Steadcast
Crisis Designer Podcast

Designing Holistic Crisis Exercises - A conversation with Maura Santunione

September 12, 2025 · 26 min · 2,450 words

Show notes

In this episode of the Crisis Designer Podcast, we speak with Maura Santunione, Global Business Continuity Manager and Leader of the BCI Italy Chapter. With over two decades of experience across security, crisis preparedness, and operational risk, Maura has helped shape international resilience strategies that turn theory into action and foster true organizational capability.

We dive into what a holistic crisis exercise programme really looks like, and why it goes far beyond a one-off tabletop. Maura explains how aligning with ISO standards, designing from the After-Action Review backward, and engaging the right stakeholders leads to meaningful, measurable progress.

We explore:

- Why capability (not just compliance) must be the goal
- How to select realistic but challenging scenarios
- What makes a good simulation truly engaging
- How to design with After-Action Reviews in mind
- The art of facilitation and participant preparation
- Her most complex exercise: 3,000 people and no disruption
- Why many organizations are more resilient than they think

This episode is packed with practical insight and deep experience, and a powerful reminder that active listening is just as important as operational readiness.

Highlighted moments

[11:41] "scenarios are selected not just for their likelihood, but for their potential to effectively test and validate key capabilities across the organization."
[14:41] "I always plan the entire exercise with the after-action review in mind, so we know exactly what we need to evaluate and learn from."
[19:43] "feedback without follow-up is just a smoke talk or a coffee break."
[20:44] "We performed in a plant with more than 3,000 people with simulation of simultaneously supply chain disruptions and all the event management phases in order to understand if the entire chain works now, because sometimes we tend to test phase by phase now in different exercises."

Transcript

Introduction to Crisis Management

0:00 scenarios are selected not just for their likelihood, but for their potential to effectively test and validate the key capabilities across the organization. Hello, everybody. This is Belen Santaolalla from Conductor Crisis Exercise Platform.

0:34 You're listening to the Crisis Designer Podcast, where we share tips, thoughts, and concepts to help you create impactful crisis management exercises. If you're involved in crisis management, reputational risk, business continuity training, information warfare, or immersive simulations, this show is for you. In each episode, we speak to experts and crisis designers about their methods and lessons learned so we can all build better and more resilient systems. And today, we're delighted

Guest Introduction

1:10 to welcome Maura Santunione, Global Business Continuity Manager and Leader of the BCI Italy Interest Group. With over 20 years of experience across security, crisis preparedness, and operational risk, Maura has helped shape international resilience strategies that integrate governance, compliance, and cross-functional collaboration. She's also a certified ISO 22301 lead auditor and passionate

1:44 about designing meaningful learning-focused crisis simulations. Maura, welcome to the Crisis Designer Podcast. How are you today? Thank you. Fine. Thank you for the invite. Okay, let's get started. How do you support resilience in general? My primary role is to help organizations build and implement resilience, which is a crucial element for success today. I do this by taking a holistic approach,

2:21 blending a strategic view with practical business continuity, all and always aligned with the GRC requirements. This means moving from theory to practice by breaking down internal silos and fostering cross-functional cooperation. A key part of this is designing trainings and awareness programs to build a strong cultural preparedness. This is my focus as a resilience

3:01 professional and as leader of the BCI Italy chapter, where we support the growth and skill building of our community.

Importance of Holistic Approach

3:12 Fantastic. Fantastic. Why do you think your work matters?

3:22 Good question. This work is crucial nowadays because in our fast-changing world, it's essential to effectively manage risks and respond to various events that can cause negative but also positive impact in the organizations. A holistic approach that aligns with GRC requirements and fosters cross-functional

3:54 collaboration ensures the entire organization is prepared and optimized for acting. This allows us to maintain running operations, protect assets and reputation, and position us to seize new opportunities. And this matters for managing the present and design to be prepared for the unknown future.

4:28 Okay. So, the holistic approach is really important for what you're saying. Why is that important for you? Like, how did you get into crisis and continuity and why is the holistic thing so important for you? Yeah, I got into crisis and continuity through a natural progression from my operational roles. My experience in supply chain, warehousing, distribution, logistic, quality, compliance, and testing told me to apply lean principle to maximize operational efficiency

5:11 and minimize or prevent business disruption. You can understand that the holistic approach is the one that can ensure a systematic approach to the events. And this provides me with a solid foundation in risk management, which I then applied when I moved into the business continuity crisis and security manager roles.

5:45 Okay. So, all that experience also providing this help to companies as crisis and security managers have led you to also be BCI Italy chapter leader. So, what's your focus as the leader of this group? Yeah, my focus is on promoting initiatives that build a strong resilience culture and a community dedicated to a structured approach to resilience and anti-fragility.

6:23 We aim to foster a professional network that shares practical experiences, explores emerging risks, and improves crisis and continuity practice across industries. A big part of this is encouraging organizations and professionals to move toward a more systematic and strategic approach, for example, by introducing robust exercise programs to go beyond simple box-ticking tabletop sessions, for example.

7:04 Got it. So, is that something that you see a lot in the community, that difficulty from going from simple checkbox compliance to something more structured? It's an example. I can mention, for example, the issuing of plans, okay, on the paper that remain there, more than validate with a holistic approach, the capability of the team to act, you know, are an example.

7:43 But I think that this is the needed step that we have to do together. And the community of the BCI can be the perfect place where we can train and grow together.

Top Risks in the Sector

8:00 Great. Okay. And since you're like completely in the middle of risk and the perception of what's going on today, what risks are top of mind in your sector today? Yeah. Yeah. While cyber threats, supply chain disruption and regulatory complexity are certainly top of mind, what I see as just as critical is the capability gap, as I mentioned before, the ability to respond effectively.

8:34 The speed of change in markets and risks today demands more than just having a plan. That's why a holistic and systematic approach is so, so relevant. I will repeat and repeat and repeat, because it's the way to truly validate whether our programs work in practice. Testing against realistic scenarios helps ensure our response teams are not just informed or involved,

9:12 but just, but also competent, capable and confident to act in critical situations.

9:26 What makes a holistic exercise program better? A holistic exercise program, for example, is better because it's tailored to the organization's specific needs, like also the systems, no, which optimize time, resources, and resultant outcomes. Following the full exercise management cycle, as described in the international standards like ISO 22398 or the BCI GPG,

10:07 it moves beyond a single exercise to embed a continuous learning culture. This approach also involves varying exercise types and engaging stakeholders across the organization, ensuring alignment and readiness at each level, because growing and moving to advanced doesn't mean just increased complexity,

10:38 but more, be more efficient and appropriate for the given scope. Okay, so you're talking about exercising in that holistic approach that goes beyond standards and just ticking boxes. How do you choose which scenario to design? Yeah, based on the ISO that I take as REF, scenarios are defined and included in a yearly exercise program

11:14 as an ongoing process planned, starting from a strategic review of the organization context and the current risk landscape, looking at the previous incidents, detected near misses, audit finding, or areas of concern in existing plans. And ultimately, scenarios are selected not just for their likelihood,

11:47 but for their potential to effectively test and validate key capabilities across the organization. This, I think, that is the change in the mindset of the professional, no? On what we propose, what is the scope of our proposal. Yeah, okay.

12:17 It makes sense. And in your experience, what makes a good simulation?

12:25 A good simulation, in my perspective, reflects real work context and complexity with a clear purpose and well-defined objectives, smart objectives. It engages, as I mentioned before, the right stakeholders, challenges assumptions, and facilitates dynamic decision-making in order to train the participant in this process.

12:57 It must also be adaptable because participants can always, we know, surprise us, no matter how we will plan the exercise of the program, no? Yeah, completely. Yeah, completely. Yeah. Yeah.

13:18 Okay. So, that adaptability, it's like a really good example because anything can happen once the exercise starts. But do you have any other go-to best practices for scenario design? Yeah. Yeah. When I'm designing a scenario, I focus on a few key things. The scenario itself has to be pleasurable but challenging enough to push the team without overwhelming them.

13:55 It's also critical to define, as we mentioned before, the objectives and the scope of the exercise right from the start, along with clear roles for everyone involved in the exercise, in alignment with the established exercise program. The specific type of exercise we run always depends on the context.

14:26 We can choose from micro-exercise to large-scale simulation, depending on the purpose, and a crucial step that's often overlooked. I always plan the entire exercise with the after-action review in mind, so we know exactly what we need to evaluate and learn from. At the end, it's a validation process, the exercising.

15:01 Nice. Nice. Okay. So, that's really interesting. So, designing from the after-action review in mind, that makes you focus on the training objectives at the beginning to make sure that you tackle those at the end of the exercise. So, do you tend to facilitate, before we get to the end of the exercise, do you tend to facilitate the exercises that you create? Yes. Yes, and I love it. I love it. I believe the best lessons are learned on the ground, and active participation in those exercises always delivers excellent insights.

15:40 ISO 22398 underlines how crucial a skill the facilitation is for keeping the exercise on track and ensuring solid learning outcomes. So, my role, therefore, is to be meticulously prepared to support the entire flow of the exercise. This includes supporting the key exercise roles that they must play the role, not me, but they, them.

16:18 So, observing team dynamics that, at the end, should be evaluated in order to bring the lesson learned or the best practice or also the area of improvement. And, clearly, balancing a structured approach with the flexibility needed to meet our objective without rigidly sticking to the script.

16:56 Is there a way in which you prepare participants of what's going to happen on the day? Yeah, sometimes I don't, it's easy, no? It's better, so they don't know. Announced exercises are one of my favorites. While preparation is a crucial step, this doesn't mean participants should be specifically pre-involved for performing the simulation, no? Of course. Yeah, ISO 22398 recommends a clear definition of the exercise roles.

17:34 It is important. It's crucial for success, as well as a tailored briefing based on participants. Depending on the scope, of course, I may also provide the pre-read materials with context, objectives, and roles of engagement as first part of the exercise. So, the scope here is to reduce uncertainty, so participants can focus on the scenario more than the format.

18:10 At the end, we can summarize my approach in the focus of participants. That is crafted for optimizing the purpose, no? If the purpose is to validate their preparedness and their confidence, clearly, they don't have to know about, no? Yeah, of course, I got it. Right, so the exercise is wrapped up.

18:43 You have focused on how the after-action review is going to look like. So, how do you actually run that part? Yeah. As I mentioned, the briefing is really important. And it's also planned, based on the participant, I start with an immediate debrief or hot wash to gather fresh reaction. Then, I lead a structured post-exercise review where we assess performance against objectives,

19:22 highlight good practices, and identify lesson-learned as well as gray areas, or area of improvement. All findings feed into an action plan that's monitored over time, because for me, feedback without follow-up is just a smoke talk or a coffee break.

19:52 Yeah, it's important, I think. It's relevant. We have to work on the results. As we mentioned, we would introduce a continuous improvement culture, no? And this is one of the most important parts, the validation. Yeah, that's key. How do you transform the insights into transformation, into action, right?

20:25 Yeah, action, action, improvement, no? Exactly. Okay. And can you give us an example?

Toughest Scenario Built

20:31 Could you tell us a little bit about the toughest scenario that you had to build? Yeah. One of the most challenging was an exercise week that I designed. Oh, wow. We performed in a plant with more than 3,000 people with simulation of simultaneously supply chain disruptions and all the event management phases in order to understand if the entire chain works now,

21:06 because sometimes we tend to test phase by phase now in different exercises. And all of that, without causing real operational interruptions, it had to simulate both immediate technical operational response and strategic crisis decision-making with the top management.

21:40 The standards, for sure, help manage the complexity and maintain control and efficiency.

21:49 This kind of standard for me are not just theoretical, but there are tools that guide us for the best. I would recommend to everyone not shy away from testing the resilience. In my experience, organizations are often more resilient than we expect. The exercises are the best way to uncover that strength.

22:19 Fantastic. I really like that. That's a different outlook of what I normally hear. Like, normally, enterprises and companies are more resilient than we think. And that's a really positive thinking, I think. Yeah, yeah. Yeah, because the operational field must be efficient. And they are really prepared to avoid and prevent business disruption. Everyone in its works is prepared not to manage unexpected events in the little field.

22:58 And clearly, when we make an orchestral exercise involving everyone, we can find, we can be really surprised. As I mentioned, participants can really surprise us. It's a nice surprise. Yeah. Sometimes we discover that we have to work. Yeah. Right.

23:28 So, well, this is the last question then for you. What advice would you give your younger self? Looking back, key learning I would share with myself is the power of acting. And also with myself, current myself, while I've always been a key observer, also due to the fact that I'm an auditor,

23:59 I've learned that truly listening is a crucial skill for quickly identifying the best solutions and being more efficient. In critical situations, the smallest details always make the difference. And active listening acts as a powerful booster for spotting them. Definitely. Definitely. What a good takeaway, I would say.

24:32 Not only for this, but for life. Active listening is such a key for identifying problems and solving them. And that's what actually crisis management is about. So, well, it's a deep dive tool that sometimes we forgot to have five senses that we can use in order to immerse us in the situations.

25:02 And this is my learning that I bring with me. And if it would be possible, I would also. You tell yourself. Yeah, in the past. Okay. Well, Maura, thank you very much. It's been a very insightful chat, full of very interesting thoughts and practices. I really like that holistic approach to the whole process with creating crisis exercises.

25:33 So, thank you for having the time and sharing all this with us today. Thank you. Thank you. Thank you. Thank you.
