Tabletop Exercise Template: How to Run a 90-Minute BCP Exercise That Finds Real Gaps
TL;DR:
- A tabletop exercise is a structured, discussion-based walkthrough of a disruption scenario — no systems go down, but you find out exactly where your BCP breaks
- You can run one in 90 minutes with a facilitator, a scenario, and the right people in the room
- This guide includes a facilitator blueprint, inject design methodology, and 3 ready-to-use scenario briefs (ransomware, critical vendor outage, key person loss)
The Best BCP Test Doesn’t Touch a Single System
When UnitedHealth Group’s subsidiary Change Healthcare was hit by the AlphV/BlackCat ransomware group in February 2024, the company faced $872 million in losses in Q1 alone — including $595 million in direct restoration costs. Recovery took months. The pharmacy claims platform didn’t reach 80% functionality until well after the attack. UnitedHealth ultimately paid a $22 million ransom that was reportedly stolen by the attacker’s own associates.
Now ask yourself: if your organization had walked through a ransomware scenario six months before an attack, would you have caught the gaps that turned a bad day into a catastrophe?
That’s what tabletop exercises do. They’re the highest-value, lowest-cost testing method in your business continuity toolkit — a structured, discussion-based simulation where your team talks through “what would we actually do?” without taking a single system offline. FEMA’s Homeland Security Exercise and Evaluation Program (HSEEP) classifies tabletop exercises as discussion-based exercises designed to familiarize participants with plans and validate decision-making processes.
If you’ve already read our guide on business continuity testing, you know tabletops are the sweet spot between effort and insight. This article goes deeper — a complete facilitator blueprint, scenario design methodology, and three ready-to-use scenario briefs you can run this quarter.
What Makes a Tabletop Exercise Work (and What Makes It Useless)
A good tabletop exercise surfaces gaps you didn’t know existed. A bad one is a two-hour meeting where everyone agrees the plan looks fine.
The difference comes down to three things:
1. Realistic scenario pressure. The scenario needs to force hard decisions — not confirm that people know the plan exists. If nobody’s uncomfortable, the scenario is too easy.
2. The right people in the room. You need decision-makers, not just the BCP coordinator presenting slides. The people who’d actually make calls during a disruption need to be the ones debating those calls.
3. A facilitator who pushes. The facilitator’s job is to probe, challenge, and inject complications — not narrate a timeline. “Your backup site is ready” is a slide. “Your backup site is ready but three key people are on PTO in different time zones” is an exercise.
Who Should Be in the Room
| Role | Why They’re There | What They Reveal |
|---|---|---|
| Business line leaders | They own the critical processes | Whether recovery priorities match reality |
| IT/Infrastructure lead | They execute technical recovery | Whether RTOs are actually achievable |
| Communications/PR | They manage stakeholder messaging | Whether crisis comm templates exist and work |
| Compliance/Legal | They handle regulatory notification | Whether notification timelines are mapped |
| HR representative | They manage people impacts | Whether key person dependencies are documented |
| Vendor management lead | They coordinate third-party recovery | Whether vendor SLAs cover your actual needs |
| Executive sponsor | They make escalation decisions | Whether escalation paths are clear |
Ideal group size: 8-15 people. Fewer than 8 and you miss perspectives. More than 15 and half the room checks out.
The 90-Minute Tabletop Exercise Blueprint
This structure is adapted from the CISA Tabletop Exercise Package (CTEP) framework — free, customizable exercise templates published by the Cybersecurity and Infrastructure Security Agency. CISA’s packages include scenario templates, discussion questions, and facilitator guides that any organization can adapt.
Pre-Exercise Setup (Do This a Week Before)
Before the exercise day:
- Select your scenario based on your organization’s top risks (use your BIA to identify what matters most)
- Draft 3-4 injects — escalating complications that force new decisions (see inject design below)
- Send a brief scenario overview to participants 2-3 days ahead — enough context to prepare, not enough to pre-script answers
- Prepare a facilitator guide with probing questions for each inject (the questions matter more than the scenario)
- Set ground rules: no wrong answers, no blame, stay in character, phones away
The 90-Minute Flow
| Time | Phase | What Happens |
|---|---|---|
| 0:00 - 0:10 | Opening | Ground rules, exercise objectives, scenario introduction |
| 0:10 - 0:30 | Inject 1: Initial Disruption | The incident hits. Who gets notified? What’s the first call? Who makes it? |
| 0:30 - 0:50 | Inject 2: Escalation | It’s worse than you thought. A complication changes the picture. Recovery assumptions break. |
| 0:50 - 1:05 | Inject 3: Extended Impact | Day 2-3 of the disruption. Stakeholders are asking questions. Regulators want updates. Customers are affected. |
| 1:05 - 1:15 | Inject 4 (Optional): Curveball | Something unexpected — media coverage, second incident, key resource unavailable |
| 1:15 - 1:30 | Hot Wash | What worked? What didn’t? What surprised us? What do we need to fix? |
Facilitator tip: Spend 60% of your time on Injects 1 and 2. That’s where the real gaps surface — initial response and escalation. Most BCPs look great on paper until you ask “who specifically calls the regulator, and what exactly do they say?”
How to Design Injects That Actually Test Your Plan
An inject is a new piece of information introduced during the exercise that changes the situation and forces a response. Bad injects are informational (“systems are being restored”). Good injects create decision points.
The inject formula:
Situation change + time pressure + incomplete information = good inject
Examples of weak vs. strong injects:
| Weak Inject | Strong Inject |
|---|---|
| "IT has begun restoring from backups" | "IT reports backups exist but the last verified backup is 72 hours old — do you restore and accept 3 days of data loss, or try to recover the compromised system?" |
| "Communications team drafts a press release" | "A reporter from American Banker calls your CEO directly asking if customer data was compromised. You don’t know yet. What does the CEO say?" |
| "Vendor is working on the issue" | "Your core banking vendor says full service restoration will take 5-7 business days. Your RTO for that system is 4 hours. What’s Plan B?" |
Each inject should target a specific BCP component: communication, escalation, vendor coordination, regulatory notification, or recovery execution. Map your injects to the components you most need to validate.
3 Ready-to-Use Scenario Briefs
These scenarios are designed for financial services organizations but can be adapted to any industry. Each includes the opening scenario and four injects with facilitator probing questions.
Scenario 1: Ransomware Attack
Why this scenario: The IBM/Ponemon Cost of a Data Breach Report 2024 found the global average cost of a data breach reached $4.88 million — a 10% increase from the prior year. Ransomware remains among the most common and costly attack vectors. The Investment Company Institute’s 2024 Cyber Tabletop Exercise simulated a ransomware attack on a financial services firm over a three-day period, highlighting decision-making under pressure as a critical gap.
Opening Scenario: It’s Tuesday at 7:15 AM. Your SOC analyst receives automated alerts showing unusual encryption activity across multiple file servers. By 7:45 AM, employees begin reporting they can’t access shared drives. A ransom note appears on affected systems demanding $2 million in Bitcoin within 48 hours. Your endpoint detection shows the malware has spread to 40% of your Windows endpoints.
Inject 1 — Initial Response (T+1 hour): Your CISO confirms this is ransomware and recommends isolating all affected network segments immediately. However, isolating those segments means your customer-facing payment processing platform goes offline. Your call center is already receiving customer complaints. What’s the decision? Who makes it? How do you communicate it internally and externally?
Inject 2 — Escalation (T+6 hours): Forensics reveals the attackers have been in your environment for 3 weeks. They exfiltrated a database containing 150,000 customer records including names, account numbers, and SSNs before deploying ransomware. Your legal team says this triggers state breach notification laws in 12 states, plus federal banking regulator notification requirements. What’s your notification timeline? Who drafts the notices? Do you engage external counsel?
Inject 3 — Extended Impact (T+48 hours): The ransomware group posts a sample of your customer data on their leak site. A local news outlet picks up the story. Your largest commercial client’s CISO calls asking for a written incident summary and evidence that their data wasn’t compromised. Your backup restoration is 60% complete but the remaining 40% includes your core transaction database. How do you prioritize? What do you tell the client? What does the board need to know?
Inject 4 — Curveball (T+72 hours): Your cyber insurance carrier informs you they need 5 business days to approve incident response vendor costs above $500K. Your IR firm’s current invoice is $750K and counting. Meanwhile, regulators have opened a formal inquiry. Do you pause IR vendor work? Who negotiates with the carrier? What documentation does the regulator need?
Scenario 2: Critical Vendor Outage
Why this scenario: The July 2024 CrowdStrike outage demonstrated how a single vendor’s failure can cascade across entire industries. According to Parametrix estimates reported by CNN, the banking sector alone faced approximately $1.15 billion in losses from the incident — and that wasn’t even an attack. It was a faulty software update.
Opening Scenario: It’s Monday at 9:00 AM. Your core banking platform vendor notifies you of a “service degradation” affecting multiple clients. By 9:30 AM, your operations team confirms you cannot process transactions, view account balances, or run end-of-day settlement. The vendor’s status page says “investigating” with no ETA for resolution.
Inject 1 — Initial Response (T+2 hours): The vendor updates their estimate: partial service restoration in 24-48 hours. Full restoration could take up to 5 business days. Your RTO for core banking is 4 hours. Customers are lining up at branches. Your call center hold time exceeds 45 minutes. What manual workarounds do you activate? Who communicates with customers? Do you invoke your vendor SLA escalation clause?
Inject 2 — Escalation (T+8 hours): End-of-day settlement can’t run. Your treasury team estimates you have $12 million in unsettled trades. The Federal Reserve’s payment system requires settlement confirmation by close of business. Your regulators’ emergency hotline is asking for a situation report. Who calls the Fed? What’s your manual settlement contingency? How do you report this to your board?
Inject 3 — Extended Impact (T+3 days): The vendor restores service but warns that transaction data from the outage window may have integrity issues. Your operations team finds 2,300 transactions that need manual reconciliation. Two commercial clients are threatening to move their accounts. Your examiner calls to schedule a follow-up review of your vendor management program. How do you validate data integrity? What documentation do you need for the exam? How do you retain at-risk clients?
Inject 4 — Curveball: News breaks that the vendor outage was caused by a ransomware attack on the vendor — not the “service degradation” they originally reported. Your vendor’s security team confirms your data was stored on affected systems. Does this change your regulatory notification obligations? Do you need to issue breach notifications? What does your vendor contract require in terms of disclosure?
Scenario 3: Key Person Loss + Facility Disruption
Why this scenario: Key person dependencies are one of the most common — and most overlooked — gaps that tabletop exercises reveal. This scenario combines people risk with a physical disruption to test cross-training, succession planning, and alternate site readiness simultaneously.
Opening Scenario: It’s Wednesday morning. Your VP of Operations — the person who manages all vendor relationships, knows the core banking system configurations by heart, and is the primary contact for your largest regulator — has a medical emergency and will be unavailable for at least 6-8 weeks. That same morning, a water main break floods the ground floor of your main office, displacing 60 employees including your entire operations team.
Inject 1 — Initial Response (T+4 hours): You activate your alternate work site for the displaced team. But three critical operations staff don’t have VPN access configured for the alternate site, and the access provisioning process requires approval from the VP of Operations — who is unreachable. Your delegation of authority matrix hasn’t been updated in 14 months. Who has authority to approve emergency access? Where is the VP’s runbook for critical processes? Who’s the backup contact for the regulator?
Inject 2 — Escalation (T+48 hours): A major vendor contract renewal is due in 5 business days. Only the VP had the negotiation history and pricing details. The vendor’s account manager says the renewal terms have changed and they need a decision by Friday. Meanwhile, your quarterly regulatory filing is due next week, and the VP was the sole preparer. Where is the contract documentation? Who has authority to sign? Can the filing deadline be extended?
Inject 3 — Extended Impact (T+2 weeks): The building damage is more extensive than estimated — your team won’t return for 4-6 weeks. The alternate site is at capacity and wasn’t designed for long-term use. Employee morale is dropping. Two critical team members update their LinkedIn profiles. Your IT team discovers that certain legacy system procedures only exist in a notebook in the VP’s now-flooded office. What’s your extended alternate site strategy? How do you retain staff? How do you reconstruct undocumented procedures?
Inject 4 — Curveball: Your annual regulatory exam is moved up by 30 days. The examiner specifically wants to review your BCP testing documentation, key person contingency plans, and vendor concentration risk — three areas directly affected by the current situation. How do you prepare? What do you disclose about the current disruption? How do you demonstrate your program is working even under stress?
After the Exercise: Turning Findings Into Action
The exercise is only valuable if the findings drive change. Here’s the post-exercise process:
The Hot Wash (Last 15 Minutes)
Go around the room and ask three questions:
- What worked well? — What response actions or plan components held up?
- What surprised us? — What assumptions proved wrong?
- What do we need to fix? — What gaps need immediate attention?
Capture everything. Assign a dedicated note-taker (not the facilitator — they need to focus on the discussion).
The After-Action Report (Within 2 Weeks)
Document findings using this structure:
| Finding | Gap Description | Risk Level | Owner | Target Fix Date |
|---|---|---|---|---|
| 1 | No delegation of authority for vendor approvals | High | COO | 30 days |
| 2 | Crisis communication templates don’t cover vendor outages | Medium | Comms Lead | 45 days |
| 3 | Backup restoration not tested with current data volumes | High | IT Director | 60 days |
Every finding needs an owner and a date. Findings without owners are observations. Observations don’t fix anything.
The FFIEC Requirement
For financial institutions, the FFIEC Business Continuity Management booklet — updated in 2019 (announced via FDIC FIL-71-2019) — explicitly requires an exercise program as part of business continuity management. The booklet moved from “Business Continuity Planning” to “Business Continuity Management” to reflect that continuity is an ongoing management discipline, not a one-time planning exercise.
Examiners look for:
- Exercise program documentation — not just a single test, but a planned cadence
- Variety of exercise types — tabletops, walkthroughs, and functional tests over time
- Participation by senior management and the board — not just the BCP team
- Documented findings and remediation — the after-action report with tracked items
- Evidence that exercises inform plan updates — the feedback loop closing
A well-documented tabletop exercise with clear findings and remediation tracking is exactly what examiners want to see. It demonstrates your organization doesn’t just have a plan — it actively tests and improves that plan.
Building a Tabletop Exercise Cadence
One exercise per year checks a compliance box. It doesn’t build resilience. Here’s a practical cadence:
| Frequency | Exercise Type | Scope | Participants |
|---|---|---|---|
| Quarterly | Tabletop (90 min) | Rotate scenarios: cyber, vendor, people, natural disaster | Cross-functional team + rotating executive sponsor |
| Semi-annually | Extended tabletop (half-day) | Multi-phase scenario with realistic time pressure | Full leadership team including board representative |
| Annually | Functional exercise | Actual system failover or alternate site activation | IT + operations + business line leads |
Start with quarterly tabletops if you’re doing nothing today. You can run the three scenarios in this article across three consecutive quarters. By the fourth quarter, you’ll have enough findings to design a custom scenario targeting your organization’s specific weaknesses.
So What?
Every organization says they have a business continuity plan. Very few have tested whether it actually works. The Change Healthcare attack cost $872 million and took months to recover from. The CrowdStrike outage cost the banking sector over $1 billion in a single day. These aren’t hypothetical risks — they’re recent history.
A 90-minute tabletop exercise costs you nothing but time. It won’t find every gap. But it will find the gaps that matter most — the unclear escalation paths, the undocumented procedures, the vendor dependencies nobody mapped, the key person risks everyone assumed were covered.
Run one this quarter. Use one of the three scenarios above. Capture the findings. Fix them. Then run another one.
That’s how you turn a binder on a shelf into a program that actually protects your business.
Need a head start? The Business Continuity & Disaster Recovery Kit includes tabletop exercise templates, scenario injects, facilitator guides, and after-action report frameworks — ready to customize and run.
FAQ
How often should you run tabletop exercises?
At minimum annually — but quarterly is the cadence that builds real resilience. The FFIEC BCM booklet expects financial institutions to maintain an ongoing exercise program with varied exercise types. Rotating scenarios quarterly (cyber, vendor, people, natural disaster) ensures you test different BCP components throughout the year while keeping the content fresh for participants.
What’s the difference between a tabletop exercise and a full-scale exercise?
A tabletop exercise is discussion-based — participants talk through their response to a scenario without activating real systems or processes. A full-scale exercise involves actual system failovers, site relocations, or process activations. According to FEMA’s HSEEP framework, tabletop exercises are designed to validate plans and decision-making, while full-scale exercises test operational execution. Tabletops are lower cost and easier to schedule, making them ideal for frequent testing. Full-scale exercises are higher fidelity but require significant planning and coordination.
Can small organizations run effective tabletop exercises?
Absolutely — and they arguably need them more. Smaller organizations have more concentrated key person risk and fewer backup resources. You don’t need a formal exercise program or professional facilitator. Grab 5-8 people, pick a scenario from this guide, set a 90-minute meeting, and walk through it. The value comes from the discussion, not the production quality. CISA’s free Tabletop Exercise Packages provide ready-made templates any organization can customize regardless of size.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.