In October 2025, the Federal Financial Institutions Examination Council (FFIEC) updated its business impact analysis results.

Before we get to the scenarios, let us establish the framework that makes tabletop exercises effective, anchored in the exercise and testing requirements of ISO 22301 Clause 8.5 and in field-tested facilitation practice.

What Makes an Effective Business Continuity Tabletop Exercise

A tabletop exercise is a discussion-based session where key personnel walk through a simulated disruption scenario, making decisions in real time without activating actual recovery procedures.

ISO 22301 Clause 8.5 requires organisations to conduct exercises that are consistent with business continuity objectives, based on realistic scenarios, and produce formal post-exercise reports with identified improvements.

The FFIEC BCM Handbook classifies exercises along a complexity spectrum: tabletop (lowest resource, discussion-only), walk-through drill (teams execute initial steps), functional drill (single function recovers), and full-scale (enterprise-wide activation).

Tabletop exercises sit at the foundation because they are fast to organise, low-cost, and highly effective at exposing gaps in decision-making, communication, and escalation.

Five Principles of Effective Tabletop Exercises

  1. Scenario realism: Base scenarios on your risk register and business impact analysis, not generic templates. If ransomware is your top-rated cyber risk, your exercise should simulate ransomware, not a generic data breach.
  2. Timed injects: Pre-script 3 to 5 escalation points (injects) that introduce new information, complications, or failures mid-exercise. Injects force participants out of scripted responses and into genuine decision-making.
  3. Cross-functional participation: Include IT, operations, legal, communications, HR, finance, and executive leadership. Business continuity failures rarely stay within one function.
  4. Facilitation discipline: Assign a facilitator who does not participate in decisions, a timekeeper, and a scribe. The facilitator uses probing questions to expose assumptions and gaps.
  5. After-action closure: Every exercise produces an after-action report with findings, assigned owners, due dates, and a mechanism for tracking closure. Findings feed back into your BCP, risk register, and next exercise cycle.

Exercise Structure Template

Each of the 15 scenarios below follows this structure:

Element                Description
Scenario Title         Clear name for tracking and reporting
Threat Category        Cyber, Pandemic, Workforce, Supply Chain, Cloud/Tech, Insider Threat
Situation Brief        2-3 paragraph narrative setting the scene, including day, time, and initial indicators
Injects (3-4)          Timed escalations introduced at 15-20 minute intervals during the exercise
Discussion Questions   5-7 facilitation questions targeting decision-making, communication, and recovery
Expected Outcomes      What a mature response looks like, mapped to BCP/DRP activation criteria
Duration               Recommended 90-120 minutes per scenario
Participants           Recommended roles and functions for the exercise

Category 1: Cyber Attack Scenarios

Cyber incidents consistently rank at or near the top of business continuity threats for US organisations. The FBI Internet Crime Complaint Center reported over USD 12.5 billion in losses from cybercrime in 2023, with reported ransomware losses up 74 percent year-over-year. These three scenarios cover the most common and damaging cyber disruption patterns.

Scenario 1: Enterprise Ransomware Attack

Threat Category: Cyber | Duration: 120 minutes | Difficulty: High

Participants: CISO, IT Director, Legal Counsel, CFO, COO, Communications Director, HR Director, Crisis Management Lead

Situation Brief

It is Tuesday at 06:45 AM. Your SOC receives alerts that files on multiple file servers across three office locations are being encrypted simultaneously. Within 30 minutes, a ransom note appears on affected systems demanding 75 Bitcoin (approximately USD 4.8 million) with a 72-hour deadline.

Your ERP system, email server, and shared drives are inaccessible. The attackers claim to have exfiltrated 2.3 TB of data including customer PII and threaten to publish it on a leak site if the ransom is not paid.

Your IT team confirms that backup systems in one data centre appear intact, but the other site’s backups are encrypted. Initial forensics suggest the attackers gained access via a compromised vendor VPN credential 18 days ago.

Injects

  1. Inject 1 (T+20 min): Your largest client calls asking if their data has been compromised. They reference a regulatory obligation to report breaches within 72 hours and threaten to invoke the termination clause in your contract if you cannot confirm data integrity by end of day.
  2. Inject 2 (T+40 min): A journalist from a major business publication contacts your communications team stating they have received a tip about the attack and plan to publish within two hours. Simultaneously, an employee posts on social media that systems are down.
  3. Inject 3 (T+60 min): Your IT team discovers the attackers have also compromised your Active Directory, meaning password resets across the enterprise are required before any systems can be safely restored. Estimated recovery time with clean backups jumps from 48 hours to 5-7 days.
  4. Inject 4 (T+80 min): Your cyber insurance carrier requires a forensic investigation by their approved firm before authorising any coverage. Their firm estimates a 48-hour engagement timeline before they can begin. Payroll processing is due in three days and cannot be completed without the ERP system.

Discussion Questions

  • Who has the authority to make the ransom payment decision, and what criteria guide that decision?
  • What are the legal notification obligations under state breach notification laws and any federal sector requirements?
  • How do you communicate with employees, customers, regulators, and media simultaneously with email systems down?
  • What is the manual workaround for payroll, invoicing, and order processing during a 5-7 day outage?
  • How do you prioritise system restoration, and does your BIA-defined RTO align with actual recovery capability?
  • What contractual obligations to clients are triggered, and who is responsible for client communication?

Expected Outcomes

A mature response includes: immediate activation of the cyber incident response plan and crisis management team; engagement of external forensics and legal counsel within two hours; isolation of the intact backup site from the production network, with restore media verified offline, before any restore is trusted; activation of pre-drafted holding statements for media and clients; manual workaround procedures for critical business functions (payroll, order processing, client service); and clear escalation to the board with a decision framework for the ransom question. Because Active Directory is compromised, the credential reset must cover service accounts and the krbtgt account (reset twice) as well as user passwords, and the vendor VPN access used 18 days ago must be revoked before systems are rebuilt. Post-exercise, the after-action report should identify gaps in backup segmentation, vendor access controls, and communication protocols during system outages.

Scenario 2: Third-Party Data Breach via Cloud Provider

Threat Category: Cyber | Duration: 90 minutes | Difficulty: Medium

Participants: CISO, IT Director, Legal Counsel, Procurement/Vendor Manager, Privacy Officer, COO, Communications

Situation Brief

It is Wednesday at 14:00. Your IT security team receives a notification from your primary SaaS CRM provider that they have experienced a data breach affecting customer-facing databases.

The provider’s initial assessment states that an unauthorised party accessed their multi-tenant environment for approximately 11 days before detection. Your organisation stores customer contact details, transaction histories, and service records in this platform.

The provider cannot yet confirm which tenants’ data was accessed and estimates a detailed forensic report in 7-10 days. You have 340,000 customer records in the affected system.

Injects

  1. Inject 1 (T+15 min): The CRM provider’s status page goes public with the breach disclosure. Customers begin contacting your support team asking if their data is safe. Your support team has no approved talking points.
  2. Inject 2 (T+35 min): Your legal team confirms that under the provider contract, they are responsible for notification, but your organisation remains the data controller under state privacy laws and bears primary notification obligation to affected individuals.
  3. Inject 3 (T+55 min): A second SaaS vendor that integrates with the compromised CRM emails you stating they have proactively severed the API connection, breaking your automated order fulfilment workflow. Orders are backing up.

Discussion Questions

  • What does your third-party risk management programme require when a critical vendor has a breach?
  • Who owns the customer notification decision when the breach occurred at a vendor but you are the data controller?
  • How do you assess the impact without the vendor’s forensic report for 7-10 days?
  • What is the manual fallback for order fulfilment when the API integration is severed?
  • What contractual remedies and SLA credits can you pursue, and who initiates that process?

Expected Outcomes

Mature response: immediate activation of third-party incident protocol, designation of a single point of contact with the vendor, legal review of contractual breach notification provisions and data processing agreements, proactive customer communication with approved messaging, activation of manual order processing workflows, and documentation of financial impact for SLA claims.

Post-exercise findings should cover vendor concentration risk, API dependency mapping, and the adequacy of your third-party risk management framework.

Scenario 3: Business Email Compromise and Wire Fraud

Threat Category: Cyber | Duration: 90 minutes | Difficulty: Medium

Participants: CFO, Controller, IT Security, Legal Counsel, Internal Audit, COO

Situation Brief

It is Thursday at 11:30 AM. Your accounts payable team processed a wire transfer of USD 2.1 million yesterday afternoon to what they believed was a long-standing supplier’s updated bank account.

The payment was authorised by a senior VP following an email thread that appeared to originate from the supplier’s CFO requesting the account change. This morning, the real supplier calls asking about an overdue payment. Investigation reveals the email came from a look-alike domain that differs from the supplier’s real domain by a single character, not from the supplier’s mail system.

The funds were sent to an overseas account. Your bank confirms the wire was processed and funds have been moved.

Injects

  1. Inject 1 (T+15 min): Your bank’s fraud department states that a recall request has been submitted, but recovery prospects are less than 15 percent given the funds have already been transferred to a second intermediary account. FBI IC3 reporting is recommended.
  2. Inject 2 (T+35 min): Internal audit discovers two additional payment change requests from different suppliers in the past 30 days that match the same pattern. One has already been processed (USD 380,000); the other is pending approval.
  3. Inject 3 (T+55 min): Your cyber insurance policy has a social engineering fraud sublimit of USD 500,000, well below the total exposure. The board chair calls demanding an explanation and asks whether any executives approved payments outside established dual-control procedures.

Discussion Questions

  • What controls should have prevented this, and where did the dual-authorisation process break down?
  • What immediate actions can you take to freeze or recover the funds?
  • How do you assess whether additional payment changes are compromised?
  • What are the regulatory reporting obligations (FBI IC3 complaint, a FinCEN Suspicious Activity Report if you are a covered financial institution, state regulators)?
  • Who communicates the financial loss to the board, and what remediation plan accompanies that communication?

Expected Outcomes

Mature response: immediate wire recall initiation and FBI IC3 filing; freeze of all pending vendor payment changes pending out-of-band confirmation (a phone call to a contact and number already on file, never to a number or contact supplied in the request email); full audit of vendor payment changes over the past 90 days; review and strengthening of payment authorisation controls; staff awareness training on business email compromise red flags; and a board report with quantified loss, insurance coverage gap, and corrective actions. Note that SPF, DKIM and DMARC on your own domain do not stop a look-alike domain, which is a separately registered domain with its own valid mail authentication; detection depends on the callback control and on checking sender domains against the approved vendor list.
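The look-alike domain at the centre of this scenario is easy to check for mechanically. The Python below is an added example, not code from the article: it classifies the sender domain of each payment-change request against an approved vendor list, flagging domains within one edit of a vendor, homoglyph substitutions such as 1 for l, and vendor names embedded in an unrelated domain. The vendor list, the sample requests and the registrable-domain rule (last two labels, no Public Suffix List) are constructed assumptions.

```python
"""Look-alike sender-domain check for vendor bank-detail change requests.

Added example for this scenario, not code from the original article.
The trusted-vendor list, the sample requests and the homoglyph table are
constructed for illustration; the domain-extraction rule is simplified.
"""
import unicodedata

# Visual substitutions commonly used in look-alike registrations.
# Multi-character entries are applied before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

TRUSTED_VENDORS = ["acme-supplies.com", "globex-parts.com"]  # constructed

SAMPLE_REQUESTS = [  # constructed (sender, subject) pairs
    ("cfo@acme-supplies.com", "Remittance account update"),
    ("cfo@acme-supp1ies.com", "Updated bank details, process today"),
    ("ap@globex-parts.co", "New account for wire payments"),
    ("finance@acme-supplies.com.secure-portal-example.net", "Bank change"),
    ("someone@gmail.com", "Invoice attached"),
]


def decode_idna(host):
    """Decode punycode labels (xn--...) so Unicode confusables are visible."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def normalise(name):
    """Fold case, Unicode compatibility forms and ASCII homoglyphs."""
    s = unicodedata.normalize("NFKC", name).lower().rstrip(".")
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Edit distance: one insertion, deletion or substitution counts 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels. Simplification: no Public Suffix List, so
    two-level suffixes such as co.uk are not handled correctly."""
    return ".".join(host.split(".")[-2:])


def classify_sender(address, trusted):
    """Return (verdict, matched_trusted_domain).

    verdict: 'trusted'   - registrable domain is exactly a known vendor
             'lookalike' - within one edit, homoglyph-equal, or a vendor
                           name embedded in an unrelated domain
             'untrusted' - no relation to any known vendor
    """
    host = decode_idna(address.rsplit("@", 1)[-1].lower().rstrip("."))
    reg = registrable_domain(host)
    trusted = [t.lower() for t in trusted]
    if reg in trusted:
        return "trusted", reg
    for t in trusted:
        if normalise(reg) == normalise(t) or levenshtein(reg, t) <= 1 or t in host:
            return "lookalike", t
    return "untrusted", ""


def review_requests(requests, trusted):
    """Map each request to its handling: every bank-detail change gets a
    callback to a number already on file (never one from the email),
    look-alikes are held and escalated, unrelated senders are rejected."""
    actions = {
        "trusted": "callback to number on file, then dual approval",
        "lookalike": "HOLD: callback to number on file, escalate to security",
        "untrusted": "REJECT: sender unrelated to any approved vendor",
    }
    out = []
    for sender, subject in requests:
        verdict, match = classify_sender(sender, trusted)
        out.append((sender, verdict, match, actions[verdict]))
    return out


if __name__ == "__main__":
    for row in review_requests(SAMPLE_REQUESTS, TRUSTED_VENDORS):
        print(*row, sep=" | ")
```

Even a 'trusted' verdict only earns a callback to the number on file, because a genuine vendor mailbox can itself be compromised; the check is a triage aid for the accounts payable queue, not a replacement for the dual-control procedure.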

Category 2: Pandemic and Workforce Disruption Scenarios

COVID-19 exposed critical gaps in workforce continuity planning. But pandemic risk is only one slice of workforce disruption.

Organisations must also plan for regional health emergencies, mass absenteeism, critical skills concentration, and the cascading impact of workforce loss on operations. These three scenarios stress-test your people-related continuity plans.

Scenario 4: Novel Respiratory Pandemic with Staged Escalation

Threat Category: Pandemic | Duration: 120 minutes | Difficulty: High

Participants: CEO, COO, HR Director, Facilities, IT, Legal, Communications, Health & Safety Officer

Situation Brief

It is Monday morning. The CDC has issued a Health Alert Network advisory about a novel respiratory pathogen identified in Southeast Asia with confirmed cases now appearing in California and New York.

The pathogen has an estimated R0 of 3.2 and a case fatality rate of 1.8 percent, higher than COVID-19 but lower than SARS. No vaccine exists. Your organisation has 2,400 employees across five US locations, with 30 percent of your workforce in roles that cannot be performed remotely (manufacturing, warehousing, customer-facing service).

Injects

  1. Inject 1 (T+20 min): The WHO declares a Public Health Emergency of International Concern. Two employees at your Dallas facility report symptoms consistent with the pathogen and are sent for testing. Absenteeism at that location rises to 12 percent within 24 hours as employees self-isolate or stay home with sick family members.
  2. Inject 2 (T+45 min): The Governor of your primary operating state issues a recommendation (not yet a mandate) for non-essential businesses to implement remote work where possible. Your manufacturing operations require on-site presence. Absenteeism across all locations rises to 25 percent. A key supplier in Mexico notifies you that their government has imposed movement restrictions, disrupting component deliveries.
  3. Inject 3 (T+70 min): One confirmed case in your Dallas facility. Local health department requires contact tracing and recommends a 14-day facility closure for deep cleaning. Your Dallas operations represent 35 percent of total production capacity. Customer orders are at risk of missed delivery commitments totalling USD 8.4 million.
  4. Inject 4 (T+95 min): Multiple employees refuse to report to on-site roles citing safety concerns. Your union representative requests a meeting about hazard pay and enhanced protective measures. Simultaneously, your IT infrastructure begins to strain under the load of 70 percent of office staff working remotely simultaneously.

Discussion Questions

  • At what absenteeism threshold does each critical business function become non-viable, and do you know those thresholds from your BIA?
  • How do you shift production capacity to unaffected locations, and what is the lead time?
  • What is your legal obligation regarding employees who refuse to work due to safety concerns?
  • How do you handle the financial impact of missed customer commitments while managing employee safety?
  • What trigger points activate each stage of your pandemic response plan?

Expected Outcomes

Mature response: staged pandemic response plan activation with clear trigger criteria, MTPD-informed workforce minimum thresholds for each critical function, cross-training records showing backup capability for key roles, pre-negotiated agreements for temporary staffing, IT capacity plan for mass remote work, clear communication protocol to employees covering safety measures, HR policies, and operational changes, and supplier diversification assessment.

Scenario 5: Critical Skills Loss and Key Person Dependency

Threat Category: Workforce | Duration: 90 minutes | Difficulty: Medium

Participants: COO, HR Director, IT Director, Department Heads for affected functions, Legal Counsel

Situation Brief

It is Monday at 08:00 AM. You receive notification that your Chief Technology Officer and two senior engineers have resigned effective immediately to join a competitor. These three individuals are the only people with deep knowledge of your proprietary manufacturing control system, your custom ERP integrations, and your cybersecurity architecture.

They collectively hold administrative credentials for 14 critical systems. Additionally, your Head of Regulatory Compliance is on extended medical leave (expected 8 weeks), and the compliance function has no trained backup. Annual regulatory filing deadlines are in 45 days.

Injects

  1. Inject 1 (T+20 min): The departing CTO’s non-compete agreement is reviewed by legal and found to have an enforceability gap given recent state-law restrictions and federal activity on non-competes. Meanwhile, IT discovers that one departing engineer still has active VPN access and remote desktop sessions were logged over the weekend.
  2. Inject 2 (T+40 min): Your manufacturing control system generates an error that only the departing engineers know how to resolve. Production line 2 is down, costing approximately USD 45,000 per hour in lost output.
  3. Inject 3 (T+60 min): Your HR team reports that two additional engineers in the same department have received offers from the same competitor and are considering leaving. If they depart, your entire technical team for the manufacturing system would be gone.

Discussion Questions

  • Does your BIA identify key person dependencies, and do you have documented succession plans?
  • What immediate steps do you take to secure systems and revoke access for departing employees?
  • How do you retain remaining at-risk employees while maintaining fairness and budget discipline?
  • What is your plan for maintaining regulatory compliance when the function lead is unavailable?
  • How do you capture institutional knowledge before it walks out the door?

Expected Outcomes

Mature response: immediate access revocation for all departing personnel, including termination of existing VPN and remote desktop sessions, removal of their MFA registrations, and rotation of every shared credential, service account, API key or break-glass password they knew (resetting a leaver’s own password does not cover these); legal review of non-compete and IP assignment agreements; retention conversations with at-risk staff (including emergency retention bonuses if authorised); engagement of specialised contractors or consultants for manufacturing system support; documented system runbooks and a knowledge transfer programme; and an HR policy review on key person dependency identification and mitigation.
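Inject 1’s detail that one departing engineer still has active VPN access and logged remote desktop sessions over the weekend is exactly what offboarding should surface immediately. The Python below is an added example, not code from the article: it reads VPN and RDP gateway log lines, flags any event by a departed user after their termination time, and lists sessions that were opened and never closed. The log format, usernames, hosts, IP addresses and timestamps are constructed; adjust the regular expression to your own gateways’ export format before using it on real data.

```python
"""Flag post-termination access by departed staff in VPN and RDP gateway logs.

Added example for this scenario, not code from the original article.
The log format, the departed-user list, host names and timestamps are all
constructed; adjust LINE_RE to the export format of your own VPN and RDP
gateway before running it on real data.
"""
import re
from datetime import datetime, timezone


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# constructed: user -> time their access should have ended
DEPARTED = {"jdoe": utc(2025, 3, 7, 17, 0), "asmith": utc(2025, 3, 7, 17, 0)}

# constructed key=value lines in the style of a VPN concentrator and an RDP gateway
LOG_LINES = """\
2025-03-07T16:12:05Z vpn01 user=asmith action=connect src=203.0.113.8 session=a1
2025-03-07T16:40:11Z vpn01 user=asmith action=disconnect src=203.0.113.8 session=a1
2025-03-08T22:15:44Z vpn01 user=jdoe action=connect src=198.51.100.23 session=b7
2025-03-08T22:16:02Z rdpgw user=jdoe action=logon target=mes-ctrl-01 session=c3
2025-03-09T03:41:19Z rdpgw user=jdoe action=logoff target=mes-ctrl-01 session=c3
2025-03-10T07:55:00Z vpn01 user=jdoe action=connect src=198.51.100.23 session=b9
2025-03-10T08:01:12Z vpn01 user=mlee action=connect src=192.0.2.44 session=d2
2025-03-10T08:05:00Z vpn01 heartbeat ok
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: src=(?P<src>\S+))?(?: target=(?P<target>\S+))? session=(?P<session>\S+)$"
)
OPEN_ACTIONS = {"connect", "logon"}
CLOSE_ACTIONS = {"disconnect", "logoff"}


def parse_line(line):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def find_post_termination_access(lines, departed):
    """Return (findings, open_sessions).

    findings: events by a departed user after their termination time, in
              log order.
    open_sessions: (user, session) pairs of departed users that were opened
              and never closed in the log window, i.e. sessions to kill now.
    """
    findings, open_sessions = [], {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] not in departed:
            continue
        key = (ev["user"], ev["session"])
        if ev["action"] in OPEN_ACTIONS:
            open_sessions[key] = ev
        elif ev["action"] in CLOSE_ACTIONS:
            open_sessions.pop(key, None)
        if ev["ts"] > departed[ev["user"]]:
            findings.append(ev)
    return findings, sorted(open_sessions)


def summarise(findings):
    """Per-user event counts plus systems and source addresses touched."""
    summary = {}
    for ev in findings:
        entry = summary.setdefault(ev["user"], {"events": 0, "targets": set(), "sources": set()})
        entry["events"] += 1
        if ev["target"]:
            entry["targets"].add(ev["target"])
        if ev["src"]:
            entry["sources"].add(ev["src"])
    return summary


if __name__ == "__main__":
    found, still_open = find_post_termination_access(LOG_LINES, DEPARTED)
    for ev in found:
        print(ev["ts"].isoformat(), ev["host"], ev["user"], ev["action"], ev["target"] or ev["src"])
    print("open sessions to terminate:", still_open)
    print(summarise(found))
```

Run against the constructed lines it reports four post-termination events for jdoe, two VPN sessions still open, and the manufacturing control host that was reached over RDP, which is the list the incident record and the forensic preservation request should start from.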

Scenario 6: Workplace Violence and Facility Lockdown

Threat Category: Workforce | Duration: 90 minutes | Difficulty: High

Participants: CEO, HR Director, Facilities/Security Director, Legal Counsel, Communications, Employee Assistance Programme Coordinator

Situation Brief

It is Wednesday at 13:15. Security at your main campus (450 employees on site) reports that a recently terminated employee has entered the building through a side entrance and is behaving aggressively in the second-floor open office area. The individual is shouting at former colleagues and refusing to leave. Security has called 911.

The building is not yet in lockdown. Employees on the second floor are frightened; some are attempting to leave while others are hiding in conference rooms. Your reception area on the first floor has 15 visitors, including two clients in a meeting with your sales team.

Injects

  1. Inject 1 (T+15 min): Police arrive and establish a perimeter. They recommend a full building lockdown. The intruder is now barricaded in a conference room. Three employees report minor injuries from the initial incident. Your mass notification system is configured for email and SMS but has not been tested in three months.
  2. Inject 2 (T+35 min): Local media arrives with a news van. An employee livestreams the police response on social media, and the video is gaining traction. Parents of employees begin calling the main switchboard. The lockdown is disrupting operations at your adjacent data centre, which shares the campus but has a separate entrance.
  3. Inject 3 (T+55 min): The situation is resolved without further injury. Police clear the building after 90 minutes. However, multiple employees report they are too distressed to return to work. Two employees indicate they want to file workplace safety complaints with OSHA. Your client visitors are demanding to know what happened.

Discussion Questions

  • What are your immediate actions to protect life safety, and who has authority to order a lockdown?
  • How do you account for all employees, visitors, and contractors during a lockdown?
  • What is your communication plan for employees, families, media, and clients during and after the incident?
  • How do you support employee wellbeing in the aftermath, including trauma counselling and return-to-work support?
  • What security gaps allowed the terminated employee to access the building, and how are those closed immediately?

Expected Outcomes

Mature response: activation of workplace violence response protocol with clear chain of command, mass notification to all building occupants with shelter-in-place or evacuation instructions, law enforcement liaison designated, visitor accountability through sign-in records, immediate engagement of Employee Assistance Programme for trauma support, professional crisis communications (internal and external), post-incident security review including access badge deactivation procedures for terminated employees, and OSHA-compliant incident documentation.

Category 3: Supply Chain Disruption Scenarios

Supply chain resilience has become a board-level concern since the COVID-19 pandemic, the Suez Canal blockage, and the ongoing Red Sea shipping disruptions.

The World Economic Forum Global Risks Report 2025 ranks geoeconomic confrontation and supply chain breakdowns among the top risks for the next two years. These scenarios test your organisation’s ability to maintain critical operations when suppliers fail.

Scenario 7: Sole-Source Supplier Failure

Threat Category: Supply Chain | Duration: 90 minutes | Difficulty: Medium

Participants: COO, Procurement Director, Manufacturing/Operations Lead, Finance Director, Legal Counsel, Logistics Manager

Situation Brief

It is Monday at 09:00 AM. Your sole-source supplier of a critical component (a specialised semiconductor used in your main product line) notifies you that a fire at their manufacturing facility has destroyed their primary production line.

They estimate a minimum 16-week recovery timeline. You hold 3 weeks of safety stock. This component has no drop-in alternative; qualifying a new supplier historically takes 12-18 months due to testing and certification requirements. This supplier provides 100 percent of this component for your three largest product lines, which represent 62 percent of annual revenue.

Injects

  1. Inject 1 (T+20 min): Your largest customer (representing 18 percent of revenue) contacts you asking for confirmed delivery dates on their next three orders. They have a contractual right to source from alternative suppliers and charge you the price differential if you cannot meet committed delivery dates.
  2. Inject 2 (T+40 min): A potential alternative supplier in Taiwan can produce a compatible component but requires USD 2.4 million in non-refundable tooling investment and estimates 10-week lead time for first articles. Qualification testing would take an additional 4 weeks.
  3. Inject 3 (T+60 min): Your CFO reports that a 16-week revenue disruption on the affected product lines equates to approximately USD 28 million in lost revenue and USD 6.5 million in fixed costs that cannot be reduced. The board requests a financial impact briefing by end of week.

Discussion Questions

  • Does your BIA identify sole-source supplier dependencies, and are they mapped to revenue impact?
  • What is your decision framework for the USD 2.4 million alternative supplier investment?
  • How do you allocate remaining safety stock across customers to minimise contractual exposure?
  • What financial mitigation options exist (business interruption insurance, force majeure provisions, customer renegotiation)?
  • What structural changes do you recommend to prevent recurrence (dual-sourcing, increased safety stock, supplier auditing)?

Expected Outcomes

Mature response: immediate supplier war room with procurement, operations, finance, and legal, allocation strategy for remaining safety stock prioritised by contractual obligation and revenue, parallel-path decision on alternative supplier qualification with board-approved investment, force majeure review and customer communication plan, business interruption insurance claim initiation, and a strategic recommendation to the board on dual-sourcing policy for all critical components. This scenario directly tests your supply chain risk management maturity.

Scenario 8: Geopolitical Trade Disruption

Threat Category: Supply Chain | Duration: 90 minutes | Difficulty: Medium-High

Participants: CEO, COO, CFO, General Counsel, Head of Supply Chain, Government Affairs/Regulatory

Situation Brief

It is Tuesday morning. The US government announces new export control restrictions effective in 30 days that will restrict the export of certain technology components to specific countries where two of your key manufacturing partners are located.

Separately, retaliatory tariffs of 35 percent are announced on a category of imported goods that includes a major raw material you source from that region.

Your current supply agreements are based on pre-tariff pricing. You operate a just-in-time inventory model with 10 days of raw material stock. Approximately 40 percent of your finished goods are assembled at the affected overseas facilities.

Injects

  1. Inject 1 (T+20 min): Your overseas manufacturing partner’s legal team notifies you that they may be unable to continue production under the new export controls without a specific licence, which historically takes 90-180 days to obtain with no guarantee of approval.
  2. Inject 2 (T+40 min): Your CFO models the tariff impact: the 35 percent tariff on raw materials will reduce gross margins on affected products from 38 percent to 19 percent at current pricing. Passing the full cost to customers risks losing market share to domestic competitors not affected by the tariff.
  3. Inject 3 (T+60 min): A competitor publicly announces they have secured domestic manufacturing capacity and are targeting your customers with aggressive pricing. Your sales team reports three major accounts requesting meetings to discuss pricing and supply continuity.

Discussion Questions

  • Does your geopolitical risk assessment cover trade policy scenarios, and were these risks on your risk register?
  • What is your 30/60/90-day action plan for shifting manufacturing or sourcing?
  • How do you make the pricing decision: absorb margin erosion, pass to customers, or find alternative sourcing?
  • What government affairs or trade compliance expertise do you need, and do you have it in-house?
  • What is the board communication and decision ask for this scenario?

Expected Outcomes

Mature response: immediate cross-functional task force, 30/60/90-day scenario modelling for revenue and margin impact, parallel evaluation of domestic or allied-country manufacturing alternatives, trade compliance legal review of export licence requirements, customer communication strategy balancing transparency with competitive positioning, and board briefing with decision framework for pricing and capital allocation to supply chain restructuring.

Scenario 9: Logistics Network Collapse

Threat Category: Supply Chain | Duration: 90 minutes | Difficulty: Medium

Participants: COO, Logistics/Distribution Director, Customer Service Lead, IT Director, Finance, Legal

Situation Brief

It is Friday at 16:00. Your primary third-party logistics provider (3PL), which handles 75 percent of your warehousing and distribution, notifies you that a cyberattack has shut down their warehouse management system across all facilities. They are unable to receive, process, or ship any orders.

Your secondary 3PL handles only regional distribution for 15 percent of volume and has no spare capacity. You have USD 12 million in customer orders scheduled for shipment in the next 5 business days, including USD 3.8 million to a major retailer with contractual penalties for late delivery. Your own company does not operate any warehousing facilities.

Injects

  1. Inject 1 (T+15 min): Your 3PL’s CEO issues a public statement estimating 10-14 days to restore systems. They offer to process orders manually at 20 percent of normal capacity. Your e-commerce platform continues to accept orders, and the backlog is growing.
  2. Inject 2 (T+35 min): The major retailer contacts you citing their vendor compliance programme and states they will begin charging USD 25,000 per day in late delivery penalties starting Monday, plus a potential delisting review if deliveries are not resumed within 10 days.
  3. Inject 3 (T+55 min): An alternative 3PL can take on emergency overflow but requires a minimum 6-month contract commitment and a setup fee of USD 180,000. Their nearest facility is 340 miles from your primary distribution zone, adding 2 days to delivery times.

Discussion Questions

  • What is your contractual recourse with the 3PL, and does their cyber event constitute a force majeure?
  • How do you prioritise which customer orders ship first during constrained capacity?
  • Should you pause e-commerce order acceptance, and what is the revenue and reputation impact?
  • What is the decision framework for the emergency 3PL contract (6-month commitment vs short-term need)?
  • How does this event change your long-term logistics strategy regarding provider concentration?

Expected Outcomes

Mature response: immediate customer triage based on contractual penalties and strategic importance, negotiation with secondary and emergency 3PL providers, temporary pause or messaging on e-commerce platform setting customer expectations, legal review of 3PL contract including indemnification and liability provisions, and a post-incident strategic review of logistics provider diversification.

The exercise should reveal whether your BCP addresses third-party operational dependencies beyond IT.

Category 4: Cloud and Technology Outage Scenarios

Cloud concentration risk has become one of the most underappreciated threats to business continuity. When a major cloud provider goes down, hundreds of organisations lose access to critical systems simultaneously, and recovery timelines are entirely outside your control. These scenarios test your resilience when technology fails.

Scenario 10: Major Cloud Provider Regional Outage

Threat Category: Cloud/Tech | Duration: 90 minutes | Difficulty: High

Participants: CTO/CIO, IT Director, Cloud Architecture Lead, COO, Customer Service Lead, CFO

Situation Brief

It is Tuesday at 10:15 AM. Your primary cloud provider’s main region (in this scenario, AWS us-east-1) experiences a regional outage affecting compute, storage, and database services. Your entire production application stack, customer-facing website, internal collaboration tools, and data analytics platform are hosted in this region. Your cloud architecture does not include multi-region failover for cost reasons. The provider’s status page reports that it is investigating increased error rates, with no estimated time to resolution. Historically, major regional outages at this provider have lasted between 4 and 18 hours.

Injects

  1. Inject 1 (T+15 min): Two hours into the outage, the provider updates their status page to severe degradation with no ETA. Your customer support queue has 400 unresolved tickets. Your SaaS product SLA guarantees 99.95 percent uptime (roughly 22 minutes of permitted downtime in a 30-day month), and you are now well past that threshold. Three enterprise clients invoke their SLA credit provisions.
  2. Inject 2 (T+40 min): Your engineering team proposes spinning up a disaster recovery environment in US-West-2 using stored infrastructure-as-code templates. Estimated time: 6-8 hours for core services, with potential data loss for transactions in the last 4 hours (RPO gap). Cost: approximately USD 85,000 per day for the DR environment.
  3. Inject 3 (T+60 min): The cloud provider restores partial service at hour 5, but database consistency checks are required before your application can safely reconnect. Your engineering team estimates an additional 3-4 hours to validate data integrity. Meanwhile, a competitor’s sales team is actively contacting your customers offering free migration.

Discussion Questions

  • What is the decision framework for activating the DR environment vs waiting for provider recovery?
  • How do you communicate with customers during an outage where you have no control over the timeline?
  • What is the financial impact of SLA credits, lost transactions, and customer churn?
  • Does your current cloud architecture align with your BIA-defined RTO and RPO for critical applications?
  • What architectural changes should you prioritise after this event?

Expected Outcomes

Mature response: pre-defined RTO-based decision tree for DR activation vs provider wait, customer status page and proactive communication cadence, financial impact tracking from hour one, pre-tested DR runbooks with documented RPO capabilities, and post-incident architectural review prioritising multi-region deployment for critical services. The exercise should expose the gap between theoretical cloud resilience and actual tested capability.
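The decision tree the mature response calls for is easy to state in a runbook but rarely written down precisely. The helper below, added here as an example and not code from the original article, encodes one reasonable version of it using the scenario's own figures (2 hours elapsed, a 4-18 hour historical provider recovery band, 6-8 hours to build the DR region, 4 hours of transactions at risk). The 8 hour RTO and 1 hour RPO in the usage call are assumptions, since the article does not state them, and the rule itself is an encoding choice, not a standard. It also computes the downtime a monthly availability SLA tolerates, which is the arithmetic behind Inject 1.

```python
"""Decision helper for 'activate DR vs wait for the provider' (Scenario 10).

Added example, not code from the original article. Outage figures are the
scenario's; the RTO/RPO values in the usage call are assumptions.
"""


def monthly_downtime_allowance_min(sla_pct, days_in_month=30):
    """Minutes of downtime a monthly availability SLA tolerates (99.95% -> 21.6)."""
    return days_in_month * 24 * 60 * (1 - sla_pct / 100)


def dr_decision(rto_h, rpo_h, elapsed_h, dr_build_h, dr_rpo_gap_h, provider_eta_h=None):
    """Recommend 'wait' or 'activate_dr' and explain why.

    dr_build_h:     (low, high) hours to stand up core services in the DR region
    dr_rpo_gap_h:   hours of transactions lost if DR is activated now
    provider_eta_h: (low, high) expected provider recovery band, or None when the
                    status page gives no ETA (treated as unbounded)
    """
    dr_worst = elapsed_h + dr_build_h[1]
    wait_worst = float("inf") if provider_eta_h is None else elapsed_h + provider_eta_h[1]
    # Latest point in the outage at which starting DR still lands inside RTO.
    activation_deadline_h = max(rto_h - dr_build_h[1], 0)
    reasons = []

    if wait_worst <= rto_h:
        decision = "wait"
        reasons.append(f"provider worst case {wait_worst:.0f}h is inside RTO {rto_h}h with no data loss")
    elif dr_worst <= rto_h:
        decision = "activate_dr"
        reasons.append(f"provider may exceed RTO ({wait_worst:.0f}h); DR completes by {dr_worst:.0f}h")
    elif dr_worst <= wait_worst:
        decision = "activate_dr"
        reasons.append(f"neither option meets RTO {rto_h}h; DR bounds recovery at {dr_worst:.0f}h, the provider does not")
    else:
        decision = "wait"
        reasons.append(f"DR ({dr_worst:.0f}h) cannot beat the provider worst case ({wait_worst:.0f}h)")

    rpo_met = decision == "wait" or dr_rpo_gap_h <= rpo_h
    if not rpo_met:
        reasons.append(f"DR loses up to {dr_rpo_gap_h}h of transactions, above RPO {rpo_h}h: plan reconciliation")
    rto_met = (wait_worst if decision == "wait" else dr_worst) <= rto_h
    return {"decision": decision, "rto_met": rto_met, "rpo_met": rpo_met,
            "activation_deadline_h": activation_deadline_h, "reasons": reasons}


if __name__ == "__main__":
    print(f"99.95% monthly SLA allows {monthly_downtime_allowance_min(99.95):.1f} min/month")
    # Assumed RTO 8h and RPO 1h; scenario figures for everything else.
    print(dr_decision(rto_h=8, rpo_h=1, elapsed_h=2, dr_build_h=(6, 8),
                      dr_rpo_gap_h=4, provider_eta_h=(4, 18)))
```

With an 8 hour RTO the scenario is already past the activation deadline at hour 2 (8 hours minus an 8 hour DR build), so the rule recommends DR because it bounds recovery at hour 10 while the provider's band runs to hour 20; it also flags that the 4 hour RPO gap exceeds the assumed 1 hour RPO. The value of pre-computing the deadline is that the decision is made before the outage starts, not argued about during it.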

Scenario 11: SaaS Platform Cascading Failure

Threat Category: Cloud/Tech | Duration: 90 minutes | Difficulty: Medium

Participants: CIO/IT Director, Department Heads (Finance, HR, Sales, Operations), Procurement, Legal

Situation Brief

It is Monday at 08:30 AM, the start of a busy week. Your identity provider (the SSO platform) suffers a critical authentication failure. Because it fronts single sign-on for 28 SaaS applications, employees cannot log into email, CRM, HR systems, project management tools, finance/accounting platforms, or document management.

The identity provider reports a failed database migration as the root cause and estimates 12-24 hours to full restoration. Your IT team confirms that no local or break-glass credentials exist for any of these systems because SSO was implemented as the sole authentication method.

Injects

  1. Inject 1 (T+15 min): Payroll processing is due today. The HR system is inaccessible. Your payroll provider requires submission by 14:00 to meet the Friday pay date. HR has last month’s payroll data in a downloaded spreadsheet but this month’s changes (new hires, terminations, overtime) are locked in the HR system.
  2. Inject 2 (T+35 min): The sales team has three critical contract signings scheduled today with a combined value of USD 4.2 million. The contracts are in your document management system (inaccessible), and the CRM (also inaccessible) contains the negotiated terms. Sales leadership asks if they can recreate the contracts from email history on personal phones.
  3. Inject 3 (T+55 min): The identity provider issues a correction: the restoration timeline is now 36-48 hours. Your IT team discovers they can create emergency local accounts for 3-4 critical systems, but it will take 2 hours per system and requires vendor cooperation for each one.

Discussion Questions

  • Does your SaaS dependency map identify authentication as a single point of failure?
  • What manual workarounds exist for time-critical business processes (payroll, contract execution)?
  • Which 3-4 systems should IT prioritise for emergency local account creation?
  • What is the risk of employees using personal devices and shadow IT to maintain operations?
  • How does this event change your identity architecture and vendor concentration strategy?

Expected Outcomes

Mature response: pre-identified critical system priority list for emergency access restoration, manual workaround procedures documented for time-sensitive processes, break-glass local accounts for the top-5 critical applications (excluded from SSO enforcement, protected by MFA that does not depend on the identity provider, held in sealed or vaulted form, and alerted on every use), proactive employee communication setting expectations and prohibiting shadow IT workarounds, and post-incident review of identity provider concentration risk.

Scenario 12: Data Centre Environmental Failure

Threat Category: Cloud/Tech | Duration: 90 minutes | Difficulty: Medium

Participants: CTO/IT Director, Facilities Manager, Data Centre Operations, COO, Finance, Vendor Management

Situation Brief

It is Thursday at 02:00 AM. Your on-call IT engineer receives alerts that temperatures in your primary colocation data centre are rising rapidly. The cooling system has failed. The data centre operator initiates an emergency shutdown of two of its four server pods to prevent hardware damage.

Your pod is one of the two affected. Your servers begin automated thermal shutdown procedures. You lose access to your on-premises ERP system, legacy applications, and the primary database server that replicates to your cloud environment. The colocation provider estimates cooling repairs will take 18-24 hours, and servers will need 4-6 hours of controlled power-on procedures after cooling is restored.

Injects

  1. Inject 1 (T+15 min): Your cloud-based applications remain functional but are showing errors because they depend on database replication from the on-premises primary. Your e-commerce site is displaying stale inventory data from 6 hours ago. Orders placed now may be for items no longer in stock.
  2. Inject 2 (T+35 min): The colocation provider calls back: the cooling failure caused a power surge that damaged two of your four storage arrays. They believe data is recoverable but recommend engaging a data recovery specialist. Your last verified off-site backup is 22 hours old due to a backup job failure that was flagged but not resolved.
  3. Inject 3 (T+55 min): Your insurance adjuster asks whether you have documentation of your equipment inventory, maintenance records, and evidence that the colocation provider’s SLA for environmental controls was met. Your facilities manager is on vacation and the documentation is not centralised.

Discussion Questions

  • What is your decision process when cloud and on-premises systems have data consistency gaps?
  • How do you handle customer orders placed against stale inventory data?
  • What is your backup monitoring and escalation process, and why was the failed backup not resolved?
  • What documentation do you need for insurance claims, and where is it maintained?
  • What architectural decisions would reduce dependency on the on-premises data centre?

Expected Outcomes

Mature response: pre-defined failover procedures for hybrid cloud/on-premises architecture, automated monitoring with escalation for backup failures, e-commerce circuit breaker to prevent orders against stale data, centralised documentation of colocation SLAs, equipment inventories, and insurance requirements, and post-incident evaluation of migration path for remaining on-premises workloads.
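Two of the controls in that list are small enough to show concretely: the e-commerce circuit breaker and the backup-age monitoring that should have escalated the failed job. The block below is an added example, not code from the original article. Its thresholds, backup log format and log lines are constructed assumptions; in practice the first function is fed by your replication lag metric and the second by your backup scheduler's output.

```python
"""Freshness gates for a hybrid cloud/on-premises estate (Scenario 12).

Added example, not code from the original article. Thresholds, the backup
log format and the sample lines are constructed assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


NOW = parse_ts("2024-05-02T02:00:00Z")  # Thursday 02:00, the scenario's start


def order_gate(inventory_as_of, now=NOW, fresh=timedelta(minutes=15), stale=timedelta(hours=2)):
    """Checkout circuit breaker keyed on the age of the inventory replica.

    accept           replica within `fresh`: normal checkout
    backorder_only   older than `fresh`: take orders, but label them
                     'availability to be confirmed' and promise no stock
    checkout_closed  older than `stale`: stop taking orders
    """
    lag = now - parse_ts(inventory_as_of)
    if lag <= fresh:
        return "accept"
    if lag <= stale:
        return "backorder_only"
    return "checkout_closed"


BACKUP_RE = re.compile(r"^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>\w+)(?: verified=(?P<verified>\w+))?")

# Constructed scheduler output, oldest first. Only a SUCCESS with verified=true
# counts as a restore point; an unverified success is treated like a failure.
SAMPLE_BACKUP_LOG = [
    '2024-04-30T16:00:07Z job=erp-incremental status=SUCCESS verified=true',
    '2024-05-01T04:00:00Z job=erp-incremental status=SUCCESS verified=true',
    '2024-05-01T16:00:05Z job=erp-incremental status=FAILED error="target unreachable"',
    '2024-05-01T23:30:00Z job=file-share-full status=SUCCESS verified=false',
]


def backup_health(log_lines, job, now=NOW, rpo=timedelta(hours=8)):
    """Age of the last verified restore point for `job`, with an escalation level.

    ok      age within RPO
    ticket  age past RPO: open a ticket, fix before the next run
    page    age past 2x RPO, or no verified restore point at all: page on-call
    """
    last_good, failures_since_good = None, 0
    for line in log_lines:
        m = BACKUP_RE.match(line)
        if not m or m["job"] != job:
            continue
        if m["status"] == "SUCCESS" and m["verified"] == "true":
            last_good, failures_since_good = parse_ts(m["ts"]), 0
        else:
            failures_since_good += 1
    age = None if last_good is None else now - last_good
    if age is None or age > 2 * rpo:
        level = "page"
    elif age > rpo:
        level = "ticket"
    else:
        level = "ok"
    return {"job": job,
            "age_hours": None if age is None else age.total_seconds() / 3600,
            "failures_since_good": failures_since_good,
            "level": level}


if __name__ == "__main__":
    print(order_gate("2024-05-01T20:00:00Z"))          # six-hour-old inventory, as in Inject 1
    print(backup_health(SAMPLE_BACKUP_LOG, "erp-incremental"))
    print(backup_health(SAMPLE_BACKUP_LOG, "file-share-full"))
```

Against the scenario's six-hour-old inventory the gate closes checkout rather than accepting orders it cannot fulfil, and the 22 hour old verified backup comes out as a page rather than a flag in a queue, which is the difference between Inject 2 being a surprise and being a known condition. Counting only verified successes as restore points is deliberate: a backup that was never test-restored is not yet an RPO you can claim.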

Category 5: Insider Threat Scenarios

Insider threats are uniquely damaging because the threat actor already has authorised access, institutional knowledge, and trusted relationships.

The Ponemon Institute’s 2023 Cost of Insider Risks report puts the average annual cost of insider incidents at USD 16.2 million per organisation, with a mean time to containment of 86 days. These scenarios test your ability to detect, contain, and recover from threats originating inside your organisation.

Scenario 13: Malicious Data Exfiltration by Departing Employee

Threat Category: Insider Threat | Duration: 90 minutes | Difficulty: Medium

Participants: CISO, HR Director, Legal Counsel, IT Security, Internal Audit, Department Manager of affected area

Situation Brief

It is Wednesday at 16:00. Your Data Loss Prevention (DLP) system flags an alert: a senior product manager who submitted their resignation last week (effective in 10 days) has downloaded 4,800 files from your product development SharePoint site over the past 48 hours.

The files include product roadmaps, pricing models, competitive analysis documents, and customer lists. The employee has also forwarded 23 emails containing confidential attachments to a personal Gmail account. The employee’s LinkedIn profile was updated yesterday showing their new role at your primary competitor, starting next month.

Injects

  1. Inject 1 (T+15 min): HR confirms the employee’s separation agreement does not include a non-compete clause (the original offer letter had one, but it was removed during negotiation). However, the employee did sign a confidentiality and IP assignment agreement covering trade secrets and proprietary information.
  2. Inject 2 (T+35 min): IT security discovers the employee also accessed the corporate GitHub repository and cloned three proprietary code repositories two days ago. Additionally, USB device logs show a personal external drive was connected to their workstation on Monday.
  3. Inject 3 (T+55 min): The employee’s manager reports that two team members have mentioned the departing employee was openly critical of the company and encouraged others to consider moving to the competitor. One team member may have shared additional files at the departing employee’s request.

Discussion Questions

  • What immediate technical containment actions do you take (access revocation, device seizure, forensic preservation)?
  • What are your legal options for protecting trade secrets (cease and desist, TRO, Defend Trade Secrets Act)?
  • How do you investigate potential collusion by other employees without creating a hostile work environment?
  • What DLP controls should have detected this earlier, and what was the detection gap?
  • How do you handle the employee’s remaining notice period (garden leave, immediate termination, restricted access)?

Expected Outcomes

Mature response: immediate access restriction to sensitive systems (not full revocation, which may tip off the employee before forensic preservation is complete), legal preservation hold on all employee devices and accounts, forensic imaging of corporate devices and email, legal letter to the employee and their new employer regarding trade secret obligations, review of DLP alert thresholds and response procedures, and policy review on offboarding controls including mandatory garden leave for employees joining competitors.
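The detection-gap question above is the one worth answering with code: an alert that fires only after 4,800 files is a fixed-count rule, and the fix is to compare volume against the user's own baseline and lower the bar once HR has a resignation on file. The block below is an added example, not code from the original article or from any DLP product. It runs over constructed SharePoint-style audit lines; the line format, user names, baselines, corporate domain and HR notice date are all assumptions.

```python
"""Detection logic for bulk downloads by a departing employee (Scenario 13).

Added example, not code from the original article. Event format, names,
baselines and the HR watchlist are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"
EVENT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+)(?P<rest>.*)$")
CORPORATE_DOMAINS = {"example.com"}                        # assumption
HR_NOTICE = {"j.doe": "2024-05-25"}                        # assumption: user -> last working day
BASELINE_DOWNLOADS_PER_DAY = {"j.doe": 12, "a.lee": 40}    # assumption: 30-day averages


def parse_ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


NOW = parse_ts("2024-05-15T16:00:00Z")  # Wednesday 16:00, the scenario's alert time


def synth(user, op, n, start, step, extra=""):
    """Constructed audit lines: n events for `user` from `start`, `step` apart."""
    t0 = parse_ts(start)
    return [f"{(t0 + i * step).strftime(FMT)} user={user} op={op}{extra}" for i in range(n)]


SAMPLE_EVENTS = (
    synth("j.doe", "FileDownloaded", 300, "2024-05-13T17:00:00Z", timedelta(minutes=9), " site=ProductDev")
    + synth("j.doe", "Send", 3, "2024-05-14T21:00:00Z", timedelta(minutes=7), " recipient_domain=gmail.com")
    + synth("a.lee", "FileDownloaded", 60, "2024-05-14T08:00:00Z", timedelta(minutes=30), " site=ProductDev")
    + synth("j.doe", "FileDownloaded", 40, "2024-05-01T09:00:00Z", timedelta(minutes=30), " site=ProductDev")  # outside window
)


def window_stats(lines, now=NOW, window=timedelta(hours=48)):
    """Per-user download and external-forward counts inside the trailing window."""
    stats = defaultdict(lambda: {"downloads": 0, "external_forwards": 0})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if not (now - window <= ts <= now):
            continue
        s = stats[m["user"]]
        if m["op"] == "FileDownloaded":
            s["downloads"] += 1
        elif m["op"] == "Send":
            dom = re.search(r"recipient_domain=(\S+)", m["rest"])
            if dom and dom.group(1) not in CORPORATE_DOMAINS:
                s["external_forwards"] += 1
    return stats


def score(user, s, baseline=BASELINE_DOWNLOADS_PER_DAY, hr_notice=HR_NOTICE, window_hours=48):
    """Severity for one user from baseline ratio, external forwards and the HR watchlist."""
    expected = baseline.get(user, 20) * window_hours / 24    # unknown users: assume 20/day
    ratio = s["downloads"] / expected
    threshold = 2 if user in hr_notice else 5                 # lower bar for departing staff
    points, reasons = 0, []
    if ratio >= threshold:
        points += 2
        reasons.append(f"{s['downloads']} downloads vs ~{expected:.0f} expected ({ratio:.1f}x)")
    if s["external_forwards"]:
        points += 1
        reasons.append(f"{s['external_forwards']} mails forwarded to non-corporate domains")
    if user in hr_notice:
        points += 2
        reasons.append(f"resignation on file, last day {hr_notice[user]}")
    severity = ["none", "low", "medium", "high", "critical", "critical"][points]
    return {"user": user, "severity": severity, "reasons": reasons}


if __name__ == "__main__":
    stats = window_stats(SAMPLE_EVENTS)
    for user in sorted(stats):
        print(score(user, stats[user]))
```

The colleague downloading 60 files in the same window scores nothing because that is below their own baseline, while the departing product manager scores critical on day one of the spike. The HR feed is the piece most DLP deployments lack: without it the rule has to wait for an absolute count, which is exactly how 48 hours and 4,800 files go by.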

Scenario 14: Privileged Access Abuse by IT Administrator

Threat Category: Insider Threat | Duration: 90 minutes | Difficulty: High

Participants: CISO, CTO/IT Director, HR Director, Legal Counsel, Internal Audit, Compliance Officer

Situation Brief

It is Friday at 11:00 AM. An internal audit of privileged access management discovers that a senior database administrator has been accessing customer financial records outside the scope of their role for the past four months.

The DBA has accessed 12,400 customer records containing Social Security numbers, bank account details, and credit scores.

The access was technically authorised (the DBA has legitimate production database credentials) but violated the principle of least privilege and your data access policy. The DBA has no business justification for viewing this data. No evidence of external exfiltration has been found yet, but the investigation is preliminary.

Injects

  1. Inject 1 (T+15 min): Forensic analysis of the DBA’s workstation reveals a personal cloud storage application (Dropbox Personal) installed and running. Synchronisation logs show data uploads, but the content of uploads is encrypted and cannot be determined without the DBA’s cooperation or a legal order.
  2. Inject 2 (T+35 min): The DBA is confronted and claims they were accessing the data to build a report for management and forgot to mention it. HR notes the DBA has had two recent performance warnings and was passed over for promotion. The DBA becomes defensive and requests a union representative.
  3. Inject 3 (T+55 min): Legal advises that if customer SSNs and financial data have been exfiltrated, this triggers breach notification laws in every state (all 50 states now have them), plus potential Gramm-Leach-Bliley Act implications if you are a financial institution. The estimated cost of breach notification and credit monitoring for 12,400 customers is USD 2.8 million.

Discussion Questions

  • How do you balance the investigation (preserving evidence) with immediate risk mitigation (revoking access)?
  • What privileged access controls should have prevented or detected this sooner?
  • At what point do you involve law enforcement, and what are the considerations?
  • How do you determine whether breach notification is required when exfiltration is unconfirmed?
  • What changes to your identity and access management programme does this incident demand?

Expected Outcomes

Mature response: coordinated HR, legal, and IT security response preserving forensic integrity, immediate restriction of the DBA’s access while maintaining the appearance of normal operations during investigation, engagement of external forensics to determine whether data left the organisation, legal assessment of notification obligations with a bias toward proactive notification, review of privileged access management controls (PAM tool implementation, access reviews, segregation of duties, database activity monitoring), and policy strengthening around personal cloud applications on corporate devices.
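The database activity monitoring in that list is also what answers two of the discussion questions: which accesses were outside the DBA's role, and how many distinct records they touched, which bounds the population the notification decision has to consider. The review below is an added example, not code from the original article or from any PAM or DAM product. The audit line format, the role policy and every log line are constructed assumptions; real tools emit their own formats, but the logic is the same.

```python
"""Least-privilege review of database audit logs (Scenario 14).

Added example, not code from the original article. Line format, role policy
and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) db=(?P<db>\S+) "
    r"object=(?P<obj>\S+) stmt=(?P<stmt>\w+) ids=(?P<lo>\d+)-(?P<hi>\d+) ticket=(?P<ticket>\S+)$"
)

# Assumed policy: a DBA role may touch maintenance objects; sensitive customer
# tables are in scope only for the billing service account, or for a DBA with
# a change ticket recorded on the access.
POLICY = {
    "dba": {"allowed": {"schema_migrations", "pg_stat_activity"}},
    "service": {"allowed": {"customer_financials"}},
    "analyst": {"allowed": {"customer_financials_masked"}},
}
SENSITIVE = {"customer_financials"}

# Constructed audit lines: four months of a DBA's reads plus two legitimate users.
SAMPLE_AUDIT = [
    "2024-01-16T22:41:03Z user=dba_rsmith role=dba db=customer_core object=customer_financials stmt=SELECT ids=1001-1250 ticket=-",
    "2024-02-02T23:05:40Z user=dba_rsmith role=dba db=customer_core object=customer_financials stmt=SELECT ids=1200-1400 ticket=-",
    "2024-03-09T09:15:12Z user=dba_rsmith role=dba db=customer_core object=schema_migrations stmt=SELECT ids=1-40 ticket=CHG-3310",
    "2024-03-22T01:12:55Z user=dba_rsmith role=dba db=customer_core object=customer_financials stmt=SELECT ids=5000-5300 ticket=CHG-3405",
    "2024-04-11T14:05:11Z user=app_billing role=service db=customer_core object=customer_financials stmt=SELECT ids=7777-7777 ticket=-",
    "2024-04-12T10:00:00Z user=analyst_kq role=analyst db=customer_core object=customer_financials_masked stmt=SELECT ids=1-9000 ticket=-",
]


def is_off_hours(ts):
    """Assumption: 20:00-06:00 UTC is outside the DBA team's working window."""
    return ts.hour >= 20 or ts.hour < 6


def classify(rec, policy=POLICY, sensitive=SENSITIVE):
    allowed = policy.get(rec["role"], {}).get("allowed", set())
    if rec["obj"] in allowed:
        return "in_scope"
    if rec["obj"] in sensitive and rec["ticket"] != "-":
        return "ticketed_exception"   # allowed, but listed for the access review
    return "out_of_scope"


def review_access(lines, policy=POLICY, sensitive=SENSITIVE):
    """Per-user counts of in/out-of-scope reads, off-hours flags and distinct
    sensitive record ids touched by out-of-scope reads (an upper bound for
    notification scoping; it says nothing about whether data left the network)."""
    report = defaultdict(lambda: {"in_scope": 0, "ticketed_exceptions": 0, "out_of_scope": 0,
                                  "off_hours_flagged": 0, "exposed_ids": set()})
    key = {"in_scope": "in_scope", "ticketed_exception": "ticketed_exceptions", "out_of_scope": "out_of_scope"}
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue   # a real pipeline should count and surface unparseable lines
        rec = m.groupdict()
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        verdict = classify(rec, policy, sensitive)
        r = report[rec["user"]]
        r[key[verdict]] += 1
        if verdict != "in_scope" and is_off_hours(ts):
            r["off_hours_flagged"] += 1
        if verdict == "out_of_scope" and rec["obj"] in sensitive:
            r["exposed_ids"].update(range(int(rec["lo"]), int(rec["hi"]) + 1))
    out = {}
    for user, r in report.items():
        ids = r.pop("exposed_ids")
        r["distinct_records_exposed"] = len(ids)
        out[user] = r
    return out


if __name__ == "__main__":
    for user, r in review_access(SAMPLE_AUDIT).items():
        print(user, r)
```

On the constructed log the DBA shows two out-of-scope reads of the financial table, one ticketed exception, three flagged accesses outside working hours, and 400 distinct records exposed rather than the 450 rows a naive sum of the two reads would give; overlapping id ranges are the usual reason a first scoping estimate is too high. The ticketed access is kept visible on purpose: a change ticket makes a read reviewable, not automatically legitimate, and the access review should still check the ticket's scope.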

Scenario 15: Social Engineering and Physical Security Breach

Threat Category: Insider Threat | Duration: 90 minutes | Difficulty: Medium

Participants: CISO, Physical Security Director, HR Director, IT Director, Legal Counsel, Facilities Manager

Situation Brief

It is Tuesday at 14:00. A security guard reports that an individual wearing a contractor’s uniform and carrying legitimate-looking credentials (badge, company polo shirt) has been observed in your server room and executive floor over the past two days. The individual was initially admitted by an employee who held the door open (tailgating).

Upon investigation, the contractor company confirms they have no one assigned to your building this week. Security camera review shows the individual photographing documents on executive desks, connecting a device to a network port in the server room, and accessing an unlocked workstation in the finance department.

Injects

  1. Inject 1 (T+15 min): IT security discovers a rogue device (small network tap) connected to the server room network switch. It has been active for approximately 36 hours and has been capturing network traffic including internal communications, authentication credentials, and database queries.
  2. Inject 2 (T+35 min): The finance department workstation that was accessed contained an open session to the banking portal. Transaction logs show two wire transfer initiations totalling USD 890,000 made during the time the individual was in the building. One transfer has already been processed; the second is pending.
  3. Inject 3 (T+55 min): Law enforcement arrives and advises that the methods used match a known social engineering group that has targeted three other companies in your region over the past six months. They request preservation of all video footage, access logs, and network data. The media has picked up the story from a police scanner.

Discussion Questions

  • What physical security controls failed, and what is the immediate remediation plan?
  • How do you assess the full scope of compromised data from the network tap?
  • What immediate financial controls do you implement to prevent further unauthorized transactions?
  • How do you communicate this incident to employees, clients, and regulators?
  • What convergence of physical and cyber security measures do you need going forward?

Expected Outcomes

Mature response: immediate removal and forensic preservation of the rogue network device (photographed and documented in place before it is unplugged), emergency freeze on all wire transfers pending verification, forced password reset for all credentials potentially captured by the network tap together with rotation of any service account passwords, API keys and session tokens that crossed that segment, law enforcement cooperation with evidence preservation, physical security remediation (anti-tailgating measures, visitor verification procedures, workstation lock policies), and board briefing on the convergence of physical and cyber security requirements.

Post-exercise findings should address the gap between physical security and cybersecurity teams that allowed the breach to go undetected for 36 hours.

How to Run These Exercises: Facilitation Guide

Running an effective tabletop exercise requires more than reading the scenario aloud. Here is a step-by-step facilitation guide that ensures you get maximum value from each session.

Pre-Exercise Preparation (2-4 Weeks Before)

  1. Select the scenario based on your risk register priorities and BIA results. Choose the scenario that tests your highest-rated risks or most critical business functions.
  2. Customise the scenario to your organisation. Replace generic details with your actual system names, vendor names, locations, and financial figures.
  3. Identify and invite participants. Include decision-makers, not just their delegates. Senior leadership participation is critical for realism.
  4. Distribute the ground rules in advance: this is a no-blame learning exercise, there are no wrong answers, all decisions should be made as if this were a real event, and phones/email should be off.
  5. Prepare the logistics: book a room for 90-120 minutes, assign a facilitator, timekeeper, and scribe, print scenario materials, and have a whiteboard or flip chart available.

During the Exercise

  1. Set the scene (5 minutes): Read the situation brief aloud. Give participants a moment to absorb the scenario.
  2. Initial response discussion (20 minutes): Ask participants to describe their first actions. Who do they call? What do they activate? The facilitator probes for specifics.
  3. Inject delivery (60-80 minutes): Introduce each inject at planned intervals. After each inject, allow 15-20 minutes for discussion. The facilitator uses the provided questions to steer the conversation toward gaps and assumptions.
  4. Wrap-up and hot debrief (15 minutes): Capture immediate observations. What worked? What did not? What surprised participants?

Post-Exercise Actions

  1. After-Action Report: Within 5 business days, the scribe produces a report documenting scenario description, decisions made, gaps identified, lessons learned, and recommended actions.
  2. Action Tracking: Each finding becomes an action item with an owner, due date, and closure criteria. Track these in your risk register or issues log.
  3. BCP/DRP Updates: Amend your business continuity and disaster recovery plans to address the gaps identified.
  4. Next Exercise Planning: Schedule the next exercise to test the improvements made. ISO 22301 requires exercises at planned intervals; best practice is quarterly tabletop exercises rotating through different threat categories.

Annual Exercise Planning Matrix

Use this matrix to schedule exercises across the year, ensuring coverage of all five threat categories. Adapt the timing based on your regulatory requirements, business cycle, and risk profile.

Quarter | Exercise | Threat Category | Type | Audience
Q1 | Scenario 1: Enterprise Ransomware | Cyber | Tabletop | Exec + IT
Q1 | Scenario 7: Sole-Source Supplier | Supply Chain | Tabletop | Ops + Proc
Q2 | Scenario 4: Pandemic Escalation | Pandemic/Workforce | Tabletop | Exec + HR
Q2 | Scenario 10: Cloud Outage | Cloud/Tech | Tabletop | IT + Ops
Q3 | Scenario 13: Data Exfiltration | Insider Threat | Tabletop | Exec + Legal
Q3 | Scenario 2: Third-Party Breach | Cyber | Walk-through | IT + Vendor
Q4 | Full-scale integrated exercise | Multi-scenario compound | Functional | Enterprise
Q4 | After-action review and annual programme assessment | All categories | Review | BCM team

10 Common Mistakes in Business Continuity Exercises

  1. Running the same scenario every year. Rotate through threat categories and increase difficulty. Repeating the same exercise builds false confidence.
  2. No injects. A scenario without injects is a reading comprehension exercise, not a decision-making simulation. Injects force participants to adapt and reveal genuine gaps.
  3. Wrong participants. If the people who make decisions during a real crisis are not in the room, the exercise has limited value. Insist on senior leadership attendance.
  4. No after-action report. An exercise without a documented after-action report is a conversation, not a compliance activity. ISO 22301 requires documented results.
  5. Findings without owners or deadlines. Every finding must have an owner, a due date, and closure criteria. Unassigned findings never get resolved.
  6. Not testing communication channels. If your exercise assumes email works, you are not testing your most likely failure mode. Simulate communication system failures.
  7. Skipping the BIA connection. Exercises should directly reference your BIA’s critical activities, RTOs, RPOs, and MTPD. If they do not, you are testing a fantasy.
  8. No external dependencies. Real disruptions involve vendors, regulators, customers, and media. Include external stakeholder interactions in your scenarios.
  9. Treating exercises as pass/fail. The goal is learning, not grading. A blame culture discourages honest participation and hides the gaps you need to find.
  10. Annual-only cadence. Annual exercises meet the minimum compliance bar but do not build muscle memory. Quarterly tabletop exercises, supplemented by annual functional or full-scale exercises, reflect best practice.

Business Continuity Exercise Readiness Checklist

Use this checklist to confirm your organisation is ready to run effective business continuity exercises.

  • BIA completed and current (reviewed within the past 12 months) with defined RTOs, RPOs, and MTPD
  • BCP and DRP documents updated and accessible to all recovery teams
  • Crisis management team formally designated with alternates and contact details
  • Communication plan tested including out-of-band channels (not dependent on email)
  • Exercise programme documented with annual schedule covering all five threat categories
  • After-action report template prepared with fields for findings, owners, due dates, and closure criteria
  • Senior leadership committed to participate in at least two exercises per year
  • Scenarios customised to your risk register and BIA critical activities
  • Injects prepared for each scenario (minimum 3 per exercise)
  • Facilitator, timekeeper, and scribe assigned for each exercise
  • Post-exercise action tracking integrated into your risk register or issues management system
  • Regulatory exercise requirements mapped (FFIEC, ISO 22301, OCC, industry-specific)
  • Lessons learned from previous exercises documented and incorporated into BCP updates
  • Exercise programme reviewed annually by internal audit or independent assessor
  • Board reporting on exercise results and remediation progress established.

Frequently Asked Questions

How often should we run tabletop exercises?

ISO 22301 requires exercises at planned intervals but does not specify a frequency. Best practice is quarterly tabletop exercises, each covering a different threat category, supplemented by at least one annual functional or full-scale exercise. The FFIEC expects financial institutions to exercise their BCPs at least annually, with more frequent testing for critical functions.

What is the difference between an exercise and a test?

Per FFIEC guidance, an exercise validates decision-making, communication, and coordination under simulated conditions. A test confirms that a specific technical capability works as designed (e.g., a backup restoration test, a failover test). Both are required. Exercises answer ‘can our people make the right decisions under pressure?’ while tests answer ‘does this system recover as expected?’

Who should participate in a tabletop exercise?

At minimum: the crisis management team lead, representatives from IT, operations, legal, communications, HR, and finance, plus at least one executive decision-maker. The specific roles depend on the scenario. A cyber exercise needs the CISO; a supply chain exercise needs the procurement director. The key rule: include the people who would actually make decisions in a real event.

How do we measure exercise effectiveness?

Track four metrics: (1) the number of actionable findings per exercise, (2) the closure rate and speed of post-exercise action items, (3) improvement trends across successive exercises (are the same gaps recurring?), and (4) participant feedback on realism and value. Mature programmes also measure whether exercise findings lead to measurable improvements in RTO achievement during actual incidents.

Can we use these scenarios for regulatory compliance?

Yes, provided you document the exercise in accordance with your regulatory requirements. For ISO 22301 certification, document the exercise plan, scenario, participants, observations, after-action report, and corrective actions. For FFIEC-regulated institutions, ensure exercises are documented in your BCM programme with evidence of board or senior management review of results.

How do we handle sensitive scenarios like workplace violence?

Workplace violence tabletop exercises require careful facilitation. Brief participants in advance that the topic is sensitive. Make trauma-informed support available. Focus the discussion on procedures, communication, and decision-making rather than graphic scenario details. Consider engaging an external facilitator experienced in this topic, particularly if your organisation has experienced a prior incident.

Sources