How to Handle the "What Would You Do If..." Interview Without Guessing
"It's Friday at 5pm." Caroline Webb's voice is calm, steady, almost gentle. "You discover that a software update deployed this morning may have exposed patient data for 6 hours. Your CEO is on a flight and unreachable. What do you do?" The room is quiet. This is not a trick question. It's a filter. Caroline has managed real data breaches, real regulatory audits, real crises. She has watched smart people make terrible decisions under pressure because they react instead of think. She doesn't want to know what you would do. She wants to know how you would decide. And then she's going to make it harder: "Now the engineering lead says they're 'not sure' if data was actually exposed — it might just be a logging error. Do you still notify regulators?" Your answer to this follow-up is the interview.
Why This Conversation Goes Wrong
You jump to action without gathering information. "I would immediately notify regulators and issue a press statement." Caroline: "Based on what? You don't even know if data was exposed yet." Acting before understanding is reactive, not decisive. The best crisis managers gather facts first — even if it takes 30 minutes — because the wrong action is worse than a delayed right one.
You consider only one stakeholder. "We need to protect the patients." Yes — and also the employees, the regulators, the board, the customers, and the company's viability. Single-stakeholder thinking in a crisis leads to solutions that solve one problem and create three others.
You avoid the ethical dimension. Caroline's third scenario involves a client asking you to delay a compliance report. If you discuss logistics without addressing ethics — "Let me check the regulatory timeline" — you've missed the point. The question is not whether you CAN delay. It's whether you SHOULD.
You present certainty where uncertainty exists. "The right thing to do is clearly..." Nothing in a crisis is clear. If it were, you wouldn't need judgment. Caroline rewards candidates who say "There are competing priorities here, and here's how I'd weigh them" over those who present false confidence.
The Stakeholder Sweep
In a situational crisis interview, the winning answer is never the action — it's the process. The Stakeholder Sweep forces you to map every affected party, assess the impact on each, and then decide. Caroline isn't looking for the right answer. She's looking for the right way to think about the problem.
Ask before acting
"Before I decide anything, I need to understand the scope. Who discovered the exposure? What data was potentially affected — PII, PHI, financial? Has the vulnerability been closed? Is the engineering team investigating?" These questions aren't stalling. They're the difference between a measured response and a panicked one. Caroline will nod because this is exactly what good crisis managers do first.
Map the stakeholders and their stakes
"The affected parties are: patients whose data may be exposed (safety and privacy), regulators who require notification within specific timelines (compliance), the engineering team who deployed the update (accountability without blame), the board who needs to be informed (governance), and the broader customer base (trust). Each group needs different information at different times." Enumerating stakeholders shows systemic thinking. Caroline is checking your peripheral vision.
Address the uncertainty honestly
"The engineering lead says 'not sure' — that's not the same as 'no.' In healthcare data, I would treat 'not sure' as 'assume yes' for regulatory purposes and 'investigate further' for communications. I'd rather over-notify than under-notify. The cost of a false alarm is embarrassment. The cost of a missed breach is regulatory action and patient harm."
Separate the decision from the action
"My decision: we begin the regulatory notification process now while investigation continues in parallel. We don't wait for certainty to start the clock. My reasoning: HIPAA requires notification within 60 days, but starting the process early gives us room. If the investigation confirms it was a logging error, we can close the notification. If it confirms exposure, we're already ahead of the timeline."
Name the second-order consequences
"If I'm wrong and it was a false alarm, we'll have spent resources on an unnecessary investigation and notification. If I'm right and we waited, we face regulatory penalties, loss of patient trust, and potential litigation. The asymmetry of consequences makes the decision clear — the cost of acting on a false positive is far lower than the cost of failing to act on a real breach."
The moment that changes everything
Caroline doesn't want the right answer. She wants to see you think through the wrong ones first.
The hidden scoring rubric in Caroline's interview is consequence thinking. She presents escalating scenarios because she wants to see how deep your reasoning goes. The first-level answer is "notify regulators." The second-level answer considers "but what if the data wasn't actually exposed?" The third level asks "what's the cost of being wrong in each direction?" The fourth level considers "who else is affected and what do they need?" Most candidates stop at level one or two. The ones who get hired think through level four without being prompted. Caroline has managed real crises at healthcare tech companies. She knows that the people who perform best in actual emergencies are not the ones who act fastest — they're the ones who take 10 minutes to map the landscape and then act decisively. Speed without direction is panic. Direction without speed is analysis paralysis. The sweet spot is what Caroline calls "calibrated urgency."
What to Say (and What Not To)
Instead of: "I would immediately notify regulators."
Try this: "Before I act — what do we know? What data was affected? Has the vulnerability been closed?"
Instead of: "We need to protect the patients."
Try this: "Patients, regulators, the engineering team, the board, and customers all need different things here."
Instead of: "I'm sure this is the right call."
Try this: "The cost of acting on a false alarm is far lower than the cost of missing a real breach."
Instead of: "We should delay until we know for sure."
Try this: "I'd treat 'not sure' as 'assume yes' for compliance and 'investigate further' for communications."
Instead of: "The engineering team is at fault."
Try this: "Right now we need investigation, not blame. Accountability comes after the crisis is contained."
The Bigger Picture
A 2024 study by the Ponemon Institute found that organizations that had a practiced incident response plan contained data breaches 74 days faster and saved an average of $2.66M compared to those that improvised. The plan doesn't prevent the breach — it prevents the panic that makes it worse. Caroline's interview is designed to identify candidates who would build that plan, not just follow it.
In healthcare technology, where HIPAA and patient trust are the operating constraints, the bias should always be toward disclosure. A 2023 HHS analysis found that organizations that self-reported potential breaches within 48 hours received 60% lower penalties than those that delayed, even when the delayed organizations had smaller actual exposures. The regulatory system rewards transparency. It punishes concealment.
Here's the ethical dimension that separates managers from leaders: Caroline's third scenario — a client asking to delay a compliance report — has no complexity in the ethics. It's clearly wrong to delay. The complexity is in the execution: how do you say no to a major client without damaging the relationship? The leaders who navigate this well don't lecture about ethics. They say "I understand the pressure you're under, and here's what I can do to help. What I can't do is delay the report." Principled AND pragmatic.
Practice This Conversation
Reading about this is step one. Practicing it changes everything. Sonitura lets you rehearse this exact conversation with Caroline Webb, a realistic AI SVP of operations at a healthcare tech company who reacts to your words in real time. It takes 15 minutes. The next time someone asks "What would you do if..." — you'll show them how you think, not just what you'd do.