Skip to main content
KestralisKestralis

— Business Continuity

When Your Business Continuity Plan Doesn’t Work: What Tabletop Exercises Actually Reveal

John Scheffler, CBCP · Principal, Kestralis Group
8 min
Team gathered around a table reviewing planning documents during a working session

Most organizations with a business continuity plan believe it will work when needed. This belief is almost always untested. A plan that has never been exercised is a collection of assumptions — about who will do what, how long it will take, which systems will be available, how leadership will communicate, and whether the people who need to execute have ever actually practiced.

Tabletop exercises are the most reliable way to test those assumptions. They are also one of the most consistently underused tools in the continuity professional's toolkit — frequently budgeted for, often scheduled, and regularly postponed in favor of more immediately pressing priorities.

This article describes what tabletop exercises actually reveal when they are done well — because understanding what they find is the best argument for doing them.

What a Tabletop Exercise Is — and Is Not

A tabletop exercise is a structured, facilitated discussion in which key stakeholders work through a simulated disruption scenario in real time. It is not a drill. It does not require activating emergency systems, relocating personnel, or testing technical recovery processes. It is a conversation — a structured, pressure-tested conversation — that surfaces the gaps between what the plan says will happen and what will actually happen when people are in the room making decisions under uncertainty.

A well-designed tabletop exercise has:

  • A realistic scenario calibrated to the organization's actual risk profile
  • Injects — new information introduced during the exercise that complicates or changes the picture
  • Decision points that require leadership to act, not just discuss
  • A facilitator who challenges assumptions, probes reasoning, and keeps the scenario moving
  • A documented after-action review that captures what worked, what did not, and what needs to change

It is not a compliance exercise. It is not an opportunity to demonstrate that the plan works. It is a controlled environment in which the plan's weaknesses are exposed safely — so they can be addressed before they are exposed in an actual disruption.

What Tabletop Exercises Consistently Reveal

After running tabletop exercises across industries and organization sizes, the same categories of failure appear with remarkable consistency.

1. Nobody Actually Knows Where the Plan Is

This sounds like an exaggeration. It is not. In exercise after exercise, when facilitators ask participants to reference the business continuity plan, someone has to search for it. It is in a file share that has not been organized in three years. It is on a laptop that the person who built it took when they left the company. It is in a format that requires a specific application to open.

The plan that cannot be found in the first ten minutes of a crisis is a plan that will not be used.

2. The Recovery Time Objectives Are Not Achievable

Recovery Time Objectives (RTOs) are the cornerstone of a business continuity plan — the maximum acceptable time to restore critical functions after a disruption. Most organizations set them during a planning process and never test them.

Tabletop exercises routinely reveal that the RTOs in the plan bear no relationship to what is actually achievable. The plan says a critical system will be restored in four hours. The IT team, when walked through the actual recovery steps in the exercise, estimates 48 to 72 hours. The gap is not a failure of effort — it is a failure of the planning process to engage the people who know what recovery actually involves.

3. Decision-Making Authority Is Unclear

Every business continuity plan has a command structure. Most of those command structures were designed in conference rooms by people who were not thinking about the specific dynamics of who will actually be available, willing, and capable of making decisions at 2:00 AM during a Category 4 disruption.

Tabletop exercises expose this in two ways: first, when a decision needs to be made and everyone looks at someone else; second, when two people with different interpretations of the plan's command structure reach different conclusions about who has authority.

Unclear decision-making authority is not a minor procedural gap. It is the primary driver of organizational paralysis during actual crises.

4. The Communication Plan Does Not Account for the Scenario

Most communication plans are built around the assumption that the organization's primary communication channels are available. A ransomware event takes email down. A facility loss takes the phone system with it. A regional emergency makes cellular unreliable.

Exercises that include injects simulating communication disruption consistently reveal that organizations have no functional alternative to their primary communication systems — and that the contact lists in the plan are either out of date, in a format that requires those systems to access, or in a location that is physically inaccessible if the primary facility is the subject of the disruption.

5. Third-Party Dependencies Were Not Included in the Planning

Every organization has critical vendors, suppliers, and service providers. Most business continuity plans address internal systems and personnel in detail and address third-party dependencies superficially or not at all.

Exercises that introduce scenarios involving a critical vendor failure — a cloud provider outage, a payroll processor disruption, a key logistics provider unable to deliver — routinely reveal that organizations have no recovery strategy for these situations and have not verified that their critical vendors have adequate BCP of their own.

6. The Plan's Author Has Left the Company

This finding is embarrassingly common. The person who built the business continuity plan — who knows its assumptions, its gaps, and the decisions that shaped its structure — left eighteen months ago. Their replacement has not reviewed the plan. The contacts listed in the plan are out of date. The systems described in the plan have been replaced with different systems. The plan is an accurate description of an organization that no longer exists.

7. People Do Not Know Their Roles

When participants in a tabletop exercise are asked to describe their specific responsibilities under the plan, a significant proportion — even among people who were nominally involved in the planning process — cannot do so accurately. They know the plan exists. They may have attended a presentation about it. They have not internalized their specific role in executing it.

A plan that is not known and practiced is not a plan that will be executed under pressure. This is one of the structural reasons mid-market BCPs fail.

What a Good After-Action Review Does

Every tabletop exercise should conclude with a structured after-action review — a documented assessment of what the exercise revealed, what the plan got right, what it got wrong, and what needs to change.

The after-action review is not a criticism session. It is a learning process. The findings from the exercise should directly drive plan updates, procedural changes, and training priorities. An exercise without an after-action review is an event. An exercise with a rigorous after-action review is a program improvement.

The three questions the after-action review must answer:

  1. What specific gaps did the exercise reveal?
  2. What changes to the plan, the procedures, or the training will address those gaps?
  3. Who is responsible for making those changes and by when?

How Often to Exercise

The minimum standard is annual. The organizations that derive the most benefit from their continuity programs exercise more frequently — alternating between full tabletop exercises and targeted component exercises that test specific plan elements.

Annual tabletop exercises should be supplemented with:

  • Quarterly reviews of the contact lists and resource inventories in the plan
  • Annual verification of third-party vendor BCP status
  • Exercise-triggered plan updates — not just annual scheduled review

The question to ask is not “how often are we required to exercise?” The question is “how confident are we that this plan will work if we need it tomorrow?” If the honest answer is “not very,” the exercise frequency is insufficient.

Kestralis Group designs and facilitates business continuity tabletop exercises — scenario development, facilitation, and written after-action review — led by a Certified Business Continuity Professional with hands-on enterprise BCP experience. Contact us to discuss your organization's exercise program.

— About the author

John Scheffler, CBCP

Principal, Kestralis Group

— Further reading

More from Kestralis.

  1. April 14, 2026

    What Cal/OSHA Actually Looks for in a WVPP Inspection

    Most California employers created a Workplace Violence Prevention Plan in 2024 and hope for the best. Here is exactly what a Cal/OSHA inspector evaluates — and where most programs fail.

  2. April 3, 2026

    What to Do When an Employee Becomes a Concern: A Step-by-Step Guide for HR and Legal

    A practical framework for HR and Legal when an employee’s behavior raises concern — from first recognition through assessment, intervention, and documentation.

  3. March 23, 2026

    Virginia HB-1919: What Employers with 100+ Employees Must Do Before January 2027

    Virginia’s workplace violence prevention law takes effect January 1, 2027. Here is what covered employers need to know, what the law requires, and why starting now is the right move.

— Get in touch

Questions about what you just read?

We're happy to discuss how this applies to your organization. Reach out for a confidential conversation.

Schedule a ConsultationSend a Message