A technique that can help managers better prepare for technology disasters is simulating scenarios. The use of scenario simulations is common in the defense arena, team sports, and aircraft pilot training. By simulating scenarios we afford individuals to get acquainted with distant realities and also provide them an avenue to test their reflexes and responses to the new environment. This is where the adage “practice makes perfect” comes into place.
Consider preparing for a football game. Unless each team ran through various scenarios and learned how to react to changes in an opponent’s strategy, they are likely to lose the game. Simulating various scenarios and working through them is critical to building any good organization. Scenario simulations are used widely by our defense departments to train soldiers on how to fight a wide assortment of battles under a variety of conditions. Even some disciplines, such as the training of aircraft pilots, are largely handled via simulations. After all, can we afford to put an untrained pilot in command of an aircraft?
Organizations need to be more cognizant in their preparation for technology disasters. The first step toward this is to realize the shortcomings of relying on contingency plans exclusively. Most organizations reduce crisis management to having a “contingency plan.” This plan is usually documented and consists of procedures and protocols that need to be executed should a crisis occur. These fall under what I consider “management by myths.”
Contingency Plans – Management By Myths
First, contingency plans might provide over-arching guidelines for dealing with foreseeable crises. Most crises, especially those in the technology sector that unleash maximum damage, are hidden and are never accounted for in crisis plans. A core concept of a crisis is the element of surprise.
For example, the airport baggage screeners had guidelines on how to deal with the suspected objects that looked like guns or bombs before 9/11. As we all know, the terrorists used box cutters. Now, baggage screeners are instructed to look for box cutters. What are the chances a terrorist will use the same device twice? Not likely. However, they could use a basic plastic explosive, not easy to detect. Will our baggage screeners be ready? Most will probably not be ready, due to the narrow “in-the-box” thinking that plagues many organizations.
A contingency plan is a prime example of “in-the-box” thinking. I had the opportunity to review the response plans for three Fortune 100 organizations, based in the Midwest. I found it surprising that all three looked 85 percent alike. Neither plan did enough to account for the peculiarities of the organization. Moreover, neither had been temporarily updated. The original carvings of the plans were designed in the late 1980s, and all three had only been slightly modified to reflect changes in the environment of the organization.
While the nature of the abnormalities the organization has to contend with may not change over time, the manner in how to respond to them does change. Consider the case of dealing with the press. Before, the Internet era, news reports on crises were delayed in reaching audiences. Today, news is delivered in real time. This can be a good or bad thing, depending on how prepared an organization is in dealing with crises. A prepared organization can use the news media efficiently and effectively to mitigate the impact of the crisis and also communicate effectively with the stakeholders. On the other hand, an unprepared organization can open itself up for legal troubles, bad mouthing in the marketplace, and loss of reputation.
The second problem with existing contingency plans is they are not ready to “meet the enemy.” This military term is used when all operations plans seem perfect ... until the moment you actually meet the enemy. Plans like this do not account for all the chaos and havoc of real events.
Most organizations, for instance, have traditional fire extinguishers located near computing equipment. If a fire were to occur, using the fire extinguisher on your PC would kill the computer. If a crisis scenario were executed, the organization would know they must replace the traditional extinguishers, which use a corrosive acid to contain fires, with a more apt fire extinguisher. On top of that, many individuals in the organization may not know how to use the new device. Expecting them to use it effectively during times of stress is absurd. Prepare to “meet the enemy” and force your exercise participants to do the same when you write scenarios.
The third problem with contingency plans is they do not do enough to assign roles and responsibilities. Most contingency plans are generic; they seldom address peculiarities of each organization. For instance, you may have a line in the chapter on communications stating, “Please contact your communication specialist for updates on the crises.” Now, pick 20 employees and ask them who is the communication specialist – you will probably end up with 10 different answers. Imagine the situation if during an aircraft emergency the passengers did not know who constituted the airline crew. This is not a rare occurrence in times of organizational crises.
Simulating Disaster Scenarios
Organizations must do more to imagine disasters and work through them in scenarios. Working with scenarios is critical toward operationalizing the plans and seeing how they hold up during times of duress and stress. Scenarios can be handled through multiple means. They can be physical or live demonstrations; they can be simulated using computer technologies, and can also be enacted. Regardless of how a scenario is executed it must meet two goals.
First, scenarios should help reduce the impact of the shock. Shock is the stage immediately following the impact of the crises. It is during the stage of shock where organizations make errors in responding to a crisis. Moreover, the longer the organization is paralyzed after the impact the greater the chance the crisis has of escalating.
Consider a simple example. You are driving while it is snowing; the snow turns into sleet, resulting in a slippery road. If you are not used to driving in such conditions, chances are you will not be able to control your vehicle if it begins to skid. As we all know, controlling your vehicle during the initial stages of a skid is critical to preventing a casualty. To the untrained driver an initial skid could cause a sudden rush of fear and anxiety, resulting in an incapacity to manage the steering. This is due to the shock of the impact. To a trained driver, a set of usual responses will be executed in order to bring the vehicle under control or to a safe stop.
Second, scenarios should help an individual and organization calibrate effective and efficient actions after the state of shock. Many times after the initial shock is over, organizations (and individuals) conduct haphazard actions that lead to a worsened situation. Many of these actions will come back to haunt the organization. Reactionary actions are never wise, unless one has had ample time and opportunity to run through plausible consequences that might be caused due to the actions.
Components Of A Good Scenario
Scenario planning has been used by businesses to help deal with strategic issues such as product pricing, marketing campaigns, and human resource incentive packages. However, their use of crisis management and management of technology disasters is weak at best. Many complain that scenarios are too expensive to run, the drills disrupt work practices, and scenarios can instill unneeded fear in employees. However, scenarios are the best bet for preparing people to deal with a crisis.
Regardless of the nature and scope, scenarios must be realistic. They must give the sense of reality to the item of interest. The scenario must challenge assumptions. Errors made during a scenario exercise should be looked at as avenues for learning.
A good scenario for simulating disasters must address five components:
Roles and responsibilities: Who is responsible for what? Who is the backup for a given task or an activity?
Communication protocols: How is the organization going to communicate and with whom? Who is responsible for communicating? What communication protocols will be used? Managing external communications is equally important. The organization should have one front and face for the press and external stakeholders.
Protection issues: How do we protect the assets affected by the disaster and mitigate further loss?
Damage assessment: How do we know what and who have been affected. Timely damage assessment is critical in reducing the impact of the initial shock and for calibrating immediate actions.
Conducting operations without all resources: Unless an organization has conducted an exercise in running without all resources, the chance of surviving during a crisis is low.
One cannot wait for a crisis to hit and then postulate over what to do. We must know how to act in times of stress and crises. Knowing this comes from prior enactments, experiences, and scenarios.
Kevin C. Desouza is president and co-founder of The Engaged Enterprise. Desouza has authored “Managing Knowledge with Artificial Intelligence,” (Quorum Books, 2002) and has recently co-authored “Managing Information in a Complex World” with T. Hensgen (M.E.Sharpe, 2004). In addition, Desouza has authored more than 100 articles for a number of management practitioner and academic journals. He can be reached at firstname.lastname@example.org.