10 Tabletop Exercise Scenarios for Business Continuity: Cyberattack, Pandemic, Cloud Outage, and More

On July 19, 2024, a faulty content update pushed by CrowdStrike’s Falcon Sensor software took down approximately 8.5 million Windows systems worldwide — the largest IT outage in recorded history. Hospitals canceled surgeries. Airports reverted to whiteboards and handwritten boarding passes. Financial institutions lost access to trading platforms mid-session. Delta Air Lines canceled over 7,000 flights across five days and reported $500 million in disruption costs.

The organizations that recovered fastest were not the ones with the thickest BCP binders. They were the ones who had actually run exercises.

Here’s the uncomfortable reality about business continuity planning: research consistently shows that roughly 55% of organizations do not regularly test their disaster recovery or BCP procedures. Of those that do test, 56% don’t engage in full simulations — they conduct discussion-based reviews and mark the checkbox. Meanwhile, data shows that organizations that test their BCPs regularly experience significantly fewer disruptions and recover faster when incidents do occur.

Tabletop exercises are where plans meet reality before reality arrives uninvited.

TL;DR

  • 55% of organizations don’t regularly test their BCP; 56% of those that do test skip full simulations — your tested plan is a competitive advantage
  • The CrowdStrike July 2024 outage proved that security tools can be the failure point — a scenario most organizations had never modeled
  • FFIEC requires annual testing of critical services; ISO 22301 requires regular exercises at defined intervals — tabletop-only isn’t enough for critical functions
  • CISA offers over 100 free pre-built tabletop exercise packages (CTEPs) covering ransomware, pandemics, cloud failures, and more
  • A tabletop exercise is only as valuable as its after-action report — document findings, assign owners, set timelines

Exercise Types: Know Where Tabletops Fit

Before the scenarios, a quick framework. FEMA’s Homeland Security Exercise and Evaluation Program (HSEEP) classifies exercises into two categories:

Discussion-based exercises (lower complexity, lower resource requirements):

  • Seminars and workshops
  • Tabletop exercises — key personnel discuss responses to a scenario in a low-stress environment; no actual system activation
  • Games (competitive decision-making simulations)

Operations-based exercises (higher complexity, resource-intensive):

  • Drills (single-function testing)
  • Functional exercises — realistic, real-time environment; actual decisions made, some resources deployed
  • Full-scale exercises — maximum realism; full activation of personnel, systems, and recovery sites

For regulated organizations, the FFIEC BCM framework expects progression. Tabletops establish baseline familiarity. Functional exercises test the coordination machinery. Full-scale tests validate that your recovery systems actually work under load. FFIEC examiners want to see documented evidence of this progression for critical functions.

Now — the scenarios.


Scenario 1: Ransomware Attack

The setup: Monday morning. Your IT team reports that multiple systems are throwing encryption errors. By 9 a.m., you have confirmation: ransomware has encrypted your file servers, backup repositories, and several production databases. The attacker has posted a $2 million ransom demand with a 72-hour deadline. Your cyber insurance carrier’s breach coach is on the phone.

Key discussion questions:

  • Who has authority to decide whether to pay the ransom? Is that person reachable right now?
  • What systems are encrypted, and what’s the fallback for each critical business process?
  • How long can you operate on paper-based or manual backup processes?
  • When do you notify regulators, and who makes that call?
  • How do you communicate to customers/members without using compromised systems?

What this surfaces: Decision authority gaps (especially for the pay/don’t-pay question), backup integrity issues (many organizations discover backups are encrypted too), and notification timeline confusion. Colonial Pipeline’s 2021 attack — which shut down fuel supply to the U.S. East Coast for six days — began with a single compromised VPN password.


Scenario 2: Major Cloud Provider Outage

The setup: Your primary cloud provider (AWS, Azure, or Google Cloud) reports a major service disruption in the region hosting your core workloads. Your SaaS applications, data warehouse, and collaboration tools are unavailable. The provider’s status page says “investigating” — ETA unknown. It’s 10 a.m. on a business day.

Key discussion questions:

  • What workloads are affected, and what’s the business impact per hour of downtime?
  • Do you have a documented multi-region or multi-cloud failover capability? Has it been tested?
  • What’s your customer-facing SLA commitment, and at what point does it breach?
  • How do you communicate status to customers and vendors without your normal communication tools?
  • Who owns the relationship with the cloud provider, and what’s the escalation path?

What this surfaces: SLA commitments that outpace DR architecture, missing multi-region failover, and communication plan gaps. The December 2021 AWS us-east-1 outage — which took down Venmo, Disney+, Instacart, and hundreds of others simultaneously — was particularly notable because AWS’s own status dashboard went down before they could communicate the problem publicly.


Scenario 3: Pandemic or Mass Workforce Unavailability

The setup: A rapidly spreading respiratory illness has resulted in 40% of your workforce calling out sick simultaneously. Public health authorities recommend, but have not mandated, remote work. Your critical functions depend on personnel who require on-site presence. It’s week two — the 40% figure is expected to persist for four to six weeks.

Key discussion questions:

  • Which critical functions require physical presence that cannot be performed remotely?
  • What’s the minimum staffing level for each critical function, and do you have cross-trained backups?
  • How do you prioritize which services to maintain when operating at 60% capacity?
  • What regulatory obligations (filing deadlines, service-level requirements) must be maintained regardless?
  • When do you activate backup staff arrangements (temporary staff, vendor support, mutual aid agreements)?

What this surfaces: Single-point-of-knowledge risks (the one person who knows how to process X), inadequate cross-training, and unclear prioritization frameworks when you can’t run everything. COVID-19 exposed that many BCPs assumed workforce unavailability would be localized, not simultaneous across the entire organization.


Scenario 4: Critical Vendor Failure

The setup: Your core processing vendor — the system that handles your primary operational workflows — notifies you at 6 a.m. that they are experiencing a major outage. They estimate 8 to 24 hours to restore service. This vendor processes all of your core transactions. You have no contractual SLA that covers this specific failure mode.

Key discussion questions:

  • What is your manual backup capability for core functions, and how long can you sustain it?
  • Does your contract require the vendor to maintain a BCP and provide you with recovery time commitments?
  • Have you reviewed this vendor’s BCP documentation in the past 12 months?
  • At what point do you need to notify your regulators about the service disruption?
  • What’s your contractual remedy if the vendor breaches their recovery time commitments?

What this surfaces: Vendor BCP documentation gaps, contractual inadequacies (most vendor contracts have generous force majeure provisions that limit remedies), and regulatory notification timeline confusion. The June 2023 interagency third-party guidance from the OCC, Federal Reserve, and FDIC specifically requires institutions to assess whether vendors maintain appropriate BCM practices, including specified recovery timeframes.


Scenario 5: Cybersecurity Breach — Data Exfiltration

The setup: Your security operations center detects outbound data transfers to an external IP address. Forensic analysis confirms that an attacker had persistent access for approximately 60 days. An estimated 50,000 records of sensitive customer data — names, account numbers, Social Security numbers — appear to have been exfiltrated. The access vector was a compromised third-party vendor credential.

Key discussion questions:

  • What are your breach notification obligations (state laws, federal regulators, contractual)? What are the specific timelines?
  • Who is on the breach response team, and what is each person’s role?
  • How do you preserve evidence while continuing to operate?
  • What customer communication do you issue, and who approves it?
  • Does your cyber insurance cover this scenario, and what are the notice requirements to the carrier?

What this surfaces: Notification timeline confusion (state breach notification laws vary from 30 days to 72 hours, and federal financial regulators have separate notification requirements), incomplete breach response team rosters, and evidence preservation procedures that conflict with business continuity (you need to keep running, but IR needs to contain the environment).


Scenario 6: Natural Disaster — Facility Loss

The setup: An overnight weather event has caused significant structural damage to your primary facility. The building is declared unsafe and inaccessible for an indeterminate period — possibly weeks. Your servers, paper records, and on-site equipment are physically inaccessible. It’s 7 a.m. and you need to open for business in two hours.

Key discussion questions:

  • What is your alternate work location arrangement? Where specifically do key personnel report?
  • How quickly can critical systems be accessed from backup locations or cloud environments?
  • What physical records (documents, physical keys, backup media) are stored off-site?
  • How do you communicate the location change to customers, counterparties, and regulators?
  • What’s your salvage and access procedure for the damaged facility once it’s cleared?

What this surfaces: Alternate site arrangements that exist on paper but haven’t been tested (keys that no one has, access credentials that have expired), physical records that aren’t backed up digitally, and customer communication plans that depend on infrastructure at the affected facility. Hurricane Katrina wiped out the physical infrastructure of dozens of Gulf Coast financial institutions in 2005 — those with tested alternate site arrangements recovered significantly faster.


Scenario 7: Key Person Loss

The setup: Your Chief Technology Officer and your core systems administrator are both in a car accident and are hospitalized indefinitely. They are the primary contacts for your core platform vendor, the sole holders of several critical system credentials, and the only people who know the undocumented recovery procedures for your primary database.

Key discussion questions:

  • What critical knowledge exists only in these individuals’ heads, and what’s the fallback?
  • Are critical credentials and access information documented in a secure location accessible to authorized backups?
  • Who are the designated backups for their critical vendor relationships?
  • What undocumented procedures exist for critical systems, and how would you execute them without those individuals?
  • What’s your plan for sustaining operations through an extended absence (not just the first 48 hours)?

What this surfaces: Knowledge concentration risks that no BCP document captures, credential management gaps, and the difference between “short-term absence” procedures (typically documented) and “extended indefinite absence” (usually not). This scenario is especially revealing for smaller organizations where individuals hold multiple critical roles without formal succession planning.


Scenario 8: Supply Chain Disruption

The setup: A critical component used in your operational infrastructure (hardware, specialized software, or a key raw material if you’re in manufacturing) becomes unavailable due to a supplier bankruptcy and geopolitical trade restrictions. Lead times for alternatives are 90 to 180 days. You have a 30-day inventory of the current component.

Key discussion questions:

  • Have you mapped your critical operational dependencies to their upstream supply chains?
  • What are your alternative sourcing options, and what would it take to qualify them?
  • Can you prioritize operations to extend existing inventory across the 90-day procurement gap?
  • What customer and contractual commitments would you need to renegotiate?
  • How does this scenario affect your BIA assumptions about recovery time?

What this surfaces: Supply chain visibility gaps — most organizations don’t have visibility beyond their Tier 1 vendors. The 2021 global semiconductor shortage demonstrated how deeply a single input material could affect industries that had never considered themselves dependent on semiconductor supply chains.


Scenario 9: Insider Threat — Sabotage

The setup: A recently terminated employee with elevated system access has deleted critical configuration files and altered production database records before their access was fully revoked. Your IT team discovers the damage during the morning system check. Reconstruction will take an estimated three to five days. Criminal referral procedures are unclear.

Key discussion questions:

  • What is your offboarding procedure for immediate access revocation, and how long did it actually take in this case?
  • Which backup systems are unaffected, and what’s the recovery scope?
  • What’s your criminal referral obligation and procedure? Who makes that call?
  • How do you communicate with the affected employee’s manager and team during the investigation?
  • What audit logging exists to scope the full extent of the damage?

What this surfaces: Access revocation process failures (privileged access often persists longer than expected after termination), backup integrity gaps, and unclear criminal referral procedures. Insider threats cause significant operational damage — the 2019 case of a former Amazon Web Services engineer who compromised the data of over 100 million Capital One customers began with privileged cloud credentials.


Scenario 10: Simultaneous Multi-System Failure (The CrowdStrike Scenario)

The setup: At 8 a.m., your IT team begins receiving calls: workstations across the organization are crashing and rebooting in a continuous loop. Within 30 minutes, it’s clear that a software update pushed by your endpoint security vendor has bricked every Windows workstation in the organization. Remote management tools are inaccessible — the affected systems can’t receive the rollback update remotely. Each machine requires manual intervention.

Key discussion questions:

  • How many workstations are affected, and how many IT staff are available to physically touch each machine?
  • What is your operational capability on unaffected systems (Linux, Mac, mobile)?
  • At what point do you declare a business continuity event versus an IT incident?
  • How do you prioritize which workstations to recover first (by business function)?
  • How do you communicate status internally when your primary communication tools are on affected systems?

What this surfaces: The scenario most organizations hadn’t considered: your security tool as the failure point. When CrowdStrike’s actual outage occurred on July 19, 2024, organizations discovered their crisis communication plans depended on Teams and Slack — both inaccessible on affected systems. Recovery required a USB drive and physical access to each machine, making remote-workforce recovery procedures largely useless.


Running an Effective Exercise

A tabletop exercise is only as valuable as its facilitation and documentation. Key practices:

Before: Define specific objectives (not just “test the BCP” — choose 3 to 5 specific capabilities to evaluate). Brief participants on their roles without pre-reading the scenario. Ensure a facilitator who is not a participant runs the discussion.

During: Present the scenario in escalating injects — don’t reveal everything upfront. Push participants to make actual decisions, not theoretical ones. Document gaps, surprises, and decision points in real time.

After: Produce an after-action report within two weeks of the exercise. Document findings, assign owners to each gap, and set completion timelines. Schedule the remediation review as part of the next exercise planning cycle.

For more on the testing framework, see the Business Continuity Testing Guide and the Tabletop Exercise Template for a structured facilitation format. For bank and credit union-specific testing requirements under FFIEC, see the OCC and NCUA BCP Examination Guide.

So What?

The CrowdStrike incident gave every BCM practitioner a forcing function: the failure you didn’t model is the one that will find you. The organizations that fared best on July 19, 2024, had two things in common — they had run exercises that included third-party vendor failure scenarios, and they had practiced the communication cascade when primary systems were unavailable.

A tabletop exercise doesn’t need to be perfect to be valuable. The value is in the gaps it surfaces before a real incident does. Run the ransomware scenario before your response team learns, mid-crisis, that they don’t know who has authority to call the cyber insurance carrier. Run the cloud outage scenario before your customers discover your SLA commits to a four-hour RTO that your architecture can’t support.

CISA’s Tabletop Exercise Packages offer over 100 free, pre-built exercise scenarios with facilitator guides, situation manuals, and after-action report templates. There’s no budget barrier to starting.

The plan that hasn’t been tested isn’t really a plan. It’s a hypothesis.


Run your exercises against a solid plan: The Business Continuity & Disaster Recovery (BCP/DR) Kit includes BCP templates, BIA worksheets, tabletop exercise facilitation guides, and after-action report templates — everything you need to build and test a credible program.

Frequently Asked Questions

What is a tabletop exercise in business continuity?

A tabletop exercise is a discussion-based simulation where key personnel walk through how they would respond to a specific scenario — a ransomware attack, a cloud outage, a pandemic — without actually activating response procedures. Participants discuss roles, decisions, and dependencies in a low-stress environment, surfacing gaps in the plan before a real incident does. FEMA’s Homeland Security Exercise and Evaluation Program (HSEEP) defines tabletop exercises as the foundational exercise type, leading up to functional exercises and full-scale exercises.

How often should an organization run tabletop exercises for business continuity?

The FFIEC Business Continuity Management framework requires annual testing of critical services at minimum. ISO 22301 requires exercises at “regular intervals” appropriate to the organization’s risk profile. Best practice for regulated organizations is annual full tabletop exercises plus scenario-specific drills throughout the year. High-risk organizations (financial institutions, healthcare, critical infrastructure) typically run two to four exercises per year. The key is documented evidence of testing — examiners and auditors want to see objectives, participants, findings, and remediation timelines.

What’s the difference between a tabletop exercise and a functional exercise?

A tabletop exercise (TTX) is discussion-based: participants talk through their responses to a scenario in a conference room or virtual setting, without activating actual systems or procedures. A functional exercise applies real resources in a simulated environment — management teams make actual decisions, some resources are physically deployed, and communications systems may be activated. A full-scale exercise is the most resource-intensive: full deployment of personnel and systems in conditions as close to a real incident as possible. FEMA recommends organizations build toward full-scale through the progression: tabletop → functional → full-scale.

What scenarios should every organization’s tabletop exercise program cover?

A comprehensive BCP tabletop program should cover at minimum: ransomware/cyberattack, cloud provider outage, pandemic or mass workforce unavailability, critical vendor failure, natural disaster or facility loss, key person loss, and data breach. Organizations in regulated industries should add sector-specific scenarios: financial institutions need liquidity stress and payment system outage scenarios; healthcare organizations need patient data unavailability and clinical system failure scenarios. CISA offers over 100 pre-built Tabletop Exercise Packages (CTEPs) available for free.

What should an after-action report include after a tabletop exercise?

A BCP tabletop after-action report should document: the exercise date, scope, and participants; a summary of the scenario and key injects presented; strengths identified during the exercise; gaps, issues, or plan failures surfaced; specific improvement actions with assigned owners and completion timelines; and an overall assessment of the exercise objectives. The after-action report is the document examiners and auditors will review to assess the quality of your testing program — vague entries like “exercise completed successfully” are red flags.

What did the CrowdStrike outage reveal about business continuity planning?

The July 19, 2024 CrowdStrike outage — which took down approximately 8.5 million Windows systems globally and caused an estimated $5.4 billion in Fortune 500 losses — exposed several BCP gaps: most organizations had not modeled a scenario where security software caused the outage (security tools are usually assumed to be part of the solution, not the problem); recovery required manual intervention at each affected device, making remote-workforce recovery plans largely ineffective; and vendor concentration risk across a single security endpoint provider had not been stress-tested. Delta Air Lines canceled over 7,000 flights in five days and reported $500 million in disruption costs.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
