Toolkit: Tabletop Exercise for BCM
FOUNDATIONAL | Refreshed: 9 January 2023 | Published: 7 March 2017 | ID: G00224225
Analyst(s): Roberta Witty, Ken Otis, Belinda Wilson
Tabletops are an early type of recovery exercise that organizations conduct
on their path to ensuring recovery plans meet recovery needs. Security and
risk management leaders can use this template to create and conduct a
tabletop exercise for a scenario relevant to their organization.
FOUNDATIONAL DOCUMENT
This research is reviewed periodically for accuracy. Last reviewed on 9 January 2023.
When to Use
This document was revised on 8 March 2017. The document you are viewing is the corrected
version. For more information, see the Corrections page on gartner.com.
Exercising recovery plans is the best way to know whether they are viable — other than having to
use them for an actual disaster. Fully exercising your recovery plans requires a life cycle approach.
The life cycle starts with discussion-based exercises (walk-throughs and tabletops), progresses to
recovery site exercises, and eventually reaches production cutovers of business or IT operations to
alternate production sites (see Figure 1).
Figure 1. A Life Cycle Approach to a BCM Recovery Plan Exercise
Source: Gartner (March 2017)
Best practice for business continuity management (BCM) exercise management is to develop an
annual exercise schedule. The schedule should map each recovery plan to the type of exercise in
which it will participate for the year. One recovery plan can easily be included in more than one
exercise type over a 12-month time frame.
This Toolkit was developed to provide a template for organizations to create and conduct their own
tabletop exercises. Use this template to ensure recovery plans undergo at least one test per year.
Using a scenario-based approach, organizations craft the specific content of the scenario and play
it out in elapsed time. As we move toward digital business as a way to deliver goods and services,
scenario planning becomes a key practice for resilient business delivery (see "Use Scenario
Planning to Make Business and IT Strategies More Resilient in an Increasingly Volatile World"). BCM
professionals have been using this "new" digital business best practice as a "standard practice" in
the business impact analysis and exercise management for over 20 years.
Downloadable Attachments
224225_Tabletop_Exc.pptx — Tabletop exercise presentation
224225_Post_Evaluation.docx — Post-exercise evaluation form
224225_Lessons_Survey.docx — Pre- and post-exercise individual key lessons assessment survey
224225_After_Action.docx — After-action report template
Directions for Use
Tabletop exercises can be used for any type of recovery plan — crisis management, emergency
response, IT disaster recovery, cyberattack, business recovery, supplier contingency, stand-down
and more. Based on tabletop exercises Gartner has participated in, as well as client inquiry
discussions, we estimate that the typical time spent in each phase of the overall exercise life cycle
is as follows:
■ Developing the scenario, materials and scheduling: 60%.
■ Exercise facilitation: 25%.
■ Debrief activities, reporting and follow-up: 15%. This follow-up time does not include the time
needed to update recovery plans as a result of gaps and other findings from the exercise.
It is important to understand that the time needed to develop actual recovery plans is not part of the
life cycle percentages noted above.
The following considerations and recommendations ensure an effective and successful tabletop
exercise:
■ Begin planning the tabletop exercise at least two to three months ahead of the exercise date,
especially when engaging lines of business (LOBs).
■ Develop exercise objectives and metrics (attendance, participation and recovery plan update
status).
■ The total exercise time frame should span three to four hours, adjusted according to the
scope of the exercise and the type of business unit. The actual scenario play-out should be
no more than two hours; after that amount of time, people become tired and antsy, and could
become distracted by real-world events. More mature teams may require longer exercises.
■ Exercise participants may not be your normal recovery team members. Therefore, more time
may need to be added for the scenario play-out, or the scope should be reduced. Don't be
discouraged if you do not get through the entire planned scenario and all of its scenes. What
you are looking for is quality over quantity. Far too often, facilitators will rush through a
scenario for the sake of the clock, and not consider the value participants are getting from
extended discussions.
■ Make sure that all participants clear their schedules for one hour before and one hour after the
exercise. This will ensure they have time to get to the exercise and can stay later if the exercise
goes slightly over the allotted time.
■ When defining scenario(s) for the exercise, consider the following:
  ■ The scenario used in the exercise must be realistic and plausible for your organization, e.g.,
    it covers the way your organization conducts business, and includes the resources
    (potentially including service providers) used by your business and IT operations. Do not
    bring in events that make no sense to the business, as they will distract and frustrate
    participants and possibly bring the exercise to a quick end.
  ■ The scenario should be focused on specific recovery plans and associated recovery team
    members. Make sure that each exercise participant will have a role to play within the
    exercise; bored participants will lead to ineffective results.
  ■ Determine whether injects will be used, and if so, when and by which team member. An
    inject (sometimes referred to as an "exercise message") comes in two forms: as a
    programmed element, usually time-bound, that is used to move the exercise scenario
    forward; or as a "pop-up" event (dynamic, random). Injects represent events, information,
    constraints, problems or other modifiers that can affect the play-out of the scenario.
    Injects are shared with one or more recovery teams and may or may not be applicable to
    the scenario scope. It is probably safest to not use injects in your first tabletop exercise;
    gain some experience first and then add them after a successful tabletop exercise or two.
    Even if the inject is intended as a distractor, it should not affect the exercise scope and
    course of play, and should be consistent with the general intent of the exercise. Pay
    attention to how the team(s) respond to the information: What you are looking for is their
    ability to identify its applicability to the exercise scenario, and the appropriateness and
    effectiveness of actions taken (or not taken).
■ The scenario should be developed by personnel who understand the full scope of business and
IT operations for the scenario event. To get the content specifics, flow, timing, resources,
dependencies and injects right, walk through the scenario at least three times once you have a
good draft. Every detail of the scenario should be investigated to ensure the planning team and
facilitator know every aspect of the real operation and where it can be derailed. For example,
you may plan to test production IT server recovery operations at an alternate site. Using a
power outage as the cause of the event may not be realistic for your organization if there is an
on-site power backup system.
■ Develop test scripts, explanatory background material (roles and responsibilities, business unit
descriptions), lessons surveys, event logs and other collateral required for the exercise
implementation.
■ Establish the following players for the exercise:
  ■ Players — Exercise participants who respond to the situation presented, based on expert
    knowledge of response procedures, current plans and procedures, and insights derived
    from training.
  ■ Facilitator(s) — The person responsible for moderating and keeping participant
    discussions focused on exercise objectives and core capabilities. Facilitators ensure
    relevant issues are explored. They provide situational updates and additional information,
    and resolve questions as required. Often, the facilitator is an external party who is skilled in
    exercise management, but doesn't know the in-depth workings of your organization.
  ■ Observer(s) — People from your organization who know the business well, but do not
    directly participate in the facilitated discussions. They may support the development of
    player responses to the situation during the discussion by asking relevant questions or by
    providing subject matter expertise.
  ■ Evaluator(s) — People from your organization who know the business well so that they can
    observe, document and evaluate exercise objectives and player discussions.
    Note: Observers and evaluators may be the same people, depending on the size of the
    organization.
  ■ Scribe(s) — People from your organization who know the business well, and can document
    the key actions, issues and findings of the exercise. Scribes may work with the facilitator
    and overall exercise planner to ensure the full set of feedback is documented in the exercise
    after-action report.
  ■ Recovery team communicator(s) — Communicators are selected for each recovery team
    participating in the exercise at the time of the event. They are responsible for liaising with
    other recovery teams during the exercise. They present details of the team's response
    during the exercise situation status update, and act as the spokesperson for the
    "Lessons Learned" section of the exercise.
■ Supply refreshments for the duration of the exercise (e.g., breakfast and lunch).
■ Conduct a pre- and post-exercise key lessons assessment of all exercise participants to see if
the exercise was successful in improving their understanding of your organization's recovery
practices. The form to use for these assessments is part of this Toolkit: Pre- and Post-Exercise
Individual Key Lessons Assessment Survey.
■ Conduct a post-exercise debriefing meeting to capture early lessons learned and observations,
as well as top-of-mind suggestions for improvement and next steps. If time permits, also review
exercise results against stated objectives, and identify training requirements and/or updates to
the plans or processes.
■ If time does not permit a more thorough debrief before adjourning the exercise, be sure to host
debriefing sessions with exercise participants to capture their lessons, observations, plan
updates and improvement suggestions. You can conduct this post-exercise review by using a
post-exercise evaluation data-gathering form, which is part of the Toolkit. The form to use for
this after-action report is also part of this Toolkit: Post-Exercise Evaluation Form.
■ Publish a final exercise after-action report to all participants and responsible management
personnel. The form to use for this after-action report is part of this Toolkit: After-Action Report
Template, a modified version of the U.S. Federal Emergency Management Agency's (FEMA)
After-Action/Improvement Plan template.
Gartner Recommended Reading
Some documents may not be available as part of your current Gartner subscription.
"How to Develop an IT DR Exercise Plan for On-Site and Cloud-Based IT Services"
"Toolkit: Assessing the Effectiveness of Recovery Plans Following a Business Disruption"
Disclaimer
Unless otherwise marked for external use, the items in this Gartner Toolkit are for
internal noncommercial use by the licensed Gartner client. The materials contained in
this Toolkit may not be repackaged or resold. Gartner makes no representations or
warranties as to the suitability of this Toolkit for any particular purpose, and disclaims all
liabilities for any damages, whether direct, consequential, incidental or special, arising
out of the use of or inability to use this material or the information provided herein.
© 2017 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This
publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of
Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication
has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice
and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner Usage Policy.
Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research
organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and
Objectivity."