The objectives of the tabletop exercise are as follows:
- Demonstrate viability of the Business Continuity Plan by applying well-defined and relevant disruption scenarios that may highlight discrepancies or inconsistencies.
- Use the results of the tabletop exercise to update and improve the plan.
- Educate the responsible persons on the workings of the plan.
Prior to the scheduled tabletop exercise, the following activities should be performed by the business process owners and management:
- Selection of simulation exercise scenario(s)
- Determination of BCPs or BCP sections to be tested
- Identification of all participants
- Scheduling of tabletop exercise, and all participants, in an appropriate facility
- Communication of roles and expectations to all participants
The participants in the tabletop exercise will be any or all of the following, depending on the scope and objectives of the particular exercise:
- Exercise Facilitator - This may be a BCP Subject Matter Expert (SME), BCP Management Consultant, or other individual identified by management. It might be most appropriate to identify an independent facilitator, an individual with no vested interest in either the business process itself or the BCP strategy and plan that is in place. This person's responsibilities are to:
  - Keep the session flowing (see Facilitator Leading Questions below)
  - Introduce 'roadblocks' during the exercise
  - Ensure issues are documented
  - Keep the session on schedule
  - Provide summary comments at the conclusion
  - Discuss next step activities and time frames
- Recovery Team members - Individuals with assigned tasks and responsibilities within the Business Continuity Plan to be exercised within the selected scenario. Their responsibilities are to:
  - Review the business continuity plan prior to the exercise
  - Describe, during the exercise, the actions to be taken based on: the disruption scenario; time frames following the disruption; and, the documented BCP instructions (i.e., who does what, and when following an interruption).
  - Suggest responsible groups or individuals for action items identified during the exercise.
- Business process owners - Individuals with ownership responsibility for business processes whose Business Continuity Plans will be exercised within the selected scenario. Their role is to:
  - Participate (if required) on recovery teams
  - Monitor the description of business continuity plan roles and responsibilities
- Recorder or Scribe - This individual documents the proceedings of the tabletop exercise. They are asked to:
  - Record tabletop exercise proceedings
  - Capture issues as they arise
  - Record corrective actions and responsible group/department
  - Create Exercise Report.
- Observers - Often, interested parties may be invited to the BCP tabletop exercise. These individuals might be from many different areas: senior management; internal or external audit teams; other departments or sites; regulatory agencies; business partners; or, key clients.
It is expected that each tabletop exercise will require approximately two to four hours of each participant's scheduled time. An appropriate facility (conference room) should be arranged for the exercise.
The business process management team should select one or two disruption scenarios for discussion during the simulation exercise. Example scenarios are presented below. The team should select or create an appropriate tabletop exercise scenario(s) using criteria such as those listed here:
- The ability to concurrently exercise multiple elements of the BCP
- The contingency plans and strategies require significant communication and coordination
- The scenario may be unlikely or severe, but not beyond possibility.
Example scenarios:
- Reduced electrical power
- Power failure
- Loss of heating or cooling facilities
- Facilities access disruptions (Access doors, elevators, etc.)
- Fuel supply failure
- Government services failures (Import/Export etc.)
- File servers fail
- PCs fail
- Telecommunications lines disrupted
- Essential peripherals (printers, etc.) fail
- Software application fails
- Data corruption issues arise
- Production line equipment fails
- R&D equipment failure
- Warehouse equipment failure
Supply Chain Disruption
- Key vendor product or service disrupted
- Distribution channel failure
The agenda for the tabletop exercise should include the following:
1. Overview of exercise objectives
2. Introduction of participants and roles
3. Business process overview
4. Presentation of scenario
5. Description of team procedures and assigned tasks
6. Evaluation of business continuity plans and strategies
7. Review issues, corrective actions, and responsible parties
8. Repeat steps 4 through 7 for next scenario (if appropriate)
9. Closing Discussion/Next Steps
Tabletop exercise "rules" often apply, as follows:
- Everyone is free to contribute
- "Silence" indicates agreement
- The scenario can/will change as needed
- This is not a "test", but an exercise
- Facilitator has the right to table any issue for later resolution
- No outside interruptions permitted.
FACILITATOR LEADING QUESTIONS
The primary role of the facilitator is to ensure that the tabletop exercise proceeds on schedule and achieves the desired result of determining the viability of the Business Continuity Plans. To achieve that result, there are several questions that can be asked as the exercise begins and through the discussion of issues and the assignment of responsibility for corrective actions. The facilitator also has the option to introduce "roadblocks" (marked "*" in the list below) to the recovery teams, to try to identify gaps or weaknesses in the documented business continuity strategies and plans. The facilitator is encouraged to add further failure conditions during the tabletop exercise.
- Are all the right people here?
- Has everyone read the relevant BCP information for their areas?
- Does everyone understand his/her role in the continuity process?
- Does everyone understand the disruption scenario?
- Are there any questions or assumptions that we should agree upon (as a group) before proceeding? (Put on white board or flip chart)
- Who makes the decision to activate the Business Continuity Plan?
- On what basis?
- Is there a central meeting point or communication for initiation of BCP tasks?
- Who does what first/next?
- What is the timing or sequence of this action?
- How long will it take?
- Can the next step begin?
- Are there any anticipated barriers? What could prevent activity from proceeding?
- Are there any possible accelerators? What could be done to assist recovery?
- What is the alternative (i.e., if "Plan A" is unavailable)?
- Who else needs to be notified or involved?
- Are they in the plan(s)?
- Is contact information complete, current and accurate?
- What if a key person is unavailable?*
- What if a key resource is unavailable?*
- Does additional detail need to be in the plan?
- Are any steps missing?
- Are any required resources missing?
- If so, who will add them?
- If not, why? (Existing BCP, SOP, common practice etc.)
- Are other listed documents available?
- Are we now "back in business"?
- What can we do?
- What can't we do?
- At what point does this contingency procedure become a problem?
- What can be done at that point?
- Have personnel been trained in the alternate procedure?
- How do we check to ensure that all records are entered and accurate?
- What is required to Return to Normal?
- Are Team resources different than those assigned to recovery and operations?
- Have we captured all issues/concerns/questions?
- Identify the person responsible for updating the plan for each issue.
A discussion with key personnel of those groups involved in the tabletop exercise should be conducted immediately following the exercise. The exercise results will be presented at that time and action plans will be initiated for all issues identified.
Issues arising during tabletop exercises often fall into a few categories:
- BCP documentation requires update (i.e., BCP out-of-date)
- BCP documentation requires additional detail
- Sequence of BCP task and strategies needs review or change
- Additional assignment of responsibilities, such as a backup person for all key BCP tasks.
- Awareness and training programs need improvement.
Planned properly, tabletop exercises are almost always viewed as a success. The most common feedback is that the exercises achieve their objectives: demonstrating viability of the plan; improving the plan through the capture of issues during the exercise; and educating participants on their roles and responsibilities in the event of an actual disruption.
Furthermore, it has been suggested that BCP tabletop exercises often bring together individuals with such disparate roles within the organization that, with the exception of an actual disruption, they may not otherwise have had any reason to meet. This enables BCP program team building to take place.
The tabletop exercise provides a cost-effective method of exercising BCPs, while causing minimal disruption to the business. Tabletop exercises effectively raise the level of awareness as to the actual state of BCP readiness within the organization.
This article was printed in Volume 13, Issue 1.