You ran a good tabletop. The right people were in the room. The scenario was sharp, the conversation was honest, and the after-action report named real gaps. People left saying it was the most useful day they'd spent on preparedness all year.
Six months later, almost none of it exists.
The AAR is a PDF in a shared drive. The improvement items got half-tracked in a spreadsheet, then overtaken by the next emergency. The person who understood the hospital surge dependency took a new job. The next exercise will start, more or less, from a blank page — re-litigating questions you already answered, re-discovering gaps you already found.
This isn't a failure of effort. It's the most common pattern in emergency management, business continuity, and crisis work, and the people running these programs are not lazy or unskilled. They're some of the most capable operators in any field. The problem isn't the practitioners. It's the process they're forced to work inside — a process that is designed to throw away most of what they know.
Preparedness is a matching problem
There's a useful idea from cybernetics that explains why this happens, and it's worth the two minutes it takes to understand.
In 1956, the British cyberneticist W. Ross Ashby formulated what became known as the Law of Requisite Variety: a system can stay in control of its environment only if its internal variety is at least as large as the variety of the disturbances coming at it. In his phrasing, only variety can absorb variety.
"Variety" here doesn't mean assortment. It means the number of meaningfully different situations a system can actually tell apart and respond to — its real repertoire of distinct, usable responses.
Apply that to preparedness and the whole field comes into focus. A threat environment has enormous variety: a near-infinite number of ways things can go wrong, compounding and recombining, throwing up novel situations no one scripted. Your response system's variety is how many of those you can actually recognize and act on. Preparedness is the match between the two.
Ashby's Law says something uncomfortable about that match. When the threat environment generates vast, compounding, novel variety, and the response apparatus is thin, static, and built around a handful of canned plans, the gap isn't bad luck. It's failure by definition. The controller is simply outmatched by what it's trying to control.
So the real question for any preparedness program isn't "do we have a plan?" It's "does our repertoire of responses come anywhere close to the variety of what could actually happen to us?" For most organizations, honestly answered, the answer is no — and not because they haven't worked hard at it.
The process is lossy by design
Here's the part that reframes everything.
The way preparedness usually gets done isn't just under-resourced. It actively destroys variety. It takes a high-resolution operating reality — varied, local, full of edge cases and weak signals — and runs it through a process whose real output is a compliance artifact: the plan, the AAR, the signed exercise documentation.
To produce that artifact on time, on template, and on budget, the process has to compress. Hard. Distinct hazards collapse into generic categories. Local nuance becomes boilerplate. Edge cases and weak signals — exactly the things that matter most when something novel hits — get deleted, because they don't fit the form. What comes out the other end is thin, generic, and frozen the moment it's filed.
The receipt becomes the product. And the variety that is preparedness gets destroyed on the way to the filing cabinet.
It's worth sitting with how backwards this is. Practitioners don't lack variety — they carry an enormous amount of it in their heads, their relationships, and their judgment. The process strips it out. We've built an entire discipline around manufacturing certificates that preparedness happened, and in doing so we routinely throw away the thing that would have made us prepared.
"Faster documents" makes it worse, not better
This is also why a lot of the new AI tooling in our space is solving the wrong problem.
Most of it is, at bottom, a faster way to generate documents. Point it at a prompt and it produces a plausible plan, a plausible exercise, a plausible AAR. That feels like progress because the painful part of the old process — the blank page, the hours of drafting — gets faster.
But look at what it's actually accelerating. It's the compression step. It's the receipt factory, running quicker. More documents, produced faster, frozen just as solid the moment they're done. A confident, plausible-sounding document with no model of your actual reality underneath it isn't requisite variety. It's the same lossy output with a shorter turnaround.
Speeding up the thing that was destroying variety doesn't close the gap. It widens it.
What actually closes the gap
The fix isn't more content. It's raising your response variety so it comes closer to matching your real threat environment — and, critically, keeping that variety alive instead of compressing it away after every cycle.
Concretely, that means a few things working together:
Preparedness that compounds rather than resets. Every exercise, plan, decision, and finding should make the next one sharper — not vanish into a drive. A tabletop you run shouldn't be an event you certify and forget; it should be a deposit into a system that remembers. The variety you generated this quarter should still be there, and usable, next quarter.
Grounding in real doctrine and live conditions. Response variety is only useful if it's true. That means answers anchored in actual federal doctrine and live hazard data — with citations and an audit trail — not a model guessing confidently in a setting where being wrong has consequences.
An information architecture that matches the complexity it's facing. One connected system that can see across your exercises, plans, intelligence, and stakeholders — and model how a failure in one place cascades into another, the way an energy outage cascades into hospital staffing, or a water failure into a public-health surge. Single-vertical, single-document tools structurally can't see those cascades. The real world doesn't respect those boundaries, so a system meant to match it can't either.
This is the conviction Preppr is built on. Not "more content, faster" — that's just faster receipts. The goal is to give practitioners enough usable, grounded, connected response variety to actually meet the environment they operate in, and to make sure that variety accumulates instead of evaporating after every cycle.
Only variety absorbs variety. The job is to raise the line.
The test worth applying
You don't need a product to ask the question that matters. Ask it of whatever you're using now:
When this exercise/analysis/threat assessment is over, will we be measurably better when we do the next one — or will we be starting over?
If the honest answer is "starting over," it doesn't mean your team failed. It means the process did exactly what it was designed to do: produce a receipt, and let the variety walk out the door.
The opportunity in front of our entire field is to stop confusing the certificate with the capability. Preparedness shouldn't reset to zero. It should compound.
