Special thanks to Tandem Partner, Boost Consulting, for their contributions to this article. Boost Consulting specializes in providing information security and compliance services to financial institutions, which includes helping facilitate tabletop exercises. Learn more about how Boost can help you at CoNetrix.com/Security/Compliance-Consulting.
Tabletop exercises are often labeled as pain points and are seen as just another "to do" item on the compliance checklist. Yet, a tabletop exercise can be a huge value-add to your organization's resilience, if done well. According to the FFIEC's Business Continuity Management booklet:
"A tabletop exercise (sometimes referred to as a walk-through) is a discussion during which personnel review their BCP-defined roles and discuss their responses during an adverse event simulation."
In short: A tabletop exercise is one way to ensure your plans are ready and effective. This article will give you six simple steps for conducting an effective tabletop exercise.
So, let's take it from the top. The table-top.
Step 1: Pick a Relevant Scenario
When most people think about tabletop scenarios, they think about picking a threat (e.g., a fire, a phishing email, a ransomware attack, a geopolitical event, etc.). Picking a threat is a good start, but it's an incomplete picture on its own.
Just like in the game of Clue, you don't win by saying, "It was Colonel Mustard!" You have to determine it was Colonel Mustard in the Conservatory with the Candlestick. In the case of a tabletop scenario, instead of a person, place, and weapon, you need a threat, a current event, and a business process.
If you need help thinking of current events, look no further than the front page of the news for dangerous storms, cyber-attacks, and other bizarre derailments.
With a relevant and robust scenario, your team will be ready to imagine, "What would we do if that happened to us?"
Step 2: Create a Guest List
There are a lot of people you could invite to a tabletop exercise. The question is: Who should you invite?
Research shows the most productive meetings contain five to eight people. Any fewer and you might miss key information. Any more and you run the risk of participants disengaging.
So, who gets a seat at this table? After considering the usual suspects (e.g., cybersecurity, IT, risk management, operations, etc.), think about other stakeholders.
- Affected departments if the scenario affected a specific business unit or system.
- Vendor management if the scenario involved or originated from a third party.
- Human resources if the scenario could involve a situation with a volatile employee.
- Marketing if the scenario involved negative comments on social media.
- Customer service if the scenario's impact could extend to customers.
- Senior management if the scenario involved the need to make a public statement.
And that's just people inside the business. There are relevant people outside the business, too.
- Board members who might benefit from a first-hand cybersecurity training experience.
- Managed service providers who have the most experience with your systems and technologies.
- Insurance breach coaches who want to be your first phone call when you have an incident.
- Law enforcement (e.g., FBI, U.S. Secret Service, etc.) who could contribute expert knowledge.
- Emergency responders (e.g., local fire departments) who could be literally putting out your fire.
- Consultants who can bring external and peer perspectives to the table.
You can't invite all the people, but you can invite the most relevant people to generate the most relevant discussion.
Tip: Invite a note-taker. A recording is great, but a well-written summary is better. This gives you quicker access to key discussion points, action items, and unanswered questions.
Step 3: Put it on the Calendar
Schedule the exercise for one to two hours, max. Any shorter and you're likely not to get deep enough. Any longer and people might disengage.
Step 4: Be a Great Host
If hosting events is not a skillset you've focused on at this point in your career, here are a few tips for making your tabletop exercises engaging and effective.
- Set the table. Set out some notebooks, writing utensils, and maybe even some refreshments (e.g., coffee, candy, healthy snacks, etc.). Think about your audience and what kind of environment would make them feel welcome and prepare their minds for engagement.
- Use friendly words. When describing your tabletop, use words like "discussion" and "activity." Don't call it a tabletop "test." Tests are evil. Nobody likes tests. People engage in activities and disengage in tests.
- Encourage discussion and bring the chaos. Saying, "We had a fire. What do we do?" is not helpful for creating discussion. Don't be afraid to introduce a bit of orchestrated chaos into your tabletop exercise. For example, in a fire scenario you could ask:
  - What happens if the fire occurred in a different place (e.g., server room vs. back office)?
  - What happens if the fire started at midnight instead of noon?
  - What happens if a key employee did not report to the evacuation location?
  - What happens if the fire inspector finds a suspicious device, and it's now an arson case?
  - What happens if the device was next to the wire and ACH workstations?
  - What happens if you have a customer show up who needs to get something out of her safe deposit box while the building is inaccessible?
  - What happens if Ryan started the fire?
In short, create an environment that welcomes participation and ignites exploration.
Step 5: Expect the Unexpected
The FFIEC Business Continuity Management booklet says:
"Features of a tabletop exercise may include the following: […]
- Role playing with simulated responses, critical steps, recognizing difficulties, and resolving problems.
- Clarifying critical plan elements, as well as problems noted during exercises.
- Creating action plans to correct issues."
In other words, if you're doing it right, there will be issues that come up. Through the exercise process, you will find errors and imperfect results in your plans. Finding blind spots is the purpose of the process. It's how you make the plan better. Poke and prod, not at your people, but at your plan. Every error or imperfect result is an opportunity for lessons learned and action items.
Step 6: Write it Down
Document everything, from A to Z. From your guest list to your scenario. From your discussion points to your action items. From the easy answers to the tough questions. And maybe a selfie of everyone in the room for your marketing team to share with the world.
Make memories and write it all down so you don't forget anything, and, most importantly, so you can update your plan.
Let Tandem Help
To be even more effective in your tabletop exercises, use an exercise and test tracking software to help.
Check out Tandem Business Continuity Plan and Tandem Incident Management. With Tandem, you can schedule exercises in advance, get notifications about the event and follow-up action items, use scenarios to conduct the exercise, and export presentation-ready documents for your auditors and examiners.
See how Tandem can help you conduct effective tabletop exercises at Tandem.App.
Want to learn more about tabletop exercises? Check out our article: BCP & IRP Exercises & Tests: Frequently Asked Questions.