Planning an Effective Tabletop Exercise
Most organizations with mature business continuity capabilities have a purpose-driven exercise program that tests recovery solutions ranging from individual recovery strategies to detailed recovery plans. Mature business continuity programs include testing of all continuity plans at least annually, depending on the budget. Requirements for these exercises can range from simulations to walkthroughs. Sometimes it’s hard to get the program budget or participation for more elaborate exercises. In those cases, a tabletop exercise is usually one of the most cost-effective and practical options for both mature and new business continuity programs. It is easier to sell to executives and business responders. However, an effective tabletop exercise requires planning and fluid facilitation by the business continuity management (BCM) practitioner. This article dives into the tactical aspects of conducting an effective tabletop exercise for practitioners who are looking for a balance between effectiveness, budget, and business participation.
The evolving nature of threats calls for continuing maintenance of a BCM program. As a practitioner, you might be updating your governance documentation, program structure, and continuity plans in response to both external and internal factors. Maintenance and updates ensure the BCM program is effective and operational. One of the important maintenance projects is to make sure your continuity plans are exercised and tested. Common ways to do that include plan walkthroughs, tabletop exercises, and functional tests. Some of these exercises are explained below:
Depending on your organization’s requirements and program maturity, you can select the appropriate exercise type. A tabletop exercise is one way of testing business recovery without real-time activation and is a good balance between a plan walkthrough and a functional exercise. These exercises require less planning than a functional exercise and are more complex than a simple plan walkthrough.
Tabletop exercise scenarios could be designed to exercise response to the most likely organizational threat. For example, if you have an office site in a natural disaster-prone region such as a seismic zone, you might want to exercise your continuity plans using an earthquake scenario.
Tabletop Exercise Planning
Planning a tabletop exercise is one of the initial and important steps. BCM practitioners should work closely with the business participants to define the scope and objective of the exercise and understand what is critical for the business and how it aligns with the organization’s strategic business priorities. Business participants and leadership should be engaged in the planning process early on.
Things to consider when scoping a tabletop exercise:
Which recovery plan or procedures would businesses deem critical and want to prioritize for the exercise?
A business function or group usually manages several processes, but not every process might be business critical or needs to be recovered within the same time objective. It is a good practice to review the criticality of a process and identify if it is a mission-critical activity. Business impact analysis (BIA) data can be utilized to evaluate the criticality of various business processes. BIA data should be reviewed and refreshed (if needed) before utilizing it for priority assessment.
Do these plans have a critical dependency on the execution of other plans?
As most business activities are interdependent, it is important to review both the upstream and downstream dependencies for the business processes or recovery plans in scope. If there is a critical dependency on the execution of other processes or plans, you could consider either including the dependency plan as part of the exercise or stating clear assumptions during the exercise under which these dependencies are available. For example, if we are discussing business recovery but it is dependent on disaster recovery (DR) of critical business applications, you can either include the DR team representative or state an assumption that the application will be recovered within a given recovery time objective (RTO).
Who needs to participate or be available for the exercise?
As these tabletop exercises can require a significant time commitment from the business (depending on the objective and scope of the exercise), BCM practitioners should determine the players and block their calendars in advance so they get enough time to plan. Also, players’ roles and responsibilities should be communicated in advance of the actual scenario facilitation. In addition to communicating the responsibilities, practitioners should identify a backup contact for each player. Ideally, backup contacts should also participate in the scenario in order to test the redundancy from a people perspective. For example, if the primary contact is not available, does the backup understand the roles and responsibilities and feel confident in executing the recovery procedures and plans in scope?
Players in the Tabletop Exercise
As you further plan for the tabletop exercises for different business functions, it is important to understand who will be participating and what roles they will be playing.
Four main types of participants for a tabletop exercise:
Depending on the scope and objective of the exercise, external stakeholders such as the fire department, regional emergency teams, and vendors can also be included in the exercise. Players’ roles and responsibilities should be clearly communicated during the planning phase of the exercise.
Once the participants are identified for the exercise, the next step is to work on the logistics for conducting the exercise which should be identified and planned for in advance. Some of the common exercise logistics are listed below:
- War Room: These exercises should replicate or be conducted in a real war room, which might be identified as part of your recovery plans. The response war room should be equipped with proper telecommunication, video conferencing, high-level instructions, and whiteboards.
- Commute: If the war room is in a remote location or situated at a different site, the same should be communicated to the participants so they can plan to be there before time. If needed, driving instructions and other information should be provided in advance of the exercise.
- Remote Participation: If for some reason participants are unable to attend the exercise in person, the BCM practitioner should make sure the war room is equipped with proper devices for video conferencing and at the very least should have a telecommunication port. It is advisable that key people participate in person. Other backup contacts could dial in remotely.
Defining Key Themes for the Exercise
Key themes help in providing structure to a tabletop exercise. Some examples of key themes are listed below:
Building a Scenario
Building a tabletop scenario is easy if you have a clear scope and key themes defined for the exercise. Things to consider when building a scenario:
- The scenario should enable the audience to test recovery points in scope and touch key themes
- Add injects in your scenario – introduce additional information that would nudge the participants to think about dependencies
- Keep it simple
Exercise Facilitation Guide
As a BCM practitioner, you will more often than not be facilitating the tabletop exercise and reporting on the results.
- Have a clear timeline for the exercise. Allocate time for scenario run, break, and debrief.
- Prevent rabbit holes – guide the exercise audience not to read too much into the scenario but focus on the response.
- Make the exercise objective clear – these exercises are sometimes misconstrued as an audit.
- Ask someone to assist you in notetaking or if possible, record the session.
- Encourage everyone to participate and contribute to the response.
- Debrief after the scenario to identify improvement opportunities and update plans if needed.
Sample Tabletop Scenario
A tabletop scenario could range from natural disruption to cyberattack and would depend on which plan you would want to exercise. Sample scenarios to exercise your plans:
Tabletop Exercise Scenario Example
Sample Scenario: Earthquake
Scenario Time: Listing the day and time enables the business to determine whether it is a peak time for the process, so the response can be customized accordingly.
Tip: Capture peak time information in the recovery plans. BIA is a good time to discuss business process peak time requirements with the business.
Scenario Overview: The overview should provide enough detail on how the disruption is unfolding without giving a lot of technical details about the scenario.
Tip: Scenarios should not be too detailed, in order to prevent rabbit holes.
Inject: Additional information that gives participants impact information or a precursor about what needs to be focused on. Injects help with taking actions that meet the exercise objective.
Tip: Injects should be aligned with the objective of the exercise.
Facilitator Card: facilitators could print question key cards in advance. These key cards help in driving the conversations and cover the key themes of the exercise.
Case Study: Hurricane Tabletop Exercise, May 2019
A software company has a critical office site in Orlando, Fla., which often gets impacted during the Atlantic hurricane season. In order to prepare for the storm season – from June to October – the company’s BCM program office started planning for the season in March, working closely with the business on updating continuity plans and planning for the tabletop exercise before the hurricane season began.
March: Exercise Planning
During the planning session with the business, the BCM program office identified the following:
- Key stakeholders/teams who need to participate in the exercise
- Scope and objective of the exercise
- Location of the exercise – remote location documented as a crisis command center in the continuity plans
- Dependent plans and teams which need to be included in the exercise
- Dependencies which need to be covered
- Assumptions for the exercise
- Mode of communication
Once the key stakeholders, objectives, and location for the exercise were discussed and vetted with the business, the BCM program office sent out a “save the date” invite to key stakeholders. The exercise invite was sent out in the second week of March and included the following:
- Brief business continuity program overview
- Tabletop exercise description, objective, and scope
- Responsibilities and role of the attendee
- Location of the exercise and driving directions
- Documents they need to review before the exercise
- Dial-in information if the attendee is going to be remote
- Backup contact if the attendee is unable to join the exercise
By the end of March, the BCM program office received responses from all attendees. In some cases, the program office had to follow up with the teams proactively.
After saving the date for the exercise, the BCM program office worked on reserving the command center location for the day of the exercise and acquiring the artifacts (whiteboards, notepads, markers, etc.) which might be required for the facilitation of the exercise.
April: Facilitation Deck
After saving the exercise date and getting the confirmation from attendees, the BCM program office started working on the facilitation deck which included the following:
May: Exercise Facilitation
The exercise was conducted in the first week of May.
- Discussed recovery and response procedure for a Category 5 hurricane that might hypothetically hit the site
- Response procedure initiated by activating the CMT, which activated the emergency response for the site (once personnel safety was ensured by the CMT and emergency response team/ business response was initiated)
- The business worked with different global teams to ensure the work is covered if the Orlando site is unavailable
- Debriefed with different teams
Exercise Facilitation Scenario: Before the Hurricane
Time Update After 24 hours: During the Hurricane
Time Update After 24 hours: After the Hurricane
Lessons Learned from Hurricane Exercise
- Exercise helped in bringing different response teams to the same table
- It was hard for remote teams in EMEA and APAC to participate during the U.S. hours (future regional teams will be traveling to Orlando location for exercise participation)
- There were some communication gaps between the response teams and business recovery teams
- Some of the equipment in the war room was not functioning, which was reported under action items
- Emergency response system was not updated with the leadership contact
- Site closure procedure and site lead were clearly identified during the exercise
- Backups for office managers were not prepared for the recovery responsibilities
- Recording the exercise using telecommunication software was helpful for later references
- Having coffee and refreshments in the war room helped with breaks
The BCM program office documented the learnings, gaps, and action items in the tabletop exercise report and socialized it with the participants. The BCM PO worked with the business functions and other teams on addressing the gaps before the hurricane season.
Action items and gaps were addressed by the end of May, and business owners provided a final sign-off on updated continuity documents before the hurricane season began.
Continuity response was activated multiple times in the hurricane season not only for higher category storms but also for tropical depressions which are usually accompanied by high-speed winds and heavy rainfall. The response team could easily rely on the updated continuity documents and muscle memory which was built as part of the hurricane response exercise conducted in May.
Tabletop exercises should be conducted periodically. For an effective tabletop exercise, scenarios that address threats with higher likelihood and probability should be exercised more often. Regular BCM program exercises, not limited to tabletops, help in building a more effective and actionable BCM program.