Crisis Management Tabletop Exercise: What Managers Must Know about this Indispensable Crisis Exercise Format
by Oliver S. Schmidt, President & CEO, C4CS®
Many managers believe that having a crisis management plan and designated crisis response team members is sufficient. However, to be as prepared as possible, conducting recurring crisis exercises is also critical.
A tabletop crisis exercise is essentially a role-playing activity that presents a group of training participants from one or more organizations with a set of exercise modules in a controlled environment. These modules include a written crisis scenario that simulates imminent risk within a specified time frame. The exercise participants are asked to analyze the situation, pose questions, and cultivate problem-solving skills that help generate solutions.
External consultants typically develop the tabletop exercise and function as objective, third-party exercise facilitators who help participants identify gaps and weaknesses in existing crisis response plans, procedures, tools, etc. In certain cases, for example in connection with Cybersecurity Maturity Model Certification (CMMC), the tabletop crisis exercise must be conducted by a qualified external provider. Once shortcomings in the existing crisis management setup have been identified, solutions that will enable more effective crisis readiness planning and crisis response should be developed and implemented following the exercise.
The realistic crisis scenarios utilized in tabletop exercises are always customized and vary widely depending on the organization, exercise objectives, and other factors. Exercise participants should know as little as possible about the chosen crisis scenarios prior to the training exercise. Optional exercise injects may, for instance, call upon participants to respond to fictitious but realistic regulatory agency inquiries, media interview requests, and other challenges that are built into each scenario. When creating a tabletop crisis exercise, it is also critical to evaluate impacted business areas, determine the corresponding time frame and geographical scope, and triage which risks should be addressed by the exercise participants.
While many vital crisis management lessons may be learned in the course of a tabletop crisis exercise, the goal of the training is not to immediately devise solutions to problems that are identified during the exercise. It is also important to remember that the tabletop crisis exercise is not a test and hence nobody will fail. Rather, it is an exercise designed to systematically identify improvement opportunities for existing crisis management plans, procedures, tools, etc. in a controlled learning environment. The goal is to optimize the managerial response (decision making), the operational response (operations related activities geared toward containing and controlling the crisis), and the communication response (communication with internal and external stakeholders including via social media).
Crisis management tabletop exercises should assess the existing crisis response setup for accuracy and completeness, build familiarity and consensus among exercise participants, recognize upstream and downstream dependencies, and ascertain existing communication capabilities. The participants will not know the answers to every problem – and that is precisely the point.
The use of challenging crisis scenarios is key to the success of tabletop crisis exercises. Crisis scenarios and exercise design must be tailored to fit the individual company’s needs no matter the industry, size, or location. For example, a company that has a high likelihood of falling victim to a data breach that may significantly impact business continuity should choose a customized IT and cyberattack crisis scenario for its next tabletop crisis exercise. A chemical manufacturer, however, may instead opt for a tabletop exercise scenario centered on an industrial accident which involves hazardous materials that are stored onsite.
Effective tabletop crisis exercises begin with an introductory component and a section that introduces the exercise scenario. After that, exercise facilitators share a list of facts along a specific timeline that are presented in the form of exercise modules. Questions based on actions that should be considered by the exercise participants are discussed at the end of each exercise module. The number of exercise modules depends on individual company needs. Tabletop crisis exercises conclude with a debrief and a discussion of what the exercise participants learned during the session and how urgently identified gaps should be addressed and translated into changes to existing procedures, responsibilities, tools, the overarching crisis management plan, and any sub-plans and related documents.
By utilizing the organization’s active crisis response plans and lessons learned from past crises, as well as other industry standards and procedures, consultants develop and conduct tabletop crisis exercises that focus on any crisis the company could face. This includes physical accidents, product recalls, financial fraud, active shooters, sexual harassment, fires and explosions, ransomware, natural disasters, and many more potential crises. In addition, consultants are tasked with the facilitation of crisis scenario selection, a process that requires senior management’s input concerning the impact and likelihood of various possible adversarial events that may damage reputation, stakeholder trust and the bottom line.
Following each crisis exercise, the external consultants provide an After Action Report detailing prioritized recommendations to enhance the overall crisis management setup and specific components of it. The report contains a retrospective analysis of the actions taken by participants during the exercise, identifies whether or not specific exercise objectives were met, and provides expert advice delineating which steps should be taken in order to meet specific crisis management, emergency management, disaster recovery, and business continuity planning goals.
Companies that are well prepared not only experience significantly fewer crises, but their employees also more effectively manage those that occur despite proper crisis prevention. With assets, customer relationships, employee information, reputation, stakeholder trust, and perhaps organizational survival at stake, it is imperative for any company to invest in recurring tabletop crisis exercises. Senior managers should remember the following advice from Aristotle: “For the things we have to learn before we can do them, we learn by doing them.” I regularly cite these words and tell members of the board of directors and management teams across industries that their endorsement of and participation in recurring tabletop crisis exercises are essential steps on the way to increasing crisis readiness and organizational resilience.
In partnership with Catalyst Connection, Pittsburgh-based C4CS® (https://c4cs.com) provides virtual and in-person tabletop and other crisis management exercises that are built around realistic scenarios including industrial accidents, cybersecurity incidents, employee and product crises, and more. Oliver S. Schmidt can be reached at firstname.lastname@example.org or via LinkedIn: https://www.linkedin.com/in/oliver-s-schmidt–c4cs