For those risks that present the greatest potential to impact your organisation, or have the greatest likelihood, it is important to understand what you would do it the risk materialised. Even where your risk management programme has identified those risks, along with controls to prevent or mitigate them, selected risks should be considered from the perspective of what would you do if it happened.
A Scenario-based workshop is a very cost-effective approach to understanding how you would detect, escalate, respond and recover were that risk to happen. Designing such a workshop should consider the context of the risk, (how it could start; precedents; scale and timelines; consequences) and the key stakeholders who would be involved or impacted. The design also involves understanding what planning you have in place to respond, what contingencies there are to mitigate the risk and the communications channels that would be involved.
Participants should be based on those whose expertise would be required to manage the event, along with those who have ownership of resources and stakeholder relationships that would be impacted or used in response. With this preparation completed you can then undertake the workshop to assess your capabilities, identify gaps and develop reassurance regarding your risk treatments.
Scenario-based workshops should be considered before you commit to simulation exercises. In addition to confirming your response resources and structures, the workshop format allows you to address any deficiencies. Better to do so in a workshop environment than identifying a gap at the outset of an exercise that takes considerably more time and resources to develop and undertake.