The Language of Practiced Resilience

What it is

Microsimulations compress the value of traditional crisis exercises into formats short enough to run frequently and structured enough to produce data - a single-player rep runs 3–5 minutes, a multiplayer team drill 30–45 minutes, an expert-led executive sim 60–90 minutes. Each in-turn around a critical decision point, with realistic media and evolving injects, and every rep generates structured data: time-to-decision, decision quality, coordination breakdowns, and process gaps.

Why it matters

Traditional testing relies on annual tabletops - infrequent, unscalable, and qualitative. Microsimulations make practice continuous, measurable, and scalable, feeding directly into Capability Intelligence so leaders see where resilience is strong and where it is fragile.

Recognition

Gartner named Microsimulations in the Hype Cycle for Legal, Risk, Compliance and Audit Technologies in both 2024 and 2025, recognising Microsimulations as an emerging approach to operational resilience and decision assurance.

What it is

Capability Intelligence replaces the readiness checkbox. Instead of point-in-time attestation ("we have a plan, we ran an exercise last year"), it produces living signal from every practice rep, team drill, executive simulation, and live incident. The unit of measurement is decision capability - the demonstrated ability to make the right call, fast enough, under pressure - aggregated across functions, business units, regions, and risk domains into one reporting layer.

Why it matters

Boards and resilience regulators are moving from documentation as evidence toward demonstrated capability. DORA, APRA CPS 230, and the UK Operational Resilience regime all require testing severe-but-plausible scenarios and continuous evidence of performance. Capability Intelligence answers the question regulators now ask - not "do you have controls?" but "can you actually respond?"

How it is generated

Every Microsimulation feeds the same intelligence layer. Single-player reps build individual decision speed. Team drills surface coordination gaps. Executive simulations test strategic judgment. Critical Event Management connects live events to the data back into the dataset - producing comparable, longitudinal evidence across the whole organisation.

What it is

Broader than business continuity or disaster recovery testing: where those validate a specific control or process, resilience testing validates whether the organisation as a whole - people, technology, third parties, and decision-making - can deliver important business services through severe-but-plausible disruption. A complete programme tests across four dimensions:

• ●People - can the right teams make the right decisions under pressure?
• ●Process - do playbooks hold up when conditions change?
• ●Technology - do systems and integrations behave as expected under stress?
• ●Third parties - do critical service providers recover within tolerable timeframes?

Regulatory drivers

• ●DORA, EU - regular testing of digital operational resilience, including scenario-based exercises
• ●UK Operational Resilience (FCA, PRA, BoE) - test the ability to stay within impact tolerances
• ●APRA CPS 230 (Australia) - maintain and rehearse business continuity and operational risk programmes
• ●NIST CSF / ISO 22301, FFIEC - all reference evidence-based testing over self-attestation

Why traditional testing falls short

Annual tabletops and infrequent BCM rehearsals were built for slower change and tighter expectations. Threats now evolve faster than annual cycles, regulators expect continuous evidence, and boards want forward-looking signal. Microsimulations close that gap - frequent enough to run often, structured enough to produce data, scalable enough to test the whole organisation.

What it is

Designed for individual practice at scale. A participant meets a realistic scenario - a pressing alert, an AI-drafted phishing message, an escalating regulatory query - and navigates it through immersive media: emails, chat messages, dashboards, voicemails. They decide in real time, then AI-driven feedback explains where their choices aligned with policy and best practice, and where they diverged.

What it measures

• ●Decision quality against scenario-defined response paths
• ●Time-to-decision under pressure
• ●Pattern recognition across repeated scenario variations
• ●Knowledge or process gaps revealed by recurring errors

When to use

• ●Onboarding for risk awareness
• ●Quarterly capability refreshes across large populations
• ●Targeted reps for high-exposure teams (engineering, customer-facing, finance)
• ●Pre-event prep before major team drills or executive simulations

What it is

Runs across functional teams through a shared scenario in real time. Participants log in from wherever they are and respond together to an evolving situation - a cyber incident, a third-party outage, a regulatory inquiry, a physical security event. A facilitator or scenario engine introduces injects that change conditions and force the team to adapt. The output is a structured map of where coordination broke down, where decisions stalled, and where roles were unclear.

What it measures

• ●Coordination across functions (risk, security, ops, comms, legal)
• ●Time-to-decision when multiple roles must weigh in
• ●Quality of escalation and information flow
• ●Ability to sustain decisions when conditions change
• ●Effectiveness of playbooks and protocols under live pressure

When to use

• ●Crisis Management Team (CMT) rehearsals
• ●Cyber and operational incident response stress
• ●Cross-functional readiness checks ahead of launches or deadlines
• ●Quarterly testing required by CPS 230, DORA, or UK Operational Resilience

What it is

The highest-stakes format. A trained facilitator runs an executive team, board committee, or cross-functional leadership group through a complex scenario built around their actual business - real services, real regulatory exposure, real interdependencies. The scenario confronts them through facilitator-controlled injects, surfacing decisions that test strategy, governance, and judgment under pressure.

What it surfaces

• ●Are governance escalation paths actually ventilated under pressure?
• ●Where are the gaps between board-level assumptions and operational reality?
• ●How would the organisation make trade-offs in a plausible cover?
• ●Are impact tolerances, recovery objectives, and disclosure obligations actually achievable?

When to use

• ●Board or executive team who needs direct experience of severe-but-plausible scenarios
• ●Executive onboarding or annual leadership rehearsal
• ●Before or after a material change - acquisition, migration, regulatory deadline
• ●To validate impact tolerances and recovery commitments under realistic conditions

What it is

Where business continuity and incident response describe the plans, Critical Event Management is the coordination layer that runs when those plans activate - connecting the people who decide, the playbooks they follow, the communications they send, and the systems they update, in real time. A capability typically includes:

• ●Activation triggers - when and how an event escalates into formal response
• ●Role-based playbooks - who does what, when, and in what order
• ●Communications workflow - internal alerts, customer messaging, regulator notifications
• ●Decision logging - a real-time record of what was decided, by whom, and why
• ●Post-event reporting - auditable evidence for regulators, boards, and insurers

Why it matters

Most organisations discover the gaps in their crisis response only when they activate it for real. Critical Event Management makes those gaps visible before the incident by making coordination explicit, structured, and instrumented. Decision logs from real events become evidence of resilience - and inputs to Capability Intelligence that strengthen future practice.

How it connects to practice

In iluminr, the same workflows used in Multiplayer Microsimulations and Expert-Led Simulations carry over into live response. Teams practise in the system they will actually use - and data from real events feeds back into the same Capability Intelligence layer that scores practice. Practice and response stop being separate disciplines.

What it is

A facilitator presents a scenario - a cyber incident, a natural disaster, a third-party outage - and walks the group through its stages. Participants describe what they would do and they would do it, and what decisions they would make, while a scribe captures the discussion. The output is a written report covering what occurred, what did not, and what should change. Tabletops trace back to business continuity planning and public-health emergency preparedness.

• ●Flexible - facilitators can pursue interesting threads as they emerge
• ●Surface assumptions and disagreements more structural formats can miss
• ●Well-suited to genuinely novel scenarios with no dominant "correct" response

• ●Frequency - expensive and slow to organise, so they happen once or twice a year
• ●Scale - only tests the people in the room, not the wider organisation
• ●Data - qualitative notes, not structured data you can compare year to year
• ●Realism - describing what you would do is not the same as doing it under pressure

How Microsimulations evolve the format

Microsimulations are not a replacement for every tabletop, but they address each structural limit: they run frequently, scale across the organisation, capture structured data automatically, and place participants inside the scenario rather than describing it from the outside. Many organisations use Microsimulations for continuous practice and reserve tabletops for annual deep-dives on novel or strategically significant scenarios.

What it is

Decision Assurance reframes resilience around its actual point of failure: the decision. A plan nobody can execute under pressure is not resilient; a control assurance review cannot reveal it. What matters is whether the people accountable for critical events make the right call, fast enough, with the right information. It answers four questions about any critical decision-making context:

• ●Will the right decisions be made? (Decision quality)
• ●Will they be made fast enough? (Decision speed)
• ●Will they be made consistently across people, teams, and units? (Decision reliability)
• ●Is there evidence to demonstrate all of the above? (Decision auditability)

Why it matters

Boards and regulators increasingly want forward-looking assurance, not historical attestation - shifting from "did you have a plan?" to "if a severe-but-plausible event occurred tomorrow, do you have evidence the right decisions would be made?" Microsimulations produce that evidence directly, and aggregated, it becomes Capability Intelligence.

How it differs from control assurance

Control assurance verifies that policies, procedures, and technical controls exist and function as designed. Decision Assurance verifies that the humans operating in and around those controls will make the right calls when conditions deteriorate. Both are necessary; only one of them was historically measurable.

What it is

In a static scenario, participants are given a situation and asked to respond. With injects, the situation evolves: new information arrives, conditions change, stakeholders make demands, regulators call. The participant cannot simply execute a plan - they must adapt, as they would in a real event. Injects originate in scenario design, where structured information flows into a commandpost replicates the fog of real operations.

Types of injects

• ●Information updates - new facts about the unfolding event
• ●Stakeholder injects - a regulator calls, a customer threatens to leave, a journalist publishes
• ●Role activations - a key person becomes unreachable, or a new function is called
• ●Environmental changes - a secondary system fails, a third-party cannot recover, a deadline moves
• ●Adversary moves - in a cyber attack/physical scenario, the threat actor adapts

Why injects matter

Static scenarios test whether a plan exists. Injects test whether the people running it can adapt when reality diverges. Most real-world incidents involve at least one significant inject - a complication not in the original playbook - and the most plans collapse at exactly that point. Practising under inject pressure is what builds the adaptive capability real events demand.