Using a Tabletop Exercise to Plan in These Uncertain Times

Dec 4, 2020 | Business Continuity, Cybersecurity, Planning & Strategy, Security Products and Services | 0 comments

With Canada solidly in a “second wave” situation and Alberta’s infection rates soaring, businesses have good reason to be concerned.

Do you know how your business will survive if a key person on your team needs to quarantine for 2 weeks or worse? Does your business have documented processes to know where to get login IDs, passwords when a manager can’t make it in for a week? Do you have alternate contractors, suppliers, and other resources if your primary source is unavailable?

When it comes to planning, we don’t know what we don’t know. But one way to shine some light in the darkness of our plans is to conduct a “Tabletop Exercise.”

Tabletop Exercises for Business Continuity PlanningWhat’s a Tabletop Exercise?

A tabletop exercise is a team activity that encourages an entire work group to pool their knowledge, questions, and concerns with a view to:

  1. Identifying the knowledge that you do have on your team.
  2. Identifying the areas where your team’s knowledge base is lacking.
  3. Prioritizing the risks, problems, and challenges on which you should focus your attention first.

It is a great way to strengthen your teams’ resourcefulness and resilience as well as a good team building activity and a welcome break from the routine daily rhythm of work during some of the dark days of winter.

Kicking Off the Plan

The best exercises start with one or more realistic scenarios that involve the entire company or at least more than one team or department:

  • What if your business was hit with a ransomware attack?
  • What if your chief financial officer ends up in ICU in the hospital?
  • What if a police action next door meant that your office location was off-limits for a couple of days?
  • What if your file server crashed?

You get the idea.

To get started, choose a facilitator from your team or bring one in from outside your organization. If you’ve ever played “Dungeons and Dragons”, a facilitator is like a good Dungeon Master. Then book a half-day or more for your exercise team and choose a comfortable space for people to gather–preferably one which doesn’t show the “badges of managerial power.” After all, we want people to be candid, creative, and honest about how they would work a problem and not just agreeing with whatever they think their boss wants to hear.

Holding the Exercise

The session typically involves the following steps:

  1. The facilitator comes up with a dastardly plan and timeline of events in mind and unveils the first part to the group.
  2. The group decides on initial action.
  3. The facilitator asks questions and helps them evaluate their proposed actions:
    1. What information did you use to decide your steps?
    2. How did you get this information? (eg. Training, documentation, other knowledge)
    3. What are the benefits and risks of this action?
  4. Then, the group gets another “injection.” For example, the facilitator says, “It’s 2 hours later, and you get a call from an employee who says they were the one who opened a malicious email, and they have a ransom note on their laptop.”
  5. The group discusses what actions to take, and so on and so forth.

Debriefing and Incorporate Learnings

At the end of the exercise, the group will have a better idea of how to build their incident response plan. Deficiencies noted in the exercise should be recorded and rectified. For example:

  • if someone noted that they need the root password to a server but nobody knew where it was, then an action item would be to track down that password and then store it in a password safe or some other mechanism so it would be available to those people who need it next time.
  • Documentation might need to be improved. Key information might need to be stored digitally instead of on the binder in the manager’s office.

Other Tips

  1. A good facilitator is very important. If you don’t have one in-house who can do the job, then it is worth the price to bring one in. After a couple of exercises, maybe you will have an internal resource who can now fill the role. Atlas Solutions has a wealth of experience in business continuity planning and can help you with this.
  2. Document the decisions and learnings during the exercise or immediately afterwards. Memories fade quickly. Doing an exercise on a Friday and then trying to capture the notes on Monday will lose a lot of important detail.
  3. Assign action items from the exercise to actual people. Track progress on completing them. Be relentless. It is typical for people to pick off the “bottom fruit” and leave it at that. But the best value is often in fixing the hard problems.
  4. Disaster planning exercises usually group scenarios along 2 variables: Are people (staff, contractors, suppliers) impacted? Is infrastructure/systems (computers, buildings, transportation) impacted? A possible matrix might look like this:
    XPeople ImpactedPeople Not Impacted
    Infrastructure ImpactedEarthquake
    Terror attack
    Building explosion during work hours
    Large scale civil emergency
    Ransomware attack
    Server or network failure
    Utility failure (heating/HVAC)
    Building fire outside office hours
    Infrastructure Not ImpactedPandemic
    Death or accident involving key manager(s)
    Snow day
    Police tape around building
    Transit strike
    Business as usual

 

Check Out These Related Posts

0 Comments

0 Comments

Trackbacks/Pingbacks

  1. How to Charge your Phone for $107 Million – Atlas Business Solutions - […] an attack happens, do you have a plan on how to respond? Conducting regular table-top exercises with your management…

Submit a Comment