What’s Old is New: The Enduring Value of Tabletop Exercises

Posted June 13, 2024 by Kevin Finch 

I’ve been working in business resiliency for over 20 years now, and Tabletop Exercises were around long before I got into the industry. This is the second blog in my “What’s Old Is New” blog series.

“Plans are nothing; planning is everything.”

Dwight D. Eisenhower

How long? In my limited research, I have not been able to come up with a starting point in the history of Tabletop Exercises, but it’s not difficult to imagine a group of military commanders sitting around a table discussing contingency plans and logistical problems, in really any era of human history.  In fact, the Roman Historian Vegetius once wrote that “every plan… is to be considered, every expedient tried and every method taken before matters are brought to this last extremity [general engagements]…” Vegetius was discussing operational military strategies in the 4th century, but there’s evidence that degree of meticulous discussion and planning went on for 2-3 centuries before that as a part of the Grand Strategy for the defense of the Roman Empire.  Stakeholders coming together to consider every possibility for the execution of a plan in a crisis?  Sounds a lot like a Tabletop Exercise to me (even though I never was one of those guys that thinks about The Roman Empire all the time).

What is a Tabletop Exercise?

So, what is a Tabletop Exercise? There are several definitions out there, but it’s generally agreed that a Tabletop Exercise is one where team members meet to discuss their roles and responsibilities in response to some sort of emergency situation. Often there is a fictitious scenario created to help guide the discussion and ensure that various response strategies are examined as a part of the exercise. The concept of the Tabletop Exercise has applications across the spectrum of Emergency Response, crisis management, business resiliency, Data Recovery (DR), and cybersecurity. I have participated in dozens of Tabletops over the years, testing crisis communications, data restoration procedures, responses to facility outages, SaaS application outages, and even bird flu plans.

Tabletop Exercises have proven to have enduring value because they do a few things very well. They do an excellent job of helping identify gaps and weaknesses in plans by forcing response teams to critically examine plan content in the face of adverse circumstances. Tabletop Exercises also enhance team coordination and communication by helping to demonstrate the lines of communication that need to take place in response to an actual incident. Overall, Tabletop Exercises help improve decision making under stress by creating a simulated stressful environment to safely examine the underlying processes.

“Those who plan do better than those who do not plan, even should they rarely stick to their plan.”

Winston Churchill

If anything, Tabletop Exercises are even more relevant today than they were in the past for many companies. In many industries, regulatory compliance pressures have only increased over time, often requiring some sort of exercise be performed annually. Business interruption insurance companies are also starting to require some form of resiliency exercise be performed in order to lower the risk profile of companies they are insuring. There has also been the slow continuous growth of customer demands in nearly every industry for reliable service delivery, and Tabletop Exercises can be a useful method of validating service reliability under adverse circumstances.

Tabletop Reviews of Data Recovery Plans

In addition to “traditional” Business Resiliency-type Tabletop Exercises, there is also value to be found in doing Tabletop reviews of Data Recovery plans.  In many IT environments the different components that comprise an application (networking, identity management, database management, application management, user environment, etc.) tend to be managed by disparate teams. In an emergency situation, teams will be unfamiliar with the operating processes of other teams to some extent simply because they don’t work together often. It’s also reasonable to expect that teams will be unfamiliar with recovery documentation authored by other teams, and may not have a clear picture of interdependencies.

A Tabletop read through of Data Recovery plans can help teams to illuminate those interdependencies and gain some familiarity with the recovery processes other teams need to execute. The DR Tabletop read through is valuable on its own, but I think it is most useful as a preparatory step for a Data Recovery technical exercise. Plans can be analyzed for gaps and weaknesses, interdependencies can be studied and documented, and recovery process order can be scrutinized — and all of this can take place without tying up system resources or risking impacts to your production application environment.

Tabletop reviews of Data Recovery plans have been around at least as long as I have been working, but like their Business Resiliency brethren, I think they are even more relevant today than they may have been in the past. They have the same benefits they always did: preparing technical teams for Emergency Response and increasing plan familiarity, leading to reduced downtime and improved recovery times. However, users and customers have far less tolerance for downtime than ever in this era of 24/7/365 commerce, highlighting the importance of faster systems recovery. Plus, given the increased burdens of customer privacy and the threat of ransomware downtime, the importance of rapid, smooth Data Recovery has only been heightened. Anyone that’s gone through one can probably tell you about the increased clarity and insight they got from the process, and how much it helped their recovery teams. Tabletop reviews of Data Recovery plans can so powerfully improve the quality of programs that we have been recommending them to nearly all our resiliency customers lately.

“Just because something is ‘Old School’ doesn’t mean that it’s outdated.”

John G. Miller, American Author

Pretty much everyone agrees that testing is a necessity for advancing resiliency programs. Tabletop testing has been a part of that forever, and the value we can realize from it now is greater than ever before. Even though that’s the case, sometimes you just need some expertise from outside your organization to help bring it all into focus. Sayers is here to help. Our Business Resiliency team has decades of experience in all aspects of creating and facilitating Tabletop Exercises, and we can put one together that meets your unique needs. We’re here to help you get the most from your plans, and from your program.
