coordinate the implementation of the exercise recommendations for improvement. Management oversight for implementing the post exercise recommendations for improvement is best done by a Steering Group. This may only meet once per year but is essential to hold departments across the organisation to account and allocate the necessary resources. These formalised forums can help break down silos and foster collaboration between departments and provide a single focus on the organisational objectives and priorities for resilience.
4 Allocate and sequence resources: Recommendations for improvement often require procedural or structural changes or investment in new capabilities. Key to ensuring continual improvement is a formalised cost benefit assessment to approve and allocate appropriate resources to prioritised activities. A centralised budgetary allocation under executive level control to fund cross departmental improvement initiatives can create the necessary incentive for implementation and promote cross departmental collaboration.
5 Take a long-term view: Building resilience is a continual process, and some improvements will take months or years to achieve and require phased implementation. A key route to success is to develop a strategic resilience roadmap. One method to achieve this is to conduct a resilience gap analysis or Maturity Target Operating Model; this will allow the organisation to baseline its resilience status, put context on the recommendations for improvement identified during exercises and define the level of ambition for resilience.
6 Carry on exercising: Exercising remains an essential component of embedding continuous improvement and building the muscle memory to respond during a disruption. While it is highly unlikely that a real-life event will follow the exact same path as a previous scenario exercise, response teams that are familiar with working together, have mature, well-practised decision-making processes and understand their plans have a higher chance of responding quickly and appropriately to an emerging disruption and preventing it developing into a full-blown crisis. Organisations should develop a progressive exercise programme that is linked to the strategic risk register and use it to promote adaptive problem solving against increasingly complex and rapidly evolving scenarios.
Conclusion
Scenario exercises offer organisations the opportunity to simulate a crisis, identify weaknesses and practise the response to a disruption without suffering real-world consequences. However, if the organisation struggles to implement or institutionalise post-exercise lessons, much of the effort is wasted and the organisation remains vulnerable.
Organisations’ inability to implement improvements is rarely about a lack of insight, but is more often due to organisational barriers, structural gaps and an absence of leadership attention. Until organisations can address some of the root causes inhibiting institutional progress such as functional stovepipes, budgetary provision and the absence of an appropriate resilience governance structure, they will continue to struggle to reap the benefits from their investment in exercising and perpetuate existing vulnerabilities.
Structure and consistency are the key to continual improvement: the good news is the implementation of a resilience governance structure with clearly defined responsibilities and accountabilities is relatively inexpensive and easy to achieve.
