Running Cross-Functional Exercises: Building Organizational Muscle Memory

EDITOR’S NOTE: This article is part of a seven-part “Cross-Departmental Resilience Framework” series by Scott Balentine of Methodist Le Bonheur Healthcare. The series offers a practical roadmap for embedding resilience across governance, operations, and culture.

Previous articles in this series:

• https://drj.com/journal_main/resilience-council-governance-framework/
• https://drj.com/journal_main/defining-important-business-services-resilience/
• https://drj.com/journal_main/creating-dual-playbooks-business-continuity/

***

Resilience is not proven in planning documents—it is tested under pressure. Organizations that limit testing to IT recovery or departmental tabletop exercises risk discovering critical failures during real crises. A robust exercise program is the only way to confirm whether continuity plans actually work when faced with disruption. By rehearsing together, departments can identify weaknesses in coordination, communication, and decision-making that would otherwise remain hidden.

The ISO 22301:2019 standard explicitly requires organizations to “conduct exercises to ensure readiness” and “evaluate the effectiveness of continuity strategies.” Similarly, the NIST SP 800-34 Contingency Planning Guide underscores the importance of testing plans not only within IT but also across business units to validate coordination. The DRI Professional Practices identify exercises as a core component of preparedness, emphasizing multidisciplinary participation as essential to resilience maturity.

Cross-functional exercises transform resilience into lived practice, ensuring people know not only their individual roles but also how to collaborate across departmental boundaries.

Why Cross-Functional Exercises Matter

Beyond IT Recovery

Many organizations still equate resilience exercises with IT failover testing. While these tests confirm whether systems can be restored, they do not assess whether the business can operate effectively during downtime. For example, a hospital’s IT team may restore electronic health record (EHR) access, but without practiced downtime procedures, clinical staff may struggle to maintain safe patient care. Similarly, in a financial institution, restoring trading systems is insufficient if compliance teams fail to notify regulators within mandated timeframes. True resilience requires ensuring business services—not just technology—are maintained.

Building Trust and Coordination

Exercises strengthen relationships among departments that rarely interact under normal conditions. During crises, decision-making depends on trust, clear communication, and mutual understanding. Shared rehearsals foster this trust and provide opportunities to clarify handoffs. For example, IT may know when containment of a cyberattack is achieved, but communications staff need that information to time external announcements. Without practice, these handoffs are often delayed or mismanaged.

Meeting Regulatory Expectations

Regulators increasingly demand proof of resilience through enterprise-wide exercises. The UK’s Financial Conduct Authority (FCA) PS21/3 policy requires firms to test the resilience of “important business services” against severe but plausible scenarios. This obligation extends far beyond IT and necessitates exercises that bring together multiple departments. Similarly, in the healthcare sector, regulatory bodies expect hospitals to conduct multi-disciplinary drills, such as mass casualty or evacuation exercises, to validate readiness for high-stakes events.

Case Studies

Cleveland Clinic: Practicing the ‘One-Team’ Model

During the COVID-19 pandemic, Cleveland Clinic operationalized its “One-Team” model by conducting joint rehearsals that brought together clinical operations, IT, supply chain, and communications. These exercises enabled rapid resource reallocation, continuity of critical services, and compliance with evolving public health mandates. By simulating disruptions before they occurred, Cleveland Clinic demonstrated agility and reinforced its culture of coordinated resilience.

Maersk: Improvised Recovery During NotPetya

In 2017, the global shipping giant A.P. Møller–Maersk experienced one of the most devastating cyberattacks in history when NotPetya malware encrypted systems worldwide. Operations were paralyzed across ports, shipping lines, and corporate offices. With no structured cross-functional exercise program in place, IT and operations improvised recovery. Remarkably, the company rebuilt systems in days, aided by an offline backup discovered in a Ghana office. Leaders later admitted rehearsed cross-functional exercises could have significantly shortened downtime and reduced chaos.

Kaiser Permanente: Wildfire Evacuation Drills

Kaiser Permanente Santa Rosa conducted hospital evacuation drills prior to the 2017 Tubbs Fire and the 2019 Kincade Fire. These rehearsals, involving clinical leaders, facilities staff, security, transport, and communications, proved invaluable. When wildfires forced real evacuations, staff executed roles and patient flows with precision, preventing chaos and maintaining safety. Pre-existing cross-functional exercises turned potential disaster into a controlled, coordinated response.

Designing Cross-Functional Exercises

The first step in designing cross-functional exercises is to define clear objectives. Without explicit goals, exercises risk becoming generic discussions which do little to improve organizational readiness. Objectives should focus on validating whether critical services can continue within defined impact tolerances, whether roles and responsibilities are understood across departments, and how effective communication is with regulators, customers, and staff. They should also test governance and escalation pathways to uncover gaps which might otherwise only surface during an actual crisis. Clear objectives establish the purpose of the exercise and provide the benchmarks against which performance will be measured.

Once objectives are set, the next step is to select scenarios that are both severe and plausible. Scenarios should be rooted in the organization’s risk profile and designed to test resilience under conditions most likely to cause disruption. For example, ransomware attacks affecting IT and operational technology (OT) systems, severe weather events that force facility shutdowns, supply chain disruptions involving critical materials, or a pandemic causing widespread workforce outages are all realistic scenarios. Selecting scenarios that resonate with the organization’s vulnerabilities ensures exercises are relevant, challenging, and impactful.

Cross-functional exercises must also involve all departments, not just IT. True resilience depends on the ability of multiple functions—operations, HR, finance, legal, communications, supply chain, and facilities—to work together under pressure. For instance, in the event of a cyberattack, IT may handle containment, but communications teams must quickly prepare regulatory disclosures and customer updates, while HR mobilizes surge staffing to support critical functions. Involving all departments ensures handoffs are tested in realistic conditions and prevents gaps that could otherwise undermine the response.

Organizations should also vary the types of exercises conducted to build maturity over time. Tabletop exercises provide a forum for executives and managers to walk through scenarios in discussion-based sessions, testing decision-making without operational disruption. Functional exercises go further by rehearsing specific departmental actions, such as restoring backups, activating call trees, or initiating vendor workarounds. Full-scale exercises represent the highest level of complexity, involving multi-day simulations such as hospital evacuations or live failovers of IT infrastructure. By rotating among these formats, organizations can incrementally build resilience and test different dimensions of readiness.

Performance measurement is another critical component of cross-functional exercises. Exercises should not be judged subjectively but against measurable criteria. Metrics may include the time taken to reach key decisions, the clarity and accuracy of communication across departments, adherence to impact tolerances, and the number or severity of corrective actions identified. These metrics create a feedback loop that enables leaders to assess the maturity of their resilience program and identify where additional investment or training is required.

Finally, conducting after-action reviews ensures lessons learned translate into improvements. Immediately following each exercise, structured debriefs should be held to capture successes, failures, and insights. Corrective actions must be documented, assigned to specific owners, and given deadlines to ensure accountability. Without this follow-up, exercises risk becoming “check-the-box” activities that demonstrate activity without driving progress. When done properly, after-action reviews turn exercises into engines of continuous improvement, embedding resilience into the organization’s culture and operations.

Challenges and Solutions

One of the most common challenges in running cross-functional exercises is exercise fatigue. Staff may begin to perceive exercises as disruptive or burdensome, especially if they are repetitive or disconnected from day-to-day work. When employees feel rehearsals take them away from their core responsibilities without adding value, engagement drops and the effectiveness of the program suffers. To address this, organizations should rotate scenarios regularly, vary the types of exercises, and make clear links to daily operations. By keeping exercises fresh and relevant, staff are more likely to stay engaged and recognize their importance.

Another significant obstacle is the lack of executive buy-in. Senior leaders may undervalue exercises, dismissing them as non-productive time rather than strategic investments in organizational resilience. This mindset can starve resilience programs of the sponsorship and visibility they need. The most effective way to counter this resistance is by leveraging case studies that demonstrate the consequences of inadequate preparation. Incidents like Maersk’s costly global shutdown during the NotPetya cyberattack or Colonial Pipeline’s decision to halt operations following a ransomware incident provide powerful reminders that untested plans can escalate into catastrophic failures. Such examples help executives appreciate the business value of regular rehearsals.

Over-engineering exercises is another frequent challenge. In the effort to make scenarios realistic, planners may create overly complex simulations that overwhelm participants and obscure learning objectives. When exercises attempt to replicate every possible contingency at once, staff may become confused and lose sight of their core responsibilities. A better approach is to start small, using simpler tabletop discussions that build confidence and clarify roles. As the organization matures in its resilience journey, more complex functional and full-scale simulations can be introduced. This progressive scaling allows teams to develop capacity incrementally without being overloaded.

Finally, siloed planning often undermines the effectiveness of exercises. Departments may conduct their own rehearsals independently, focusing narrowly on their internal processes without integrating with other functions. This fragmentation prevents organizations from practicing the cross-functional coordination real crises demand. Governance through a resilience council offers a strong solution. By overseeing exercise planning and execution at the enterprise level, the council ensures integration, avoids duplication, and reinforces resilience as a shared responsibility. This cross-departmental governance creates consistency while also fostering collaboration and trust across organizational boundaries.

Benefits of Cross-Functional Exercises

One of the primary benefits of cross-functional exercises is the enhancement of operational readiness. When staff rehearse their roles and responsibilities under realistic conditions, they gain the confidence to act decisively in actual crises. Exercises provide a safe environment for employees to make decisions, test procedures, and identify uncertainties, ensuring they are better prepared when pressure is real. This preparedness translates into faster and more effective responses when disruptions occur.

Cross-functional exercises also improve communication across departments. Crises often falter not because plans are absent, but because information is delayed, misinterpreted, or lost in handoffs. By practicing coordination in advance, teams strengthen the flow of information between technical and business functions, reducing delays and misunderstandings. These rehearsals reinforce the importance of clear communication channels and establish trust among departments that may not interact frequently under normal conditions.

From a compliance perspective, cross-functional exercises help organizations meet regulatory requirements. Standards such as the ISO 22301 mandate for regular testing of business continuity management systems, while policies like the FCA’s PS21/3 in the financial sector require evidence that important business services can withstand severe but plausible scenarios. By conducting structured exercises, organizations generate the documentation and evidence necessary to demonstrate compliance, reducing regulatory risk while strengthening actual resilience.

Another significant benefit lies in continuous improvement. Every exercise, whether tabletop or full-scale, generates lessons that highlight strengths and expose gaps. These findings, when captured and acted upon, enable organizations to refine procedures, update playbooks, and strengthen governance. Over time, this cycle of testing and improvement elevates resilience maturity, ensuring the organization adapts as risks and business models evolve.

Finally, cross-functional exercises support cultural integration by embedding resilience into the organizational DNA. When employees see resilience rehearsals as a normal part of work life, they internalize the value of preparation. Exercises reinforce the message that resilience is not the responsibility of a single department but a shared priority across the enterprise. This cultural shift creates a workforce that is more engaged, accountable, and aligned when facing disruption.

Conclusion

Cross-functional exercises are the crucible where resilience is proven. Organizations that restrict testing to IT recovery or departmental drills risk being unprepared for real-world crises that span multiple functions. Case studies from Cleveland Clinic, Maersk, and Kaiser Permanente demonstrate rehearsals prevent chaos, shorten recovery, and build trust.

Guided by ISO 22301, NIST SP 800-34, and the DRI Professional Practices, organizations should design structured, measurable, and inclusive exercises. These rehearsals ensure resilience is not theoretical but lived. In an environment of escalating cyber threats, natural disasters, and supply chain risks, running cross-functional exercises is not optional—it is the only way to guarantee organizational survival.

***

The fifth article in this seven-part series, “Modernizing Collaboration Tools: The Digital Backbone of Resilience,” explores how technology enables true organizational resilience by supporting transparent, rapid, and coordinated response. It examines how outdated, siloed systems can paralyze operations during crises and outlines how modern, cloud-based, and integrated platforms—aligned with ISO 22301, NIST SP 800-34, and NIST Cybersecurity Framework 2.0—can transform coordination and decision-making. Through case studies from Southwest Airlines, Norsk Hydro, and healthcare organizations, the article highlights the risks of legacy tools and the advantages of modernization. Readers will gain practical steps to audit, upgrade, and integrate collaboration technologies to strengthen enterprise-wide resilience.