By Cheryl Winokur Munk 

Some companies are taking role-playing to a new level when it comes to mitigating risks that could potentially disrupt a business.

For years, companies have dabbled in scenario planning, also known as war gaming or tabletop exercises, to help understand and reduce risk. Recently, amid tariff talks, threats of trade wars, geopolitical uncertainty, and, of course, the global pandemic, such gaming has become more popular.

Consulting firms often design and oversee such exercises to simulate real external threats that might derail a company's operations. The players, from executives to rank-and-file employees, gather around tables, sometimes for hours, responding to and attempting to resolve simulated emergencies. Similar to a choose-your-own-adventure book, every move a player makes leads to new and frequently unanticipated consequences that can have ripple effects throughout the company as the multiround games advance.

The drills can be designed to help companies work through multiple types of external threats. Cyber-threats are common, but other examples can be weather-related disasters (including climate change), tariffs, changes in interest rates, active shooters and other forms of risk. Of course, pandemic-related threats are also becoming an increasingly popular tabletop exercise.

"There has been a rising sense that the world is becoming more complicated and resiliency is something executives need to think about," says Ed Barriball, a partner at McKinsey & Co. "I think for a lot of folks, Covid brought that fully into focus."

Companies can create their own games, but often turn to consultants, who craft realistic and relevant exercises, as well as provide follow-up recommendations, says Jun Zhuang, professor and director of the Decision, Risk and Data Laboratory at SUNY Buffalo. Either way, consultants' costs vary depending on such factors as type of exercise and frequency, company size and business type.

To determine what a reasonable budget might be, Mr. Barriball recommends first calculating what the company's potential exposures to various risks are, then using that to decide what's reasonable to spend.

For many companies, especially large ones, consultants recommend doing these types of exercises frequently, perhaps once a quarter, with top executives taking part at least once a year.

"You don't want to do discovery learning at the point of crisis," says Fernando Maymi, director of professional services at IronNet Cybersecurity, a global cybersecurity firm that regularly creates tabletop exercises for clients.

Common communication problems, such as not understanding roles and responsibilities, tend to be exposed when realistic scenarios are designed. Executives tend to make uninformed assumptions or judgments.

"Executives don't really realize how much they are not communicating," says Deborah Golden, the U.S. cyber and strategic risk leader for Deloitte Risk & Financial Advisory. They are often surprised when put to the test, she says.

Ideally, consultants say, the exercises lead to productive changes in a company's policies, procedures and division of responsibilities. After analyzing exercise results, consulting firms can offer specific advice on how the company could do better in the event of a real problem, says Chris Stephenson, national managing principal of Grant Thornton's financial-management practice.

Emily Stapf, cybersecurity, privacy and forensics integrated solutions leader at PwC, describes a recent tabletop exercise crafted for a pharmaceutical company at the behest of its board. The objective was to make sure the company was prepared for various operational disruptions, something that became all the more important in the wake of the pandemic. C-suite executives and heads of business units were presented with a scenario in which a distribution center was impaired due to a ransomware attack.

In the exercise, Ms. Stapf says, shipments didn't go out, customers started calling to complain, trucks were getting backed up, employees struggled to communicate with one another and the situation quickly turned into a public-relations nightmare. The snowball effect was eye-opening for the executives, as there was no backup plan in place. After the exercise, the company adopted immediate network and system changes to make sure every center was segmented so a similar attack couldn't spread, Ms. Stapf says. The company also made it clear who was accountable for making real-time communications decisions, she says.

Benjamin W. Rhee, managing director in Accenture Strategy's life-sciences business, describes another recent exercise that was designed for a life-sciences company looking for the most effective and safest way to bring remote employees back to its offices to restart critical projects. Scenarios were defined for different trade-offs between business impact and employee health, Mr. Rhee says. Players identified what groups might be considered for returning under different scenarios, and devised alternative plans as well, all with an emphasis on employee health and safety.

As a result of this process, the company was able to safely bring back a limited workforce for the most critical activities, Mr. Rhee says. The planning also gave the company a framework for doing this with additional teams.

Scenario planning also seeks to test a company's ability to withstand cybersecurity breaches. Zulfikar Ramzan, chief technology officer at RSA Security, a global cybersecurity company, tells about a global bank that ran a war game to help solve a problem its chief information-security officer was having. Despite many attempts, the bank executive often couldn't persuade other departments to act swiftly on his cybersecurity recommendations.

The results of the tabletop exercise revealed to the bank's chief executive that important security updates were likely falling through the cracks. To fix this, he tied certain security metrics to departmental bonuses. This helped solve the problem the chief information security officer was facing since the business units now had incentive to implement his recommendations, Dr. Ramzan says.

In the past, many scenario-planning drills were done in person, with all of the key players in a room. But the pandemic has exposed an additional vulnerability -- the inability to get together -- so companies are increasingly requesting exercises with this in mind, Dr. Ramzan says.

In a virtual environment, tabletop exercises can involve real-time collaboration tools like Slack for chat and Google Docs for multi-user document editing, says Earl Crane, a cybersecurity executive and adviser to public and private-sector organizations.

There can be a learning curve for executives, but it's good training for real life, says Dr. Crane, who is also an adjunct professor at Carnegie Mellon University. "When an incident takes place, it is never at a convenient time, with everyone in the same room, or even the same time zone or country," he says.

Ms. Munk is a writer in West Orange, N.J. She can be reached at


(END) Dow Jones Newswires

September 24, 2020 10:37 ET (14:37 GMT)

Copyright (c) 2020 Dow Jones & Company, Inc.