Tabletop Testing for Resilience
By Agility Recovery
March 22, 2024
When it comes to business continuity and disaster recovery planning, resilience professionals know that no plan is ready for the real world before it is tested.
There are different test types to choose from, including:
- Tabletop tests: Employees participate in an actual exercise during a scenario-based, role-playing exercise. Everyone involved practices their roles and responsibilities during an emergency, such as an earthquake, hurricane, or active shooter.
- Plan reviews: Similar to a business continuity (BC) plan audit. The BCP team and the C-level management or department heads get together to review the plan and decide if any components are missing or need revision.
- Walk-through/simulation tests: A simulation test combines real recovery actions, like data loss, restoring backups, live testing of redundant systems, network outage, physical recovery, emergency notification, and other relevant processes.
In this article, we'll focus on tabletop testing. With guidance from Agility recovery manager Alysha Hester, we will explore what a tabletop test is, what scenarios it's best suited to address, and how you can use tabletop testing to enhance your credit union’s resilience.
What Is a Tabletop Test?
A tabletop test is a walkthrough of an actual disaster scenario – like a hurricane, active shooter, or power outage – in real time. This walkthrough allows you to talk through reactions and strategies to ensure that department strategies are aligned with all areas of the credit union.
The walkthrough also allows credit unions to gauge individual teams' readiness levels if a disaster were to occur at that moment.
“Think of this as a business continuity plan brainstorming session in real time, but in the safety of your office, outside of the actual disaster,” said Hester.
What Are Tabletop Tests Used For?
Credit unions use tabletop tests to test for gaps in written continuity plans. They allow credit unions to explore the scenario and identify any dark corners in those plans, providing the opportunity to answer any questions before experiencing an actual event.
Why Do Businesses Use Tabletop Tests?
Tabletop tests are useful for several reasons, including:
- Identifying recovery gaps in plans, resources, and communication strategies
- Implementing new training protocols for safety that are identified post exercise
- Meeting compliance requirements
According to expert Alysha Hester, "I would say the main reason businesses use tabletops is to deep dive into a specific potential disaster to determine findings that could be further explored after the exercise. Once a post-event investigation has been completed, plans would be updated accordingly (and then the cycle of testing starts over so you can explore if these new adjustments provided greater resilience during a disaster."
Pros and Cons of Tabletop Testing vs. Other Types of Tests
Why implement tabletop exercises instead of other types of tests and exercises? Ultimately, we advise utilizing all types of exercises, but tabletop tests are a great place to start.
Pros:
- Test the specific people and processes documented in your credit union’s BCP
- Can be done virtually to conveniently include all staff (including hybrid employees or third-party vendors/MSPs)
- Low- to no-cost option
Cons:
- Creating exercises internally can be extremely time consuming and take some creative thought
- Tabletop tests can't test the physical components of the recovery, so it still may be unknown if some IT and manual processes will function as expected at the time of the disaster as discussed in an exercise
“For additional value, consider involving a third-party perspective in facilitation if you feel your tabletop exercises have become more of a check-the-box type of event or a BCP/incident response read-through,” adds Hester.
After the Tabletop Exercise
So, you've completed your tabletop exercise – now what?
One of the most critical outputs of any test or exercise is identifying gaps and areas for improvement. These could include realizing there is no personnel redundancy, not knowing how to get in touch with remote employees, or not having enough people who know how to access important information.
Document this information and use it to update your credit union's business continuity plan. Then, be sure to update your employees on any new plans and procedures. In doing so, you'll be more prepared for any interruption that may affect the credit union.
Ready to get started? Agility provides free tabletop exercise templates and can also create a custom tabletop exercise and run it with your credit union. Connect with Agility Recovery to get started.
About Agility Recovery
Through its business continuity management platform, called Agility Central, Agility works to reduce the impact of business interruptions on credit unions and the communities they serve. They help businesses be prepared before, during, and after an incident happens. After decades of helping businesses recover from real disasters and streamline emergency preparedness and incident response, they bring the collective experiences of thousands of hours in the field.