Safety and risk management

Every engagement involves risk. The practical risks are well understood: unintended service disruption, data corruption, triggering automated responses that affect production. These are worth planning for, and the planning is straightforward.

The less discussed risk is psychological. An engagement that creates significant distress for participants, that generates findings used against the people who were honest about them, or that activates Satir’s survival stances without creating the conditions for recovering from them, produces two kinds of damage. The immediate damage is visible. The longer-term damage is that people become less willing to participate honestly in future exercises, and the organisation loses access to exactly the kind of real behaviour that makes exercises valuable. Psychological safety is not a soft concern alongside the operational risks; it is a precondition for the engagement producing anything worth having.

Operational risks

Before testing begins, establish what cannot be disrupted: production services, safety systems, regulated data environments, customer-facing processes during critical periods. Define who makes the call to stop if something goes wrong, and how quickly they can be reached. Define the rollback plan if testing causes unintended impact.

Gradual escalation reduces operational risk for first engagements: start with lower-risk scenarios, build confidence in the safety controls, and increase intensity only once the team and the environment have shown they can hold.

Human risks

Staff who do not know an engagement is happening and mistake a simulation for a real incident deserve rapid, clear communication that it was an exercise. The experience of discovering after the fact that a genuine-seeming threat was simulated can range from mildly disorienting to significantly distressing depending on how it was handled.

Social engineering scenarios that target employees benefit from clear limits on technique and intensity, and a clear choreography for notifying participants after the fact. The goal is to surface real behaviour under realistic conditions, not to test how much pressure people can absorb. An exercise that exceeds that limit teaches participants to protect themselves from future exercises.

Contingency planning

For each identified risk, define: who decides to stop, how recovery works, and who communicates to affected parties. The contingency plan does not need to cover every scenario; it needs to cover the scenarios most likely to occur given the specific engagement and environment.

If a critical vulnerability is discovered outside the agreed scope, define how it gets reported and to whom, without derailing the exercise or creating confusion about whether the exercise is still running.