Protective Security & Resilience

Training & Simulation

A security programme, a crisis plan, or an ESG governance framework that has never been tested under realistic conditions is an untested assumption. Training and simulation programmes build the human capability that turns written plans into operational reality — through crisis tabletops, physical red teaming, staff awareness, and ESG governance training designed for the specific organisation and the specific challenge it faces.

Crisis management tabletop exercises

Physical security red teaming

Staff security awareness

ESG & sustainability awareness

Capability is built through rehearsal — not through planning

Most organisations have security plans. Most have crisis management procedures. Most have ESG governance frameworks. Far fewer have tested them — under realistic conditions, with the people who will actually be required to execute them, in the time pressure and information environment of an actual event. The gap between what the plan says and what an organisation can deliver under pressure is discovered, reliably, at the worst possible moment.

ARRC's training and simulation programmes are designed to close that gap — not by running generic awareness sessions, but by designing exercises that are specific to the organisation's actual threat profile, its operating environment, its decision-making structure, and the specific scenarios that its risk assessments identify as credible. The scenario is realistic. The pressure is real. The findings are actionable. And the capability that is built lasts beyond the exercise itself.

Programmes span both ARRC service lines — physical security and ESG — because the organisations we work with require both. A board that cannot govern its ESG programme under regulatory scrutiny has the same capability gap as a security team that cannot manage a physical security incident under operational pressure. Training addresses both.

The value of a training exercise is not what participants learn about the scenario. It is what they learn about their own decision-making, their organisation's procedures, and the gaps between the two — while there is still time to close them.

— ARRC Global, Advisory Practice

Four core programmes

Each programme is designed and delivered for the specific organisation — its sector, its risk profile, its people, and its objectives. None is a catalogue exercise applied generically.

Security & Resilience 🎯

Crisis Management Tabletop Exercises

Facilitated exercises that test the organisation's crisis management capability — its decision-making processes, communication protocols, escalation structures, and inter-agency coordination arrangements — under a realistic scenario designed around the organisation's actual threat profile and operating context.

Scenario design

Every scenario is built from the organisation's TVRA findings or risk assessment — not from a generic incident catalogue. The scenario is credible because it reflects the actual threats the organisation faces, in the environment it operates in.

What gets tested

Decision quality under time pressure and incomplete information. Communication between departments, levels, and external agencies. Escalation — when to involve senior leadership, regulators, emergency services, and the media. The assumptions in the crisis plan that have never been tested.

After-action debrief

A structured debrief immediately after the exercise — identifying what worked, what did not, the decisions that were made well and those that were not, and the specific plan amendments and capability investments that the exercise findings recommend.

Sector applications

Relevant for every sector — corporate headquarters, financial institutions, CNI operators, educational campuses, manufacturing facilities, and real estate developments. The scenario changes. The methodology is consistent.

Security & Resilience 🔍

Physical Security Red Teaming & Penetration Testing

An independent, adversarial assessment of the organisation's physical security — conducted by practitioners who approach the facility as an informed adversary would, without access to security system documentation, and with the objective of identifying what can actually be bypassed rather than what the design assumes cannot.

What is tested

Access control bypass. Tailgating through controlled entry points. Social engineering of reception and security staff. Guard response protocols. CCTV blind spot exploitation. Vehicle management vulnerabilities. Restricted area access. The full physical security stack — not just the technology layer.

Operational safety

All physical penetration testing is legally scoped, operationally bounded, and conducted with the knowledge of the commissioning senior leadership — ensuring that the exercise produces genuine findings without creating security incidents or operational disruption that the organisation has not authorised.

Insider threat simulation

For organisations where insider threat is a primary risk concern — CNI, financial institutions, data centres — red team exercises can include insider threat simulation: testing whether existing detection and monitoring arrangements identify insider activity before it results in a security event.

Findings report

A classified findings report — structured by severity and remediation urgency, with specific recommendations for access control reconfiguration, procedure changes, training interventions, and technology gaps identified during testing.

Security & Resilience 👥

Staff Security Awareness Programmes

Security awareness training designed for the specific organisation and workforce — covering the security obligations of different staff roles, the behaviours that most commonly create physical security vulnerabilities, and the reporting processes that allow staff to act as an active component of the security system rather than a passive one.

Programme design

Designed around the organisation's specific security architecture, its threat profile, and the roles and responsibilities of the workforce groups being trained. Not a generic corporate awareness session applied uniformly regardless of whether the recipient is a receptionist, a data centre engineer, or a factory floor supervisor.

Content coverage

Access control discipline and tailgating prevention. Visitor and contractor management responsibilities. Social engineering recognition. Suspicious behaviour and suspicious item reporting. Insider threat awareness. Role-specific security obligations. Emergency response responsibilities.

Executive security briefings

Dedicated briefings for senior executives — covering personal threat awareness, travel security protocols, digital and physical security behaviour, and the specific security considerations relevant to the individual's role, profile, and travel destinations. Delivered individually or in small groups, not as a generic corporate session.

Programme structure

Designed as a structured annual programme — induction, annual refresher, and role-change briefing — with assessment to measure comprehension and retention. Not a one-time session that produces a compliance record without a capability outcome.

Integrated Risk & Sustainability (ESG) 🌿

ESG & Sustainability Awareness Training

ESG governance training for boards and senior leadership, and sustainability awareness for the wider workforce — building the understanding and engagement that makes an ESG programme operational rather than documentary. An ESG strategy without an informed board to govern it and an engaged workforce to deliver it is a strategy that exists on paper alone.

Board ESG governance training

specialized training for board members and executive‑committee leaders on their Environmental, Social, and Governance responsibilities. This program is tailored specifically for directors who want to oversee an ESG strategy with confidence, credibility, and best‑in‑class governance practices.

Management ESG capability building

Structured ESG training for the management team responsible for delivering the ESG programme — covering materiality, target setting, data collection, supply chain ESG, and the connection between operational decisions and ESG performance. Bridges the gap between the board's ESG governance obligations and the operational teams who must meet them.

Workforce sustainability awareness

Sustainability awareness for the broader workforce — covering the organisation's ESG commitments, the role of individual behaviour in achieving them, and the environmental and social obligations that apply to specific operational roles. Designed to build genuine sustainability culture, not to produce a training completion record.

ESG crisis simulation

Tabletop exercises for leadership teams on ESG-related crisis scenarios — regulatory enforcement action, greenwashing allegation, supply chain incident with human rights implications, investor divestment following ESG disclosure failure. The scenarios that test whether the organisation's ESG governance holds under pressure rather than only under normal operating conditions.

Sector-specific applications

Every training and simulation programme is designed for the specific sector — because the scenarios, the stakeholders, the regulatory context, and the consequences of failure are different in each.

🖥️

Data Centres

Cascading failure tabletops, physical red team exercises across multi-tier access environments, insider threat simulation, and environmental emergency response training for operations teams.

View Data Centre page → 🏛️

Banking & Financial Institutions

Active threat response, BCM testing against regulatory continuity commitments, insider threat simulation across branch networks, ESG governance training for boards under TCFD and BRSR obligations.

View Banking page → 🏭

Manufacturing & Industrial

Emergency response exercises designed for shift-based operations, worker safety awareness in relevant languages and formats, management crisis tabletops covering environmental emergencies, and ESG governance training for senior management.

View Manufacturing page → ⚡

Critical National Infrastructure

Consequence management exercises, multi-agency simulation, insider threat awareness, and BCM testing calibrated to the interdependency risks and state-level threat actors that CNI operators face.

View CNI page → 🎓

Education Campuses

Lockdown drill design, evacuation procedure testing, age-appropriate student security awareness, safeguarding crisis simulation for leadership, and ESG sustainability literacy for staff and students.

View Education page → 🏢

Commercial Campuses & Corporate HQ

Crisis management tabletops for C-suite, executive security briefings, staff security awareness across complex multi-building environments, incident command simulation, and board ESG governance workshops.

View Commercial page →

How ARRC designs and delivers training programmes

Four stages — from understanding the organisation's specific context to the after-action findings that make the exercise investment worthwhile.

Understand the context

Before any exercise is designed, ARRC understands the organisation's threat profile, its operating environment, its existing plans and procedures, and the specific gaps or concerns that prompted the training request. The exercise design follows from the context — not from a pre-built module.

Design the scenario

The scenario is built specifically for the organisation — using its actual premises, its real governance structure, its actual regulatory environment, and the specific threat or ESG challenge that is most relevant. Participants engage with a scenario that feels real because it reflects their actual situation.

Facilitate with pressure

Exercises are facilitated in a way that introduces the time pressure, incomplete information, and escalating complexity of a real event — not conducted as a comfortable discussion of a hypothetical. The objective is to surface genuine gaps, not to demonstrate that the organisation has a plan.

After-action and follow-through

Every exercise concludes with a structured after-action debrief — identifying specific findings, specific recommendations, and specific follow-up actions. ARRC can support the implementation of exercise findings where the organisation requires continued advisory involvement.

Why ARRC for training & simulation

Three things that distinguish ARRC's training and simulation practice from generic awareness providers and consultant-facilitated workshops that produce a report without building a capability.

🎯

Designed for the organisation — not applied to it

Generic security awareness modules and off-the-shelf crisis simulation scenarios produce generic outcomes. ARRC designs every exercise from the specific context of the organisation — its threat profile, its sector, its governance structure, and the specific capability gaps that its risk assessments have identified. The exercise is recognisable to participants because it reflects their actual situation, which is the condition under which genuine learning occurs.

🔗

Security and ESG training from one practice

Organisations that require both security training and ESG governance capability building — which describes most of the organisations ARRC works with — benefit from a single practice that understands both dimensions and can design programmes that address both coherently. A board that needs to govern physical security risk and ESG compliance risk can receive both from one adviser who understands the organisation's full risk picture.

⚖️

Findings that lead somewhere

The value of a training exercise is not the exercise itself — it is what the organisation does differently because of what the exercise revealed. ARRC's after-action process produces specific, actionable findings. Where the organisation requires continued advisory support to implement them — whether through security design improvements, plan revisions, or ESG governance enhancements — ARRC can provide it. The exercise is the beginning of a capability improvement, not the end of an engagement.

Design a training or simulation programme

Whether you need a crisis management tabletop, a physical security red team exercise, a staff security awareness programme, or board ESG governance training — we will discuss your organisation's specific context and confirm what a programme would involve before any commitment is made.

Initial conversations are obligation-free. Senior practitioner involvement from the first call.

Start the Conversation View All Services