How to run a crisis response tabletop exercise

information Dec 20, 2021

First things first, this is a blog so will be light on the finer details, second thing, this blog assumes you have a crisis response plan – if you don’t, save yourself 4 or 5 minutes and instead google “how to create a crisis response plan”….

So, what exactly is a crisis response tabletop exercise? Well for us here at vBridge its an exercise that we complete at least twice per year, fundamentally it is about exercising our plans and ensuring that our team knows what to do when the inevitable happens. A crisis can occur at any time, and all of our team needs to know what to do, how to go about it and importantly when to put the “crisis” flag up and call in support.

Our crisis response plans are all based on the CIMS (Coordinated Incident Management System) structure, for us our response plans are focused on the people and roles that we will need to deal with any given situation.  Its not a DR or BC plan, we have these as well, and they sit alongside our crisis response plans. Crisis response is about how we deal with and manage the crisis at hand.

There are three main components to a crisis response tabletop exercise:

1 – Exercise & Scenario Planning

2 – Execution of the exercise

3 – Follow up and learnings

Exercise & Scenario Planning

This is an important facet of the exercise, its not just about dreaming up a scenario, although that part is fun. Really its about coming up with a scenario that will ensure that we test all components of the plan.  You need to think through the scenario and how you want this to evolve.  A crisis is generally not just a single event, it’s the causation event and then all the things that come afterwards.

We usually develop a timeline, the timeline is there to provide a sense of realism as well as a continual building of pressure and complexity. It’s a good idea to have two of you working on this.  The end goal of this component is to have a plan for how you will run the exercise and the key steps.  One consideration is, will the exercise be run in real time or in a compressed format?  Both have their place – compressed format exercises might run for an hour or two, but the scenario could be as long as 3 days as an example.

Its also a good idea to have milestones identified before you bring more info in to the mix.  Remember that in any crisis you will just about always be missing critical information initially, so the team needs to be able to evolve as new information comes to hand.

And remember to ensure that your scenario includes the “post event mop up”, you want to make sure that the response is completed fully. Crisis over does not mean the work is over!

Execution

Always start with explaining why you are running the exercise, and its essential that you remind the team that it’s not about “catching them out”, its about stress testing and giving the team the opportunity to grow “muscle memory” for responding to a crisis. And of course, it’s about improving the plan – no plan is perfect.

Its also good to have at least one person acting as an observer – they should take notes as these will be important later on when you review and follow up.

Depending on how you run the exercise, you may be bringing different people in at different times.  Its important that everyone knows whether they are involved early or not so that people are not jumping in when they shouldn’t be.  We sometimes keep people in another room so that when they are joined in, they need to be given an update like they would have in the real world.

Its OK if the team wants to stop and discuss the situation – a great time to reiterate points in the plan and why they exist etc. Remember its an exercise, not a test.

Don’t be afraid to go “off script” if the response from the team leads you down a different path, but if things do get out of hand, and they will sometimes, then bring the team back and reset.

Follow Up & Learnings

This is the part that is hard to plan for, so its hard to give advice here other than to say that its really important. Make sure that the whole team has their say – what worked well and what was a problem? If we did it again now, what would we have done differently and why?  Was the plan ambiguous or was it a lack of experience.

Running a crisis response exercise is quite hard, you will get better at it if you take feedback on board and do them regularly.  They are incredibly valuable, having a team that is comfortable in what they need to do in a crisis will ensure that when the bad day comes, you will be ready to act.

Want to discuss this more?  Always happy to help people out with this – just get in contact!

Todd Cassie

Todd is the CEO of vBridge - probably the best cloud compute provider in NZ!

Recommended for you