The latest updates to the risk landscape envisioned for 2025 onward still place a strong emphasis on geopolitical, financial, climate and cyber risks. We at Deloitte have been challenged to advise on how to prepare for real-life crises and disasters, which increasingly target critical infrastructure and major players in all sectors, widening the operational, legal and reputational risk caused by inadequate resilience in an increasingly aggressive and complex cyberspace. This is one important reason to rehearse potential failures of technical and organizational security measures through a crisis simulation exercise.
Customers, suppliers, employees, and other stakeholders understand that crises will occasionally affect the organization. What they find hard to understand is a lack of preparation, inadequate responses, and confusing communications from management. To this perspective we should add the focus that compliance requirements place on crisis and continuity management, such as those resulting from the Digital Operational Resilience Act (“DORA”), the Network and Information Systems Directive 2 (“NIS2”) and the Cyber Resilience Act (“CRA”).
What can organizations do better?
Be proactive: Organizations should increase their ability to absorb both the operational and the media impact triggered by critical cyber incidents through crisis simulations with top management and crisis handling teams.
Through table-top exercises, most of the activities with strong relevance during real crises may be reviewed and trained:
The most relevant and fruitful crisis simulation exercises are those attended by the entire management team, including the key people in charge of internal and external communication, legal & compliance, fraud, finance, IT, operations, production, procurement, cybersecurity, privacy and business continuity.
How Deloitte can support
Deloitte experts review the crisis management framework and prepare personalized and immersive table-top exercise experiences for management teams, covering the most important types of crisis and risk scenarios. We have successful experience staging natural disasters (severe weather / earthquake scenario), infrastructure/technology failures (power blackout scenarios), cyber-attacks (ransomware, phishing, data exfiltration and combinations of these stand-alone scenarios), and reputational crises (national media coverage of negative publicity).