Published: 07 March 2017
Analyst(s): Roberta Witty, Ken Otis, Belinda Wilson
Tabletops are an early type of recovery exercise that organizations conduct on their path to ensuring recovery plans meet recovery needs. Security and risk management leaders can use this template to create and conduct a tabletop exercise for a scenario relevant to their organization.
This document was revised on 8 March 2017. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
Exercising recovery plans is the best way to know whether they are viable — other than having to use them for an actual disaster. Fully exercising your recovery plans requires a life cycle approach. The life cycle starts with discussion-based exercises (walk-throughs and tabletops) through to recovery site exercises, and eventually to production cutovers of business or IT operations to alternate production sites (see Figure 1).
Best practice for business continuity management (BCM) exercise management is to develop an annual exercise schedule. The schedule should map each recovery plan to the type of exercise in which it will participate for the year. One recovery plan can easily be included in more than one exercise type over a 12-month time frame.
This Toolkit was developed to provide a template for organizations to create and conduct their own tabletop exercises. Use this template to ensure recovery plans undergo at least one test per year. Using a scenario-based approach, organizations craft the specific content of the scenario and play it out in elapsed time. As we move toward digital business as a way to deliver goods and services, scenario planning becomes a key practice for resilient business delivery (see ). BCM professionals have been using this "new" digital business best practice as a "standard practice" in the business impact analysis and exercise management for over 20 years.
224225_Tabletop_Exc.pptx — Tabletop exercise presentation
224225_Post_Evaluation.docx — Post-exercise evaluation form
224225_Lessons_Survey.docx — Pre- and post-exercise individual key lessons assessment survey
224225_After_Action.docx — After-action report template
Directions for Use
Tabletop exercises can be used for any type of recovery plan — crisis management, emergency response, IT disaster recovery, cyberattack, business recovery, supplier contingency, stand-down and more. Based on tabletop exercises Gartner has participated in, as well as client inquiry discussions, we estimate that the typical time spent in each phase of the overall exercise life cycle is as follows:
Developing the scenario, materials and scheduling: 60%.
Exercise facilitation: 25%.
Debrief activities, reporting and follow-up: 15%. This follow-up time does not include the time needed to update recovery plans as a result of gaps and other findings from the exercise.
It is important to understand that the time needed to develop actual recovery plans is not part of the life cycle percentages noted above.
The following considerations and recommendations ensure an effective and successful tabletop exercise:
Begin planning the tabletop exercise at least two to three months ahead of the exercise date, especially when engaging lines of business (LOBs).
Develop exercise objectives and metrics (attendance, participation and recovery plan update status).
The total exercise time frame should span three to four hours, adjusted to the scope of the exercise and the type of business unit. The actual scenario play-out should be no more than two hours; after that amount of time, people become tired and antsy, and could become distracted by real-world events. More mature teams may require longer exercises.
Exercise participants may not be your normal recovery team members. Therefore, more time may need to be added for the scenario play-out, or the scope should be reduced. Don't be discouraged if you do not get through the entire planned scenario and all of its scenes. What you are looking for is the quality of the discussion, not the number of scenes completed. Far too often, facilitators rush through a scenario for the sake of the clock without considering the value participants get from extended discussions.
Make sure that all participants clear their schedules for one hour before and one hour after the exercise. This will ensure they have time to get to the exercise and can stay later if the exercise goes slightly over the allotted time.
The scenario should be developed by personnel who understand the full scope of business and IT operations for the scenario event. Once you have a good draft, walk through it at least three times to get the content specifics, flow, timing, resources, dependencies and injects right. Investigate every detail of the scenario so that the planning team and facilitator know every aspect of the real operation and where it can be derailed. For example, you may plan to test production IT server recovery operations at an alternate site; using a power outage as the cause of the event may not be realistic for your organization if there is an on-site power backup system.
Develop test scripts, explanatory background material (roles and responsibilities, business unit descriptions), key lessons surveys, event logs and other collateral required to run the exercise.
Supply refreshments for the duration of the exercise (e.g., breakfast and lunch).
Conduct a pre- and post-exercise key lessons assessment of all exercise participants to see if the exercise was successful in improving their understanding of your organization's recovery practices. The form to use for these assessments is part of this Toolkit: Pre- and Post-Exercise Individual Key Lessons Assessment Survey.
Conduct a post-exercise debriefing meeting to capture early lessons learned and observations, as well as top-of-mind suggestions for improvement and next steps. If time permits, also review exercise results against stated objectives, and identify training requirements and/or updates to the plans or processes.
If time does not permit a more thorough debrief before adjourning the exercise, be sure to host debriefing sessions with exercise participants afterward to capture their lessons learned, observations, plan updates and improvement suggestions. You can conduct this post-exercise review using the post-exercise evaluation data-gathering form that is part of this Toolkit: Post-Exercise Evaluation Form.
Publish a final exercise after-action report to all participants and responsible management personnel. The form to use for this after-action report is part of this Toolkit: After-Action Report Template, a modified version of the U.S. Federal Emergency Management Agency's (FEMA) After-Action/Improvement Plan template.
Unless otherwise marked for external use, the items in this Gartner Toolkit are for internal noncommercial use by the licensed Gartner client. The materials contained in this Toolkit may not be repackaged or resold. Gartner makes no representations or warranties as to the suitability of this Toolkit for any particular purpose, and disclaims all liabilities for any damages, whether direct, consequential, incidental or special, arising out of the use of or inability to use this material or the information provided herein.