Any organization today needs to understand the risks that can have a profound impact to its reputation and the measures it should take when under attack. No other reputational risk cuts across the corporate landscape like cyber-risk. Everyone has links to the digital world—servers, e-mail, data, etc.—and therefore is susceptible to a cyber-attack. That umbrella includes everything from a global tech giant to a local flower shop.
According to a recent CBS.com report, cyber-attacks occur 4,000 times a day, which translates to three every minute. Fortunately, most attacks fail; but that provides little comfort for organizations with so much at stake. It only takes one incident to cause irreversible damage.
And while a cyber-attack can create chaos and cause a drop in shareholder value, the bigger threat is to an organization’s most valuable asset—its reputation.
As cyber-attacks continue to escalate around the world, many organizations are investing more time and resources into their cyber-security and crisis-response efforts. I believe one of the more effective practices used to prepare for a cyber-incident is a wargame simulation—a pressure-packed exercise that reveals the challenges organizations face before, during, and after a cyber-incident.
Stakeholders keep a close eye on how an organization responds to difficult situations. Actions taken during a crisis can ultimately affect the organization’s reputation. A wargame simulation is one way to test your ability to survive and even thrive in a crisis.
In one example of a wargame simulation, organizational leaders assume their roles of C-suite executives and respond to an unexpected cyber-attack. The simulation challenges participants to deliver a response immediately, one month later, and one year post-incident.
Participants are faced with many business-impacting decisions, including whom to report to and when, cyber-insurance issues, regulatory challenges, third-party vendor relationships, and brand and reputation management.
It’s a tense and uncomfortable experience. Even when you know it’s a simulation, your heart sinks when your organization’s reputation is in danger. The threats, the hacker’s distorted voice, and the breaking news reports are all fake, but the potential is real. Participants know it’s an exercise, but it’s unscripted, which provides a true test of decision-making ability.
WHAT IF QUESTIONS
Wargame simulations help organizations prepare for uncertainty. They stress-test leaders to ask and answer questions like:
How do we track what digital information is leaving our agency and where that information is going?
Is our organization prepared for a cyber-attack?
How well do we work with each other when a crisis occurs?
How do we know who is really accessing our systems, and from where?
What decisions should be made, and who makes them if there is a cyber-attack?
Source: Chuck Saia, Deloitte
,
Wargame simulations can help organizations detect gaps and weaknesses in readiness, response, and recovery plans. And they can identify ways to enhance an organization’s crisis playbook. Deloitte recently adjusted its crisis management playbook to incorporate the lessons learned from one of one of its wargame simulations. By surfacing a gap that the company needed to fill, the simulation allowed Deloitte to avoid learning about it as a real crisis unfolded.
Despite its value, scenario planning isn’t yet widely accepted by organizations looking to protect, preserve, and enhance their reputations. In Deloitte’s Reputation@Risk global survey on reputational risk, 36 percent of 300 executives surveyed said they don’t do “what if” scenarios to prepare for reputational risk. Hopefully, these organizations won’t be testing their risk management efforts during a real-life crisis. The worst time to fine-tune a crisis management strategy is during a crisis.
ABOUT CHUCK SAIA
Chuck Saia oversees strategic and reputational risk management, regulatory affairs, and independence, ethics, and compliance, as well as confidentiality and privacy matters for Deloitte. With more than 20 years of experience advising clients on corporate governance, regulatory issues, risk management, and internal controls, Saia continues to drive relationship building at the C-suite level for Deloitte’s key clients. His current focus is on protecting, preserving, and enhancing Deloitte’s reputation to position the company to “make an impact that matters”—on Deloitte’s people, clients, and society.
Does practice make perfect? Not in crisis management; no amount of planning can prepare for 100 percent of the multiple risks to reputation. But practice does lead to improvement in approaches, a decrease in uncertainty, and an increase in confidence.
Stakeholders keep a close eye on how an organization responds to difficult situations. Actions taken during a crisis can ultimately affect the organization’s reputation. A wargame simulation is one way to test your ability to survive and even thrive in a crisis.
No comments yet