Skip to content
Corporate Law Departments

In Practice: How Dassault Systèmes’ law department employs scenario planning to mitigate risk

Rose D. Ors  CEO of ClientSmart

· 6 minute read

Rose D. Ors  CEO of ClientSmart

· 6 minute read

How can companies and organizations best prepare for natural disasters, cybersecurity hacks, and other high-impact crises? Plan for them.

In a business environment where uncertainty is a given, how does a company’s law department build the organizational muscle to respond to what Donald Rumsfeld famously called “known unknowns” and “unknown unknowns”? The answer: scenario planning and simulations.

In this installment of In Practice, Rose Ors, CEO of ClientSmart, spoke to Michelle-Kim Cohn, Deputy General Counsel at Dassault Systèmes, about how the global technology company employs scenario planning and simulations to prepare the company to respond to low- and high-probability, high-impact risks.

Rose Ors: Why do you engage in scenario planning and simulations? 

Michelle-Kim Cohen: These tools are extremely valuable to plan effective ways for the company to respond in an actual crisis. During the scenario analysis phase, we examine trends and other data to identify contingencies that, if they occur, will significantly impact company operations. The analysis does not identify every possible contingency — the COVID-19 pandemic is a great unforeseen example — nor precisely how the contingency will unfold. What the process does is identify plausible scenarios.

We establish written policies and procedures for each event and develop the appropriate training tools. We test the efficacy of our crisis response tools with simulations — what we call drills — in low-stress environments. Each drill is a dress rehearsal that informs us on what steps work well and what steps must be changed and refined before an actual crisis hits. These drills give us a lens into the readiness of the response team and other company personnel.

It is a given that human error will be a factor in high-stress situations. The goal is to minimize errors through regular training and practice.

Rose Ors: What are other benefits? 

Michelle-Kim Cohen: Another significant benefit is the high level of trust that the process builds among the scenario-planning team members. Most of our teams are composed of legal and a cross-section of subject-matter experts from other business units. When we come together, we leave our functional silos and don a mindset where learning from and respecting divergent viewpoints matters.

It is a given that human error will be a factor in high-stress situations. The goal is to minimize errors through regular training and practice.

Another benefit of our work on scenarios has played out in our response to the pandemic. Because of the geographies in which we operate, we plan for and practice our response to natural disasters — fires, earthquakes, extreme weather. Although we had no response plan for a health crisis, our natural disaster plans and drills allowed us to quickly pivot to a full-remote operation and again pivot to returning to the office. Our natural disaster response strategy proved invaluable, particularly our emergency communication and IT plans. Of course, the COVID-19 pandemic, unlike most natural disasters, has been a far more prolonged crisis that requires a different playbook, which continues to evolve.

Rose Ors: Can you say more about the composition of the scenario team? 

Michelle-Kim Cohen: A member of our legal team always has a seat at the table. The team can also include a member from ethics and compliance, human resources, IT, communications, safety and security, and other units whose expertise is needed for each scenario. Our policies and drills aim to protect our employees’ health and safety, the privacy of our stakeholders, and our ability to support our customers.

The nature of the work requires that we understand our respective roles and responsibilities and join together as a crisis response team that can make quick decisions and act in a coordinated way within a high-stress, fast-moving environment.

Rose Ors: Let’s now talk more about the simulations and drills you conduct. What are some examples? 

Michelle-Kim Cohen: In addition to drills on what to do in response to natural disasters, we conduct simulations that test our readiness to respond if the government pays us a surprise visit. This scenario is most plausible for our offices operating in the European Union but also can occur in the US. We make the exercise mirror an actual event as closely as possible.

We also conduct drills to prepare the company for geopolitical risk. In Latin America, for example, we run drills on responding to political demonstrations and other types of political events that could impact operations. Although not drills, we conduct active shooter training in North America — live classroom-type training and online exercise in all our offices.

In Practice
Michelle-Kim Cohn, of Dassault Systèmes

Rose Ors: Do you debrief after each actual event or simulation?

Michelle-Kim Cohen: We do a debrief right after every incident response — actual or simulated. We call the debrief an audit, and it’s a critical step. The audit may consist of several group emails or an all-hands meeting, depending on the scenario. In either case, we assess our strengths and vulnerabilities and then take the necessary steps to improve the plans and training. In addition to these audits, we regularly evaluate our written policies and procedures. The pandemic drove home an important lesson: complacency is not an option.

Rose Ors: Where do you store the plans and processes — decision trees and the like — so that everyone who needs to access them in a high-stress scenario can access them quickly? 

Michelle-Kim Cohen: Your question came up recently during a panel I was on that was organized by the Association of Corporate Counsel. It was interesting to see so many hands go up when the moderator asked how many kept their plans in a physical binder in their office. My advice is to store the most up-to-date procedures on whatever secure company system you use, so it is available from a mobile device.

Rose Ors: How do you measure the success of each scenario response in an actual crisis?

Michelle-Kim Cohen: The goal is not to execute everything flawlessly — that is an impossibility. The goal is to perform well enough where the principal objective of the response is achieved. So, if the aim during a cyberattack is to protect sensitive data from being stolen, the objective is met. Objectives range from business continuity to employee safety to regulatory compliance.

In an ongoing crisis — the pandemic is an apt example — our goals evolved as the state of the pandemic evolved and ranged from the speed we transitioned to remote work to the effectiveness of our communications with employees and customers.

Rose Ors: How key is leadership-level participation during the scenario planning process?

Michelle-Kim Cohen: C-Suite support is always essential to developing a culture that emphasizes risk intelligence and response preparedness. The leadership must also signal to the workforce that preparedness is a high priority by modeling the behavior they expect.

More insights