The typical leap into the darkness ends with a broken nose

Why Crisis Management Exercises Matter

Imagine this: Mike Tyson, Sun Tzu, and Bent Flyvbjerg walk into a coffee shop. What do a heavyweight boxer, an ancient Chinese general, and a modern-day professor have in common? Quite a bit, actually, when it comes to handling uncertainty and risk.

Picture this conversation: “Taking a leap into the unknown? You’re doing something without a clue what’s on the other side,” I’d start. Sun Tzu would probably nod and say, “He will win who, being prepared, waits to take the enemy unprepared.” Bent might add, “Skilled intuition from trial-and-error beats blind gut feelings”. And Tyson would finish, “Everyone has a plan until they get punched in the mouth.”

Now, Mike’s got a point. Plans are great until they get blown apart by reality. But let’s be real; you still need a plan, so you can adapt when the punches start flying. The consensus here? Train hard and often. Make mistakes in training, not in the heat of the moment. That’s how you turn the unknown into the known and become crisis-ready in your organisation.

Cyber threats aren’t going anywhere. So that means, if you’re standing still, you’re falling behind. To maintain a basic level of resilience, you need to keep training your crisis management capabilities.

Crisis Management training isn’t rocket science, but many organisations skip it They skip the simulations and the exercises; they don’t measure their readiness, but they should. Just like Sun Tzu said: “He who wishes to fight must first count the cost.” And training is part of that cost.

What Are We Getting Wrong?

Many companies have a crisis management plan on paper. Why? Often, it’s to tick a compliance box—NIS2, DORA, you name it. They run the exercise (if even prioritised that year), update the phone numbers, and call it a day. Congratulations, you have a crisis management plan. But do you have a crisis-resilient organisation?

Being ready for a crisis means more than dusting off the plan once a year. It’s about having a ‘living’ document—one that doesn’t just sit on a shelf but is actively embedded into the organisation. A living document evolves with your business, adapting as new challenges and insights arise. This means practising with purpose, learning from each exercise, and applying those lessons in real-time. It’s not just about having a plan but about having a dynamic strategy that grows with your team’s experience and the organisation’s needs. Let’s break down four practical steps to make sure your crisis management exercises do more than just tick a box.

1. Start Small, Build Success

Many companies make the mistake of going big from the start. The result? Overwhelmed teams and missed learning opportunities. Instead, start small and get the fundamentals right. Think of crisis management like training for a marathon—you don’t start by running 42 km. You begin with shorter, manageable runs that build strength and confidence.

Start with tabletop exercises. These low-pressure scenarios allow teams to walk through crisis steps and ensure everyone knows their roles. The goal is to test the fundamentals: Is there an established process for responding to an identified data breach? Can the team communicate effectively? A data breach simulation helps teams get comfortable with the fundamentals without the stress of a high-stakes crisis.

Training exercises build confidence and foster collaboration. When teams, like IT or communications, handle a minor incident successfully—whether it’s quickly identifying a problem or crafting an effective response—it shows them what’s possible. Celebrating these small victories shifts the mindset from ‘avoiding failure’ to “achieving together,” reinforcing the value of preparation.

Crisis management is all about teamwork and how well departments—like IT, Comms, HR, and Legal—coordinate and communicate. Practising with minor scenarios provides opportunities to build trust, break down silos, and ensure everyone understands their roles. This not only strengthens team dynamics but also promotes open dialogue, where team members feel heard and valued. Such an environment is crucial in real crises, where quick and coordinated action is essential.

Training should always build confidence, not fear. Small successes encourage teams to engage more fully and feel prepared to face larger challenges. As their confidence grows, more complex exercises can be introduced, testing decision-making and coordination under pressure.

2. Choose the Right Scenario and Exercise Type

Not all exercises are created equal. A common mistake? Picking the wrong scenario. It’s like training a football team with a tennis racket—completely off the mark. Your crisis management exercise needs to be relevant to what you do. The more context specific the scenario, the more valuable the exercise. It’s about preparing your team for the challenges that are most likely to hit them, not just a generic crisis.

Think about what your business does. Are you a financial services company handling sensitive customer data? Are you a tech firm with a critical software product? Or maybe you’re in manufacturing, relying on a complex supply chain? Each business faces different threats and scenarios should reflect this.

In the financial sector, a ransomware attack that cripples critical systems during trading hours. Or a data breach during a sensitive merger? The right scenario makes all the difference. It’s about anticipating what’s most likely to hit your specific organisation and being ready—not just with a plan, but with a team that knows exactly what to do.

Once you’ve identified the most relevant risks, it’s time to choose the right type of exercise. Not all scenarios serve the same purpose, so your choice should be guided by the specific skills and outcomes you want to develop.

• Quick Decision-Making: A time-pressured simulation tests rapid, high-stakes decisions.

• Cross-Departmental Communication: A role-playing exercise spread over several hours and engaging relevant teams assesses how well different departments coordinate in a crisis.

• Incident Response and Escalation Protocols: A straightforward tabletop exercise focused on incident response protocols reveals weaknesses in the basic handling of a crisis.

The more realistic the exercise, the more effective it will be. Realism means more than just creating a plausible scenario; it means mimicking the actual conditions under which your team will need to operate. Exercises should push your team to think on their feet and adapt dynamically, moving beyond the “business as usual” mindset. This helps ensure that when the real crisis comes, they’re ready.

Remember, the exercise’s difficulty should align with where your organisation is right now—not where you wish it was. Start with focused exercises that build foundational skills. As your team becomes more confident and capable, increase the complexity.

When done right, these exercises reveal hidden vulnerabilities and, more importantly, teach your team how to adapt in real time. They expose the gaps in your plans and the weak points in your defences. But more than that, they create muscle memory. Your team learns not just what to do, but how to think and react under pressure.

3. Measure What Matters

Many organisations miss the mark by measuring the wrong things—like attendance or duration of the exercise. What really matters is how well your team performs under pressure: Did they stick to the plan or fall apart? Were decisions made quickly? Was communication clear, or did it descend into chaos?

Honest feedback is the real value of any exercise. It’s not about glossing over mistakes but about understanding what worked, what didn’t, and why. Creating a safe space for open discussion ensures that when things go wrong, there’s no blame—just a shared focus on improvement. This openness again helps shifting the mindset away from ‘avoiding failure’, making it easier to act as a team when under pressure.

4. Act on What You Learn

An exercise is only as valuable as what you do afterward. Too often, organisations go through the motions of a debrief, note down areas for improvement, and then… nothing happens. The real impact comes from translating those lessons into specific, actionable steps. This means moving beyond broad statements like “We need better communication” and drilling down into exactly what needs to change. Whether it’s tweaking the crisis communication plan or providing targeted training sessions, the actions need to be clear, assigned to specific individuals or teams, and given deadlines.

When feedback leads to tangible improvements, it builds a culture of honest accountability. Teams become more engaged, knowing their insights lead to real changes. This isn’t just about fixing things; it’s about creating a continuous improvement loop where feedback drives action, and action leads to readiness.

Encourage people to challenge assumptions and suggest solutions, focusing on enhancing the team’s crisis response rather than pointing fingers. When feedback leads to concrete actions—like refining communication tools or decision-making processes—teams see that it’s more than just talk; it’s about real progress.

Sometimes, small, targeted changes can dramatically improve crisis response. Whether it’s a slight adjustment in communication strategies or refining decision-making roles, these tweaks can make a significant difference. Over time, these consistent improvements build a more resilient, agile organisation capable of handling crises effectively.