A popular phrase in the industry these days is tabletop exercises. A tabletop exercise is a simulation of a crisis situation in a stress-free environment with a focus on training and familiarization with roles and responsibilities. Auditors and examiners are looking for credit unions to produce proof of testing their Incident Response Plan or Business Continuity Plan, and a tabletop exercise is a great way to accomplish that. It also helps to prepare your credit union to keep operations up and running during a business interruption.
A huge benefit of a tabletop exercise is that you can go through a disaster situation without the actual chaos of the event. Tabletop exercises also help to identify weaknesses and errors in existing policies, plans, and procedures (including capabilities) that guide response and recovery processes. This article will identify components of a standard tabletop exercise and discuss strategies to make yours successful.
Planning the exercise
Participants should include people or departments (both internal and external) that are likely to respond to or be heavily influenced by the scenario, as well as those who may learn from or contribute to the planned discussion topics. If that group would be too large for this type of exercise, you may want to divide it into teams by function or role (consider group dynamics).
The facilitator is responsible for communicating the ground rules and tone, leading and moderating the discussion, helping to answer participant questions, and resolving problems. When selecting a facilitator, look for someone who is well organized, is knowledgeable about the topic of the exercise, and has good interpersonal skills. The facilitator does not participate in the exercise, so it might be beneficial to look outside your organization.
The facilitator will organize the message and will encourage and elicit (but not provide) solutions. They will keep the discussion flowing and focus on how critical tasks would be performed as the event unfolds. They will ask questions that prompt participants to think about the situation from all angles, and will inject roadblocks or additional information at different stages of the exercise.
A large conference room or briefing facility is an ideal environment. Ensure that all participants can easily see each other, the facilitator, and the viewing screen by seating people at a large conference table, in a circle, or in a U-shaped configuration with the facilitator and screen at the front. A virtual session is an option as well.
Set the ground rules
To get the greatest value out of the exercise, everyone should treat it as real. Outside interruptions, such as phones, tablets, laptops, etc., should not be permitted. Everyone is encouraged to contribute. There are no right or wrong answers; this is an exercise, not a test. The goal of the exercise is not to be mistake-free, but to identify potential problem areas. Participants should only use the information given during the exercise, so no googling.
Developing the scenario
An effective tabletop scenario should be realistic and engage participants. Select a scenario that includes circumstances that change over time and has specific details like time of year and day, weather conditions, etc., as well as escalations and injects. Injects are specially crafted variables that affect the scenario by changing or evolving it entirely or causing the exercise to progress in different (sometimes unexpected) directions.
Conducting the exercise
Set the scene of the scenario by using specific details and possibly visual aids (pictures). A great narrative of the scenario event will help to engage participants and truly simulate the event occurring. Acknowledge and record all ideas and contributions from group participants. This will help participants remember what was discussed so that they can go back later and update policies and plans with discovered information. Ask questions after each inject. These questions are designed to stimulate the discussion of issues and actions.
At the end of the exercise, it is good to pose some questions evaluating the event. Some examples of questions to address in reviewing include the following:
- What challenges did the exercise present?
- What went well in the exercise? What did not go well?
- What were our biggest takeaways from the exercise?
- What improvements should be made to the plan as a result of this exercise?
- What are your recommendations to improve the training and exercise program?
Practice makes perfect
To wrap it up, tabletop exercises are a great way to test your Business Continuity Plan or Incident Response Plan. They are fairly easy to conduct and don’t require a lot of resources, so if you have not conducted any tests yet, this is a great test to start with. Auditors and examiners will love to see the report written up describing the exercise as well.