By Cheryl Winokur Munk
Some companies are taking role-playing to a new level when it
comes to mitigating risks that could potentially disrupt a
business.
For years, companies have dabbled in scenario planning, also
known as war gaming or tabletop exercises, to help understand and
reduce risk. Recently, amid tariff talks, threats of trade wars,
geopolitical uncertainty, and, of course, the global pandemic, such
gaming has become more popular.
Consulting firms often design and oversee such exercises to
simulate real external threats that might derail a company's
operations. The players, from executives to rank-and-file
employees, gather around tables, sometimes for hours, responding to
and attempting to resolve simulated emergencies. Similar to a
choose-your-own-adventure book, every move a player makes leads to
new and frequently unanticipated consequences that can have ripple
effects throughout the company as the multiround games advance.
The drills can be designed to help companies work through
multiple types of external threats. Cyber-threats are common, but
other examples include weather-related disasters (including climate
change), tariffs, changes in interest rates, active shooters and
other forms of risk. Of course, pandemic-related threats are also
becoming an increasingly popular subject for tabletop exercises.
"There has been a rising sense that the world is becoming more
complicated and resiliency is something executives need to think
about," says Ed Barriball, a partner at McKinsey & Co. "I think
for a lot of folks, Covid brought that fully into focus."
Companies can create their own games, but often turn to
consultants, who craft realistic and relevant exercises, as well as
provide follow-up recommendations, says Jun Zhuang, professor and
director of the Decision, Risk and Data Laboratory at SUNY Buffalo.
Either way, consultants' costs vary depending on such factors as
type of exercise and frequency, company size and business type.
To determine what a reasonable budget might be, Mr. Barriball
recommends first calculating what the company's potential exposures
to various risks are, then using that to decide what's reasonable
to spend.
For many companies, especially large ones, consultants recommend
doing these types of exercises frequently, perhaps once a quarter,
with top executives taking part at least once a year.
"You don't want to do discovery learning at the point of
crisis," says Fernando Maymi, director of professional services at
IronNet Cybersecurity, a global cybersecurity firm that regularly
creates tabletop exercises for clients.
Common communication problems, such as not understanding roles
and responsibilities, tend to be exposed when realistic scenarios
are designed. Executives tend to make uninformed assumptions or
judgments.
"Executives don't really realize how much they are not
communicating," says Deborah Golden, the U.S. cyber and strategic
risk leader for Deloitte Risk & Financial Advisory. They are
often surprised when put to the test, she says.
Ideally, consultants say, the exercises lead to productive
changes in a company's policies, procedures and division of
responsibilities. After analyzing exercise results, consulting
firms can offer specific advice on how the company could do better
in the event of a real problem, says Chris Stephenson, national
managing principal of Grant Thornton's financial-management
practice.
Emily Stapf, cybersecurity, privacy and forensics integrated
solutions leader at PwC, describes a recent tabletop exercise
crafted for a pharmaceutical company at the behest of its board.
The objective was to make sure the company was prepared for various
operational disruptions, something that became all the more
important in the wake of the pandemic. C-suite executives and heads
of business units were presented with a scenario in which a
distribution center was impaired due to a ransomware attack.
In the exercise, Ms. Stapf says, shipments didn't go out,
customers started calling to complain, trucks were getting backed
up, employees struggled to communicate with one another and the
situation quickly turned into a public-relations nightmare. The
snowball effect was eye-opening for the executives, as there was no
backup plan in place. After the exercise, the company adopted
immediate network and system changes to make sure every center was
segmented so a similar attack couldn't spread, Ms. Stapf says. The
company also made it clear who was accountable for making real-time
communications decisions, she says.
Benjamin W. Rhee, managing director in Accenture Strategy's
life-sciences business, describes another recent exercise that was
designed for a life-sciences company looking for the most effective
and safest way to bring remote employees back to its offices to
restart critical projects. Scenarios were defined for different
trade-offs between business impact and employee health, Mr. Rhee
says. Players identified what groups might be considered for
returning under different scenarios, and devised alternative plans
as well, all with an emphasis on employee health and safety.
As a result of this process, the company was able to safely
bring back a limited workforce for the most critical activities,
Mr. Rhee says. The planning also gave the company a framework for
doing this with additional teams.
Scenario planning also seeks to test a company's ability to
withstand cybersecurity breaches. Zulfikar Ramzan, chief technology
officer at RSA Security, a global cybersecurity company, tells
of a global bank that ran a war game to help solve a problem its
chief information-security officer was having. Despite many
attempts, the bank executive often couldn't persuade other
departments to act swiftly on his cybersecurity
recommendations.
The results of the tabletop exercise revealed to the bank's
chief executive that important security updates were likely falling
through the cracks. To fix this, he tied certain security metrics
to departmental bonuses. This helped solve the problem the chief
information-security officer was facing, since the business units
now had an incentive to implement his recommendations, Dr. Ramzan
says.
In the past, many scenario-planning drills were done in person,
with all of the key players in a room. But the pandemic has exposed
an additional vulnerability -- the inability to get together -- so
companies are increasingly requesting exercises with this in mind,
Dr. Ramzan says.
In a virtual environment, tabletop exercises can involve
real-time collaboration tools like Slack for chat and Google Docs
for multi-user document editing, says Earl Crane, a cybersecurity
executive and adviser to public and private-sector
organizations.
There can be a learning curve for executives, but it's good
training for real life, says Dr. Crane, who is also an adjunct
professor at Carnegie Mellon University. "When an incident takes
place, it is never at a convenient time, with everyone in the same
room, or even the same time zone or country," he says.
Ms. Munk is a writer in West Orange, N.J. She can be reached at
reports@wsj.com.
(END) Dow Jones Newswires
September 24, 2020 10:37 ET (14:37 GMT)
Copyright (c) 2020 Dow Jones & Company, Inc.