Conducting impactful tabletops to train and develop your business resiliency.
Throughout the process of maturing your business continuity or governance and compliance environment, you have likely encountered the need for conducting an annual or quarterly preparedness exercise, commonly referred to as a “tabletop exercise”.
You may also be encountering or being instructed to implement tabletops now that we are entering into the global Business Continuity Awareness Week (BCAW), an annual global event that is facilitated by the Business Continuity Institute (BCI).
In addition to their relevance to building business resiliency, these exercises are required for compliance with numerous standards, including ISO 27001/22301, GDPR, and SOC 2 – just to name a few. While the focus of each tabletop may change, the format and desired outcome are largely the same, which will be discussed below.
Why Are Tabletop Exercises Important?
Tabletop exercises are required for adherence to many standards, but more importantly, they are used to verify, validate, and enumerate response processes and procedures in place within an organization.
The scope of these validation tests spans many disciplines to include Business Continuity, Disaster Recovery, and Security Incident Response. The process of conducting tabletops provides an opportunity for all relevant personnel to become proficient in responding to the many different types of incidents faced by organizations.
In cases where an organization may have a new or immature response environment, conducting these exercises is used to uncover inconsistencies in their response posture such as training gaps, lack of fully realized procedures, technological shortcomings, and possible governance oversights.
By encountering these gaps ahead of a realized incident, the organization can develop a comprehensive remediation plan and ensure they are prepared for incidents of all types.
3 Steps to Optimize a Tabletop Exercise
The following steps are used to ensure the organization receives the greatest possible value from the time and resources spent on planning, executing, and learning from tabletops.
1) Design and Plan
When planning a tabletop exercise, you must first begin with the desired outcome in mind and work backward to ensure all objectives are met. Here are a few things to consider when preparing to meet all objectives:
- What are your objectives? What is the organization preparing for?
  - Is your objective to achieve annual compliance, or is the intent to further the organization’s maturity on a measurable basis? There are many types of incidents an organization could conduct tabletops in preparation for, such as Disaster Recovery, Security Incident Response, and Business Continuity incidents. The type of incident will heavily influence which personnel should attend and what types of scenarios will be covered.
- Who will be in attendance?
  - For a tabletop to be effective, it is important to ensure that key decision-makers are involved. Personnel can include, but are not limited to, organizational operations personnel, first responders (both internal reaction teams and local emergency first responders), and, in certain circumstances, high-risk vendors that are heavily leveraged for business processes. In some situations, it may also be pertinent to include high-level executives for the strategic direction of incident response governance.
- What scenarios should be covered?
  - Having applicable and appropriate scenarios that facilitate learning and discussion within your tabletop is the most important aspect of design. Using a risk-based approach, design scenarios that meet your objectives and align with the incidents the organization is most likely to encounter. Within the scenarios you create, add unique and interesting injects to keep the discussion moving. An example of such an inject is a faulty generator that does not provide the expected level of redundant power during a power outage.
2) Execute
The execution of the tabletop is the most crucial step of the whole process.
This is when members of various response teams get the most training, interaction, and insight into the organization’s incident response program. The format of the tabletop is largely up to the facilitator. However, the general flow of the exercise will likely follow the below approach:
When executing a tabletop, here are a few things to remember:
- Ensure the environment is suitable for discussion.
  - The goal of the tabletop is to generate discussion and plan ways to respond to incidents, and the environment should be configured to promote that behavior. Keep in mind that while a PowerPoint presentation in a classroom setting might work well for presenting new material, it may not be the best choice for spurring interpersonal communication. A good solution is a circular or elongated conference room table. If that is not an option, try placing chairs in a large circle, or in a series of smaller groups for small-team discussions.
- Use injects and open-ended questions to uncover overlooked details.
  - Encourage dialogue throughout the presented scenario in a manner that spurs discussion and promotes teamwork. The conversation should be directed towards a solution that falls within the scope of the previously identified objectives. When the team has arrived at an appropriate response to the scenario, use the prepared injects to escalate the scenario and drive deeper discussion.
  - Findings from this process are highly valuable, as many of the processes discussed and limitations highlighted will not have been previously disclosed or conceived. They should be carefully noted for use in the After-Action Report and Remediation Roadmap. For this reason, one or more team members should be assigned to act as scribes to ensure that all pertinent discussion points are captured.
3) Learn
All the time spent carefully planning and executing your effective tabletop doesn’t just add value to the team directly during the exercise. Throughout the process, you have learned numerous lessons regarding gaps in processes, limitations in capacity or response procedures, and possibly even efficiencies that could be implemented throughout the organization to increase productivity. Now that the tabletop has concluded, it is time to consolidate those findings and generate the following items:
- An After-Action Report
  - The After-Action Report, or AAR, is used to reflect on the performance and effectiveness of the tabletop and to communicate the results. The AAR should contain the following at a minimum:
    - Date of the tabletop.
    - Facilitator and other team members in attendance and their respective roles.
    - The objective of the tabletop and whether that objective was reached. If it was not reached, include a detailed explanation of why.
    - Both the strongest parts of the tabletop and the areas that require further work. Highlight the areas in which you would like to improve.
    - An examination of how effectively the existing policies and procedures aided in responding to the scenarios. If they were not effective, describe how they will need to be improved and consolidate those findings into a concise Gap Assessment that will be used to generate the Remediation Roadmap.
- Remediation Roadmap
  - A detailed Remediation Roadmap documents the gaps in organizational preparedness that came to light during the tabletop exercise. The Remediation Roadmap should use S.M.A.R.T. goals to ensure that those assigned to remediate identified gaps follow steps that are actionable and measurable. An effective Remediation Roadmap should contain the following at a minimum, but may be adjusted to best fit the organization:
    - A list of all identified gaps.
    - An assigned owner for each gap. Without a responsible owner, the gap is not addressed and will still be present during the next tabletop or actual incident.
    - Recommendations for resolving each gap.
    - A gap remediation timeline with preplanned check-in points and due dates, using the project planning method of your choice. Common methods include Gantt charts, project management timelines, or sprint timelines.
Showtime!
Now that you know the basics of planning, executing, and learning from the various types of tabletops it is time to begin conducting one of your own. If you feel as though your team may require further guidance, please reach out to our team here for more information. We’ll provide the guidance necessary to develop a robust response posture that your team can be confident in.