Operational Trust

FN-003 · May 2026 · 5 min read

Why tabletop exercises fail (and how to run one that doesn't)

Incident response · Planning

A tabletop exercise is not a presentation. It is a structured conversation about what your team would actually do when things go wrong. Yet in many small and medium enterprises, these exercises consistently fall short of their potential. The most common reason is a fundamental misunderstanding of their purpose: organisations treat them as IT exercises rather than business decision exercises.

The IT trap

When a tabletop exercise is framed as a technical test, the wrong reflexes are exercised. The IT team spends the session discussing how they would isolate a server, review logs, or restore a backup. Meanwhile, the managing director and operations lead sit passively, treating the session as an educational briefing on cyber threats.

This approach fails because operational resilience is not solely about technical recovery. During a genuine disruption, the most pressing challenges are operational and regulatory. If your primary IT infrastructure supplier fails on a Tuesday afternoon, the immediate questions are not about malware signatures. They are: who has the authority to halt production? When do we notify our enterprise clients? How do we meet the 24-hour early warning notification window mandated by NIS2?

If your tabletop exercise does not force your leadership team to answer these questions, it is not preparing your organisation for a crisis.

How to run a useful tabletop exercise

To turn a tabletop from a technical briefing into a robust operational drill, shift the focus from ‘how do we fix the IT?’ to ‘how do we manage the business?’

1. Base it on business impact, not threat types

Do not build scenarios around abstract threat actors. Build them around the loss of critical business functions. A scenario where a core back-office application is unavailable for 48 hours forces the team to discuss manual fallback procedures, minimum viable service levels, and customer communications.

2. Test the decision authority matrix

Crises often occur when primary decision-makers are unavailable. The exercise should test your documented chain of succession. Introduce injects — such as the managing director being uncontactable — to verify that designated deputies understand their authority to initiate failovers, approve regulatory notifications, and authorise public communications.

3. Include the whole business

A resilient response requires collaboration across the enterprise. Security, IT, legal, HR, communications, and leadership must all participate. The IT lead manages the technical response, but operations must manage the downtime, and leadership must manage the liability.

4. Document the lessons identified

The value of an exercise lies in what happens after it concludes. Use an After-Action Report to document how the incident was identified, what decisions were made, and where the gaps in your Standard Operating Procedures lie. These findings must feed directly back into updating your Incident Response Plan.

A tabletop exercise should expose the gaps in your documented processes during peacetime. When run correctly, it is the most effective tool an SME has to transform a theoretical resilience plan into a tested, dependable operational capability.

Operational Trust · Lead Reviewer · May 2026
