You Don’t Want To Be the Next Case Study - A conversation with Jason Flint

Introduction to Crisis Management

0:00organizations aren't perfect. They're run by humans. Humans aren't perfect. I think those type of scenarios where you're really going to the heart of human behavior, I think those are the ones that are going to be challenging. Hello, everybody. This is Belen Santaolalla from Conductor Crisis Exercise Platform. You're listening to the Crisis Designer Podcast,

0:32where we share tips, thoughts, and concepts to help you create impactful crisis management exercises. So if you're involved in crisis management, reputational risk, business continuity training, information warfare, or immersive simulations, this show is for you.

Guest Introduction

0:56Today, we're joined by Jason Flint, a crisis management and corporate security leader with over 15 years of experience helping global organizations navigate disruption. From natural disasters and cyber attacks to reputational threats and executive risk, Jason has built and led end-to-end resilience programs across high-risk industries. In the past, he worked for PagerDuty, an incident management platform where he was responsible for leading the crisis response and resilience efforts

1:30across a variety of complex challenges, including the global pandemic, major geopolitical events, and fast-changing threats. Now working independently, Jason helps organizations turn uncertainty into strategic readiness. Jason, welcome to the Crisis Designer Podcast. Thank you. Happy to be here.

Crisis Management Role

1:54Great. So let's get started. Let's talk a little bit about your role in crisis management. How does it look like a day-to-day in your life? Yeah. No, day-to-day, things can change because, you know, right? Crisis are things that happen pretty suddenly. And, you know, managing those require a lot of flexibility, a lot of adaptability, requires an agile mindset. And so day-to-day, day-to-day, I'm, you know, monitoring what's going on, what's the latest trends that are

2:25happening on the macro stage. And then also just ensuring that our teams are prepared, that they're ready, and that they're, you know, essentially owning the risks of their departments and ensuring that they're communicating. Communication is a big thing when it comes to risks and threats. And then just preparing teams and strengthening our resilience as organizations. And it really takes a steady, steady hand to guide this, right? It's a complex world. It's a complex industry. And so just really

3:01sticking with it and, you know, being as prepared as possible for the things that are unforeseen and even the things that are seen, ensuring that we can manage those things effectively. Of course. And what type of clients or companies do you help and how do you help them? Yeah. I have a wider range of experience with a lot of different type of companies and industries. Everything from, you know, aviation in the past to, you know, technology companies to even diamond

3:33jewelry companies, which I think is a very on-point topic now, given what's in the news with the Louvre heist. And so, you know, the most important thing is that understanding risk is pretty much the same across all industries. It's something you need to identify, something you need to manage and plan for, and it's something you need to practice in terms of your response and ensuring that, you know, stakeholders across your organization and external partners are all in the same mindset in terms of

4:05getting the issue resolved. And so, you know, what I do is essentially manage all of that, that cross-functional, the collaboration, the external partnerships, and then ensure that we are ready, you know, with different types of plans, different playbooks, different response protocols, and different structures that are created within the organization. And so, it's a very in-depth and very exhaustive exercise that has to get done for a number of these organizations. And, you know,

4:40I've been able to do that across a number of different industries.

Importance of Resilience

4:44Nice. Sounds very exciting. Why is resilience critical in today's high-risk environments? Yeah. So, like, we live in a very connected world. You know, everything is connected. When there's an adage on AWS, you know, it's impacting flights, it's impacting your organization, your customers, regulators, investors. And so, resilience is important because you don't want to end up on the five o'clock news. You don't want to be that case study that, you know, the crisis experts are looking

5:16at the next couple of weeks. And so, resilience takes resilience. It's a long game. It's not, you know, there are short-term games that you can have in terms of compliance and readiness, but it's a long-term game that takes a lot of dedication, a lot of focus, and strategic planning. And so, you know, this is something that, you know, experts have been doing for long periods of time in order to sort of get to these standards. But, you know, what I focus on in my organizations or within the work

5:48that I do is how do you exceed the compliance level? How do you exceed the minimum requirements that are out there? Because, you know, when the regulators come and when the news and the press comes, they're not going to ask, are you certified in, you know, this ISO? Are you GDPR certified? Like, things like that. They're going to want to know, how did this happen? How are you going to fix it? And then how are you going to prevent this from happening in the future? Wow. I really like that idea of, like, you don't want to be in the news. You don't want to be the

6:19next case study. That's kind of a big threat, I guess, for organizations. How did your past roles shape your approach to crisis planning and response? Yeah, I started off in private investigations. You know, I did a lot of, like, surveillance operations. I did some undercover operations. And then I moved into the diamond jewelry industry where I was a risk manager planning very complex events and trade shows, events in Hollywood, things like that.

6:54And then in the tech industry, really putting it all together and, you know, focusing on the different types of threats that are across the business in a global organization. And so I think these things help shape my view on crisis, which is you need to be ready for one. You need to have structures and teams and resources in place. And then you also need to play a team game when it comes to these elements, right? You need everyone across the organization really focused in and locked in on preventing the bad things from happening. And then being really resilient in terms

7:30of response and operations, and then embedding technological advances within that in order to sort of force multiply, because there are not a lot of crisis managers in most companies, there's maybe one or two. So you really need to rely on your partnerships, your technology and innovation to get things done. Good. And right now, with the moment we live in, what behaviors or risks are most concerning to you right now?

8:00Yeah, I think that the standard, you know, cybersecurity risks are definitely concerning. Everything is connected to everything. And so I think in resilience, you know, maybe a decade ago, it was how many different contingency plans in terms of platforms and apps can you have? So you can migrate really easily. Now, everything is on the same platforms, the same cloud services. So it's become a slightly different game. And, you know, I think that the risks that I see are, you know,

8:31increasing in terms of the connectivity or interdependence of services and service providers. I think that's one. And then two, I think this AI, the increase in AI usage and, you know, it could be used for good, it could be used for bad. I think that is something that is also concerning for me and something that I've been thinking through a lot. And, you know, one of the things that I mentioned really recently to someone I was talking to was basically like, we're going to need to be able to verify what's real in

9:04real time going forward, because there are a lot of deep fakes or a lot of, you know, things happening that AI is generating and putting out into the into the world. And so I think really the, the AI focused threats are going to be the next thing that we need to, as an as organizations, as an industry really focus in on solving. Definitely. I was just seeing this LinkedIn post recently, about how you can just, with AI in like real time, be someone else, like, be an avatar, which is replicating your son or your CEO.

9:43And it's like, he might be asking you for a ransom and you don't, you cannot really tell if that's real or not. That's incredibly topical and scary. Yeah. Yeah. And I think organizations, like, they're going to have to, once they've caught this, and they realize this is happening, they have to tell people in the public, like, this wasn't our CEO, a CEO didn't say this, or this did not come from our company. And so, you know, there's going to be stock price impacts, which may or may not be recovered as a result. And organizations are going to be looking for someone to, to blame someone to sue. And, you know, AI companies are going to be the next target for those type of things. So it's really interesting.

10:21Yeah, we're going to see a lot of those in the upcoming months, I think.

Essential Elements of Crisis Management

10:26What are the essential elements of a strong crisis management program? I think it starts with definitely stakeholder engagement. You know, and I say this from the perspective of, from the top down and from the bottom up. So I think a lot of organizations focus on getting senior leadership buy-in, and they forget sort of the middle of the organization, which are the real doers when it comes to crisis management, crisis leadership.

11:01And so I think I've always focused on sort of a grassroots approach, starting from the bottom up and influencing different stakeholders in different departments. And so I think having a very strong base in terms of your support is important. And then really investing in preparedness. I think preparedness is something that is very low cost when it comes to organizations versus headcount versus, you know, external partnerships and consultants. So I think preparedness is something that can be built into organizations from the start and continue to practice plans, playbooks, and, you know, your response protocols is going to be important.

11:40And then lastly, I think really having a really strong charter, really strong mission and vision for your crisis leadership team in terms of what they want to accomplish and really building that into the DNA of the organization in terms of how we accomplish business objectives from the perspective of crisis leadership. And using, leveraging our responsive crisis to really improve our operations, improve our reach to our customers and to the public as well.

12:12Nice. So it's about trying to avoid detachment from the mission at every scale. But how do you integrate resilience into everyday operations? That's a difficult task for sure. I think a good way to do it is to focus in on, you know, the business processes within organizations. So when you think about business continuity and focusing on critical processes, think through sort of the elements of, you know, how can something negatively impact our business when it comes to this process?

12:51And then ensuring that those people who lead the process are thinking through, you know, what are the risks? What are the impacts? And then, you know, radically tying that to some level of performance, I think, is something that we should be doing as organizations when it comes to resilience, when it comes to crisis. How do we manage them? How well are we prepared for them? And then, you know, having some level of accountability in terms of, you know, who's the person in charge? Who's the person that's leading these crises is important. Right. So you're talking about how prepared we are for this.

13:25How do you do those preparations? Do you run trainings, exercises, crisis scenarios? Yeah, all of the above, really. I think I follow very closely FEMA's building block approach when it comes to exercises. Start small, you know, drills, tabletop exercises, and really move into immersive simulations, full-scale exercises are a good thing that organizations should be doing. Like, really practice the operations part of your crisis.

13:57How do you, you know, communicate to customers? Have you actually used that platform to do it in the past, or have you run a test recently? So really embedding the operational side of a crisis into a lot of your tabletop exercises and your functional exercises is important, or something that I see as critical for organizations to really build that resilience. And what do your exercises actually look like in practice, even if it's a small or a big one?

14:29When you had to put something together, what do they look like? Yeah, I've run a number of different types of exercises. I've run some where we've had, you know, sort of multiple, like 20 plus, almost 30 people involved in an exercise. And it's been one that's asymmetrical, where I'm providing context within emails. There's something in a Slack channel that comes up, and we have to start thinking through that. And then we move into a formal, like, Zoom call, where you're actually addressing the situation and talking through the steps.

15:04And I've also done, you know, the simulated elements on platforms, which are very helpful for real-time, you know, creating pressure and creating that level of uncertainty. And then I've done a lot of, like, learning exercises and gamified exercises, which have been fun. And there's been one exercise where we provided, like, 50 scenarios when you asked people to rate, you know, what's the severity of this situation that's happening? And that really helped me hone in on, like, the sensitivity of the crisis.

15:35What's the risk tolerance for these type of events? And then really pinpoint where we should focus as an organization. And so I've taken a wide range of approaches to conducting exercises. And it's really important to make sure it fits with the organizational culture. Yeah, got it. And when you are going to design a new exercise, how do you choose the scenario that you're going to design? How do you decide what's going to be the theme or the threat that you're going to replicate?

16:08Yeah, I think that I've taken two approaches. One, it's been, you know, something that we faced in the past that maybe we want to improve upon. I think that that's one, I think that's lots of opportunity to understand where things went wrong, where things went well, and then, you know, find those improvements that, you know, incremental improvements that can really make a difference within the organization for the next time it happens. And then the second one is just what's on the news.

16:35Great source of inspiration. Exactly. I talked about those case studies for organizations, like what happened to our competitors? I think when it comes to exercises, when it comes to resilience, it's a competitive, like, game. Like, we want to be better than our competitors. And so we should be looking to what problems they had recently, what news articles came out recently that had to do with this industry or that industry. And so using that as inspiration, developing those exercises as a result of that is really important because it's based off of real life.

17:11This happened. So we can't pretend, even within our exercise, that this isn't a reality. So I think that's really important as well.

Creating Impactful Exercises

17:19Totally. And do you have any best practices on how to create impactful exercises? Best practices would be to target the vulnerabilities. I think those are the places where you're going to see the most growth. I think walking through things that you've already done in the past is important. I think that's just a regular drill. But really target the things that you're vulnerable to. Whether it's cyber risk, whether it's AI risk, whether it's executive threats, really dig into those themes.

17:58And then, you know, multiple injects are important, of course. But I think one of the trends that we're seeing is people sort of combining multiple types of crises within one exercise. So creating this perfect storm scenarios. I think that's important as long as they're all interrelated and they really engage every member that's participating in the exercise. I think really creating a comprehensive exercise. And then lastly, I'd say one of the things that I've seen is our focus in exercises typically is that immediate response to a crisis.

18:36But sometimes we forget the recovery. We forget what happens afterwards, the months of lingering press inquiries and articles in the news, right? So I think make sure that you either do a part one and part two type of exercise where you focus on the response and then recovery. Or just start from the recovery side of the exercise. Like this happened. This is where we are. And this is the residual risks and impacts that we're focused and that we're facing over the next couple of weeks. So I think really understand where your risks are, where your vulnerabilities are, and then test those in depth from the initial start of the crisis all the way to the recovery.

19:17That's very interesting. Yeah, because we tend to focus only on the big splash. Well, when you are in the breaking news and it's like everything is like very heated. But the other part of the recovery phase, I'm sure that it's normally not covered. And I think it's a very important part of how to manage and deal with the crisis. And also you mentioned the engagement of the participants. And I wanted to ask you, how do you get the teams to be fully engaged in the training?

19:51How do you make sure that they show up in the day and they are excited and they want to be there? Yeah, I think that's a tough one. It's definitely a tough one, especially in a tough macro environment. I think one of the things that I've sort of championed within an organization is gamified exercises and immersive learning experiences. I think it's actually been proven that those are the type of activities where people learn the most and when they remember the most.

20:24I remember doing an exercise where one of the questions was, or one of the scenarios were that your teams put together a pool, a lottery pool. And essentially they win the lottery and there's about 15 people that are going to leave your organization. Is this a crisis? Is this an issue? Is this a non-issue? And so a lot of people remembered that scenario because it was such an impactful scenario to think about because it's something that's memorable.

20:54So I think gamifying for sure is important, making it fun for your participants, and then also making sure they get something out of it, whether it's swag, whether it's some level of learning that they didn't have before or some level of training. And I did talk about sort of the functional element of, let's have them craft an emergency communication during the exercise rather than just talking about emergency communication. So giving them those habits that they can take with them, I think are important. And do you run some sort of after-action review?

21:35And how do you make sure that like once the exercise is over, everything that has been discussed is actually implemented if needed? Yeah, after-action reviews, those are a must. I think you do those after every exercise and essentially after every incident. And those, you know, you can run those through a software platform. You can run those through having a direct conversation after the exercise. And I think those are really important to focus in on.

22:06You know, we built a retrospective playbook in my last organization. And that was something that really gave you the structured approach to how you approach an after-action report and get it completed. And then, you know, create this project plan as a result of this retrospective or after-action review. And you have to assign owners to all of the tasks. I think that's the one thing that gets missed is they put together this long list and it just kind of goes in a folder or somewhere on a computer and no one looks at it until the next exercise.

22:39So I think really designing your exercise so that there is a project manager at the end to take over that after-action, you know, post-incident reviews. And also ensure that they're tracking all of the completion of these elements. And, you know, I'd add that one thing you could do is throw in some, you know, micro exercises or micro simulations after the fact that target those specific actions to ensure that they're getting done or, you know, ensure that there's progress in terms of improving in those areas.

23:12So can you think of the most complex exercise or not complex, but challenging scenario or training situation that you led or you had to put together? Yes. I recently put together, this one was really challenging. It was an active shooter event. And so just thinking about, you know, the recovery versus the immediate, you know, sort of boom of the situation, I focused in on, you know, this news comes out, this has happened.

23:52What are we doing to sort of respond to this and what are the cascading effects throughout the investigation? And so, you know, I put together this scenario, I used like audio, I used video that was generated using AI, the social media posts, of course, because those are things that drive a lot of crises these days. And so it was really challenging because it asked participants to, one, you know, believe and understand that the situation is happening and it's real.

24:25And then dealing with the after effects, the investigation, which, you know, turned out there was bad news about the organization within the investigation, right? There was a grievance that the person had, which turned out to be true. How do you deal with that? How do you recover from that? So I think the most challenging crises or exercises are the ones where there's bad news from the investigation and that the company is actually at fault. And so just, you know, exercising that is important because, you know, organizations aren't perfect. They're run by humans. Humans aren't perfect.

24:55And so, you know, I think those type of scenarios where you're really going to the heart of human behavior, I think those are the ones that are going to be challenging. Definitely. What a good one. How to embed a dilemma in the whole scenario so you really see the human nature in the problem and how you deal with that. Right. Okay. So this is going to be my last question. And I always like to ask this question to the guests. What advice would you give a younger version of yourself starting out in this field?

25:31I think I would say become a coffee drinker. That's an important thing when you're in a crisis, right?

25:41Yeah. I think one of the things that I've been thinking through, and I think this is great advice for someone like me starting out, is think about crisis management more from the political and connection standpoint versus the strategic standpoint. I think a lot of what we do in crisis management involves connection with people, with external stakeholders, customers. So think about how you approach it from the perspective of voters, from your constituency, from dealing with these issues that get resolved from the benefit or from the perspective of your stakeholders.

26:26And so I think just being more mindful of that and, you know, you can create all the frameworks and all the preparedness you want, but every situation is different and they all involve people that are being impacted. And so really honing in on that human element and that connection element, I think, is important. Yeah, it's always about the human factor at every level, definitely. Well, Jason, thank you very much for coming to the show. It's been a pleasure to have you here and hear all your learnings and insights.

27:00I wish you the best and have a nice day. Great. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you.

27:43Thank you.