How to Run a Successful Crisis Simulation Exercise

Written By James Neilson

Imagine your company is hit with a major cyberattack. Customers can’t access your platform, media inquiries are flooding in and executives are demanding answers.

Now ask yourself:

  • Does your team know exactly what to do - or would panic take over?

  • Are your response plans tested and refined, or are they sitting in a file collecting dust?

  • Do key decision-makers understand their roles, or will confusion slow down the response?

Here’s the reality:

  • 60% of businesses that experience a major crisis collapse within six months. (Source: U.S. Federal Emergency Management Agency - FEMA)

  • Companies that run regular crisis exercises recover up to 4x faster. (Source: PwC Global Crisis Survey)

  • Only 32% of executives say their company has a well-rehearsed crisis response plan. (Source: Deloitte 2024 Crisis Management Report)

A crisis simulation is the only way to find out if your team is truly ready. It allows you to test your response plans, fix gaps and build confidence before a real crisis happens. But not all crisis simulations are effective. Many are poorly structured, unrealistic or fail to generate real learning. So how do you ensure your simulation is practical, impactful and actually improves your readiness?

Let’s break down how to run a successful crisis simulation - without wasting time or resources. (And if you want to save hours of prep work, CrisisCompass has ready-to-go crisis scenarios that can be delivered immediately, or can be tailored to suit your organisation/industry.)

Step 1: Define Your Objectives - What Are You Trying to Test?

Why This Step Matters:
If your exercise has no clear objective, it won’t drive real improvements. You need to decide:

What do you want to assess?

  • The effectiveness of your crisis response team?

  • The speed of decision-making under pressure?

  • Your external communications strategy?

What type of crisis are you preparing for?

  • Cyberattack?

  • Supply chain failure?

  • Natural disaster?

  • Reputational crisis?

Common Mistake:
Many organisations run generic, one-size-fits-all simulations that don’t test specific vulnerabilities.

How to Fix It:
Define your success criteria upfront. For example, if you’re testing cyber resilience, success might be:

  • Detection time: Was the breach identified within 15 minutes?

  • Decision-making: Did the crisis team follow the escalation protocol correctly?

  • Communication: Were customers notified within an appropriate timeframe?

Step 2: Choose the Right Type of Crisis Exercise

Why This Step Matters:
Not all crisis simulations look the same. The format you choose impacts realism, participation and effectiveness.

Common Crisis Simulation Types:

1️⃣ Tabletop Exercise (TTX) – Best for Strategic Teams

  • A discussion-based scenario where crisis leaders talk through their response.

  • Ideal for senior management and cross-functional coordination.

  • Works well for testing decision-making and communication.

2️⃣ Live Simulation – Best for Operational Readiness

  • A real-time, interactive exercise where teams must respond as if the crisis is unfolding live.

  • Ideal for testing incident response teams, IT teams or emergency response units.

  • Involves mock media pressure, simulated customer inquiries and fast decision-making.

3️⃣ Drills – Best for Physical Safety and Security

  • A hands-on exercise (e.g. fire drill, active shooter response).

  • Focuses on evacuations, security protocols and safety procedures.

Common Mistake:
Some companies default to tabletop exercises for everything, even when a live simulation would be more effective.

How to Fix It:

  • Use tabletop exercises for leadership decision-making.

  • Use live simulations to stress-test operational teams.

  • Use drills for security, physical safety and evacuation procedures.

Step 3: Design a Realistic, High-Impact Scenario

Why This Step Matters:
A weak or unrealistic scenario will not prepare your team for a real crisis - in fact it will undermine your crisis and resilience program credibility in the eyes of your staff.

The biggest mistakes companies make:
Using vague, unrealistic scenarios (“A generic ‘IT failure’ occurs”).
Making the scenario too predictable (crises are messy - your exercise should be too).
Not increasing pressure as the simulation unfolds.

How to Fix It:
Build a scenario based on real threats your business faces.
Include multiple injects - new information should emerge as the scenario progresses.
Simulate external pressures (social media reactions, legal considerations, media coverage).

Pro Tip: Your scenario should evolve dynamically. For example, a cyberattack scenario might start with an IT system failure and later escalate into data ransom demands.

Step 4: Facilitate the Exercise Effectively

Why This Step Matters:
A poorly run crisis exercise wastes time and fails to create learning moments.

Keys to Success:
Appoint a skilled facilitator to guide the exercise.
Ensure all key roles are participating - not just crisis leaders.
Use a “real-time” approach where participants must react to new developments.

What NOT to do:

  • Don’t let it become just a discussion - even in a tabletop, participants should be making real decisions.

  • Don’t spoon-feed answers - teams should figure out solutions under pressure.

CrisisCompass has in-depth expertise in facilitating exercises in a range of sectors, threat environments and organisational cultures.

Step 5: Conduct a Post-Exercise Review and Implement Lessons Learned

Why This Step Matters:
A crisis simulation is worthless if you don’t act on what you learned.

Best Practices for Post-Exercise Reviews:
Conduct a structured debrief - What went well? What needs improvement?
Use a Post-Incident Review (PIR) template to capture key findings.
Update your crisis plan based on gaps identified.

Common Pitfall:
Many organisations run a crisis exercise, then never make any real changes.

Pro Tip: Treat crisis exercises as a continuous improvement tool - not a one-time event.

The CrisisCompass Post-Incident Review (PIR) template helps you document key lessons and make real improvements.

Final Thoughts: Be Crisis-Ready, Not Just Crisis-Aware

Running a crisis simulation isn’t just about “ticking a box.” It’s about ensuring your business is truly prepared when disaster strikes.

But let’s be real:
✅ Designing and facilitating a crisis exercise from scratch takes time.
✅ Many companies struggle to build realistic scenarios, injects and response checklists.
✅ A poorly structured exercise can do more harm than good.

That’s why CrisisCompass can help:
Structured crisis exercises for tabletop, live simulations and drills.
Realistic crisis scenarios and injects that evolve dynamically.
Post-exercise reviews.

Don’t wait for a real crisis to identify what the gaps are in your organisation’s readiness; reach out to CrisisCompass today and start building a truly resilient organisation.

James Neilson
Previous

Why Crisis Communications Matter More Than Ever
Next

Why Most Crisis Plans Fail (And How to Fix Yours)