Applying the Complexity of Dungeons & Dragons to Business Continuity Exercises

Written by Geoff Kreller, CRCM, CERP

Thinking about the most recent business continuity tabletop exercises in which I’ve participated, some glaring weaknesses and themes came to mind – and that’s assuming the exercise was even scheduled (and wasn’t canceled). Stakeholders were bored, multi-tasking, or simply declined to participate. During and after the exercise, it was difficult to determine the business continuity plan’s (BCP) effectiveness and completeness, or whether there were significant blind spots, assumptions and weaknesses that just weren’t evaluated. Perhaps worst of all, it felt like we were missing out on ways in which the organization could identify more resilient, flexible, and dynamic business strategies.

I thought about how Dungeons & Dragons (D&D) creates compelling scenarios that challenge players to adapt to ever-changing circumstances, support the team’s goals (potentially to the detriment of individual players), and make difficult decisions without complete information in an uncertain environment. Dungeon Masters (DMs) develop scenarios with captivating narratives, and Risk/Compliance professionals have the opportunity to lead similarly engaging business continuity scenarios using the best practices from this game. Here are some key pitfalls, viewed through a D&D lens, that, once addressed, can add complexity, interest, and perhaps some additional team camaraderie to your next continuity tabletop exercise.

1. We allow the institution to resolve the event too easily; there is no real crisis.

Much like a final boss killed with a single hit, a scenario that lacks true adversity isn’t going to test your organization/party members. The scenario can certainly start innocently (a website application goes down, office communications are unavailable, the CEO boards a flight for the Caribbean, a concerning email is received) but the full resolution should not be one step away. IT can’t simply say “we restored the application” and conclude the tabletop exercise.

The scenario should be broad enough to allow various departments to be affected, consider those impacts, and enable stakeholders to consider a range of different actions per round. This creates an enterprise-wide narrative for consideration, and one that requires multiple steps for mitigation and resolution.

In addition to the likelihood that the crisis intensifies during the exercise, the possibility of damaging outcomes and/or lasting consequences for the institution should also exist.

2. The exercise fails to consider uncertainty in outcome.

In a universe of imperfect information, unforeseen consequences, externalities, and environmental factors, there should be a level of uncertainty in decision outcomes. I’m not saying that we need to bring all the D&D dice to the party (there are six or seven different types with different numbers of sides), although rolling a 20-sided die to determine the outcome of an action might increase the participation and revelry in rooting for a successful (or lucky) roll.

Just as shooting an ogre with a fire-tipped arrow sounds like a good idea until that enflamed ogre starts running toward your party, we can’t know for certain the results of the actions we take during a crisis event. We try to make sound risk-based decisions based on the information we know, past experience, and the probability of success – and even assuming that we make the best decision every time (which is a bold assumption), sometimes crisis events spin in directions we didn’t even consider.

A good DM will enable the outcome of the institution’s action(s) to affect and guide the scenario, both in terms of triggering the next decision and calculating the overall impact to the organization.
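As an added illustration of points 1 and 2 (example code, not from the original article): a small Python resolver for a tabletop round, where a d20 roll against a difficulty class decides how badly an inject lands, impact accumulates per department, and every round escalates to the next inject so the crisis is never one step from resolution. The inject names, difficulty classes and impact values are constructed sample values for a bank scenario.

```python
"""Tabletop round resolver with d20 uncertainty (added example, not from the article)."""
import random
from dataclasses import dataclass, field


@dataclass
class Exercise:
    impact: dict = field(default_factory=dict)  # cumulative impact points per department
    log: list = field(default_factory=list)     # narrative record for the after-action report


# Constructed sample injects (not from the article). Each has a difficulty class (DC),
# the departments it stresses when the response falls short, and the inject it escalates to.
INJECTS = {
    "app_down": {"dc": 12, "fail_hits": {"IT": 3, "Customer Service": 2},
                 "escalates_to": "backup_stale"},
    "backup_stale": {"dc": 16, "fail_hits": {"IT": 4, "Operations": 3, "Legal": 1},
                     "escalates_to": "regulator_inquiry"},
    "regulator_inquiry": {"dc": 14, "fail_hits": {"Compliance": 3, "Finance": 2},
                          "escalates_to": None},
}


def roll_d20(rng=None):
    """Roll a 20-sided die; pass a seeded random.Random for a replayable exercise."""
    return (rng or random).randint(1, 20)


def resolve_round(ex, inject_id, roll):
    """Apply one round's roll to the exercise state and return the next inject id.

    Natural 1 doubles the damage, a failed check applies it in full, a success still
    leaves half of it behind (the crisis keeps intensifying), and a natural 20 is clean.
    """
    inject = INJECTS[inject_id]
    if roll == 20:
        outcome, factor = "critical success", 0.0
    elif roll == 1:
        outcome, factor = "critical failure", 2.0
    elif roll >= inject["dc"]:
        outcome, factor = "success", 0.5
    else:
        outcome, factor = "failure", 1.0
    for dept, hit in inject["fail_hits"].items():
        delta = int(hit * factor)
        if delta:
            ex.impact[dept] = ex.impact.get(dept, 0) + delta
    ex.log.append(f"{inject_id}: rolled {roll} vs DC {inject['dc']} -> {outcome}")
    return inject["escalates_to"]  # None means the scenario has run its course


def total_impact(ex):
    return sum(ex.impact.values())


def run_scenario(ex, start="app_down", seed=None):
    """Play the inject chain to its end with a (optionally seeded) d20 and return total impact."""
    rng = random.Random(seed)
    current = start
    while current is not None:
        current = resolve_round(ex, current, roll_d20(rng))
    return total_impact(ex)
```

The facilitator can replace the dice with judgment calls by passing the chosen roll into `resolve_round` directly, while the log doubles as the skeleton of the after-action report.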

3. The situation is not relevant to the organization.

There’s a reason why D&D games revolve around quests, dungeons, and nightmarish bosses. It’s what’s relevant to the game – knights, mages, barbarians and rogues probably aren’t getting together to consider how to mitigate global warming.

Similarly, if your institution is in a fully remote or hybrid state and your Regus office location burns down to the ground, that doesn’t really present much of a scenario unless your institution’s commercial real estate holdings were concentrated in the area or building where the fire took place (or had other vested interests in the success of Regus overall).

If your institution uses Amazon Web Services (AWS) to store data in the cloud, having a walkthrough based on a ransomware demand may not be the best exercise to select, but the lack of data availability (and potential loss) could be used as a platform to test the institution’s backup and restorative processes.

There are a ton of crisis scenarios that have nothing to do with natural disasters or pandemics. While the availability of employees and infrastructure should be tested, think creatively about the exercise design. This may surface some interesting scenarios that could genuinely harm your institution. Examples include:

  • Increases in interest rates, leading to deposit pressure and decreases in borrowing demand

  • Decreases in interest rates, leading to refinancing pressure

  • Loss of a key vendor or third party provider

  • Loss of a vital source of loan or deposit applications

  • Unemployment increases

  • Increased tension between countries

  • Supply chain disasters, such as when an entire fleet of ships or cars is destroyed by disaster

4. Assumptions aren’t tested.

Mike Tyson might have said it best, “Everyone has a plan until they get punched in the face”, and paraphrasing the Prussian strategist Helmuth von Moltke, “No plan survives contact with the enemy”. I get a laugh out of 36-page business continuity plans, especially when they are used for scratch paper during these exercises.

I’ve seen tabletops start disastrously when stakeholders realize they have no ability to contact their employees or vendors because none of those electronic documents are available, either because they were never created or because no one maintained an offline copy for such emergencies.

As an aside, your business continuity plan should be kept in a go box (or offline area) and contain basic, yet critical information that you’ll need immediately. That includes your contact tree, your list of vendor contacts, other key third parties, your regulatory contacts, your key systems, your emergency off-site (or virtual meeting site) location, and your institution’s priorities for systems and services restoration.

Think about other responses that should not be accepted as certain when they are offered during an exercise. Your DM should be able to detect and credibly challenge these assumptions when they arise. Tabletops can’t simply end because IT notes that it has the ability to restore data, information, and functions. Has that ability been mastered, or has it been done one time by one individual? What is the time for restoration? Is there a potential for data loss? What if the back-up hasn’t been maintained?

For banks, have you actually tried to use the FHLB window to pledge collateral and obtain liquidity? That process is not easy, especially if no one has experience actually pledging collateral in ideal conditions (let alone a crisis).

5. Not all of the departments are involved.

In a crisis event, all hands should be on deck. A crisis will affect every department within an institution, even if that effect is simply that employees of one function temporarily transfer to assist another function as an emergency measure.

Information Technology (IT) is an extremely important contributor to this process, but it is rarely the only necessary contributor. Consider impacts on (and insight from) customer service, operations, servicing, underwriting, finance, public relations, vendor management, legal, and risk/compliance during each exercise as well.

During a crisis event, your customers, employees, vendors, and shareholders will often increase their inquiries, feedback, concerns, and complaints if your external communication doesn’t fully consider the impacts they face as a result of these events as well.

6. Stakeholders dismiss the selected event by noting the institution just wouldn’t survive.

That type of defeatist attitude will cascade through a team and obscure the consideration of possible alternatives, and your executive team should not accept this negative mindset. If someone thinks that dimly of the institution’s chances in an exercise, it’s hard to believe that you can count on their tenacity and resilience when the going actually gets tough. In D&D, you wouldn’t want to unexpectedly run into a Blob of Annihilation or a Kraken, but a resilient party will pull out all the stops and take a stand, or find a way to successfully retreat and live to fight another day.

In the scenarios that I’ve run and met with this resistance, we’ve improvised and “released” that employee and “promoted” the next person in that department. Not only are you testing your business continuity plan, you might also find your internal succession planning has a lot of promise!

7. The improvisation is unrealistic.

To maximize the benefits from the points above, realistic improvisation is important. The improvisation should be reasonable to the situation posed and the actions (or inactions) taken. It’s possible that a significant data breach might result in a 20% decline in sales, deposits, or originations in the next quarter. It’s probably not going to cause a destructive riot at your headquarters location. A great DM will weave unexpected actions back into the narrative’s tapestry, and the same should be expected in a continuity scenario.

8. Participation is not incentivized.

D&D players gain experience and have the opportunity to level up their characters, unlocking new abilities to use in later scenarios. In addition to the experience and understanding that your employees receive, incentivize participation through prizes, recognizing resiliency all-stars, or remembering their legendary performances during yearly evaluations.

Summary

These exercises have the capability to cultivate working relationships across different departments, test the ability of your institution to think outside the box, and create resiliency in your business strategy. Nobody wants a plain, boring donut – and nobody really wants to participate in a business continuity exercise with those same qualities.

We can’t expect employees to embrace continuity exercises when those exercises feel unrealistic, are unconnected to their function or role, and fail to materially add to their development or value at the company.

While your current business continuity plan may check a box, there is a valuable opportunity for your entire enterprise to actively engage, discuss, and learn from each other during these engagements. Find the right DM to guide your exercise, dig deep into your resiliency mindset, roll some 20s at critical junctures, and the journey is sure to excite and surprise you all!


Follow NAQF and Geoff Kreller on LinkedIn for additional insights. For more information on how NAQF can facilitate your next business continuity exercise, contact us at contact@naqf.org.
