Crisis Management Exercise Examples – A Review of Real Exercises

Many organizations have fallen into the habit of conducting only one type of exercise, the cyber tabletop. In today’s blog, we’ll share examples of good exercises that envision impacts to areas other than technology and which require real-world responses, the best way to uncover overoptimistic assumptions.

[Related: How to Be a Mock Jock: Advice on Facilitating a Disaster Exercise]

The Cyber Tabletop Habit

Cyber tabletops are discussion-based exercises that envision a loss of IT functionality as a result of a cyberattack. They are far and away the exercise our clients perform most frequently. For many, it’s the only kind of exercise they do. In fact, cyber tabletops have become a habit at many organizations. For many, the cyber tabletop has become their comfort zone.

The prevalence of this type of exercise is no bad thing. Cyber attacks remain the likeliest cause of severe outages for most organizations. Companies who remain shaky in their cyber response would do well to prioritize this area.

In addition, the tabletop format has undeniable advantages. Discussion-based exercises are inexpensive, relatively easy to gain approval for and schedule, and can apply plenty of realistic stress.

Where Cyber Tabletop Exercises Fall Short

However, despite their many benefits, cyber tabletops also have significant limitations.

There are many other kinds of threats besides cyberattacks (e.g., weather events, power outages, incidents of workplace violence, reputational disasters, etc.). There are also many other kinds of outages than ones affecting technology systems, including losses of critical suppliers, facilities, and personnel.

Non-cyber events cause significant impacts to organizations around the world every day, but companies that only do cyber exercises get no practice in responding to them.

By the same token, tabletop exercises can only go so far in helping an organization prepare for disruptions. Tabletops leave too much room for organizations to make overoptimistic assumptions about how things would go during a real event. Companies that only do tabletops can go through life wearing rose-colored glasses, at least until a real disruption occurs.

Example Exercises to Broaden Your Testing Program

Companies that have developed competency in responding to cyberattacks, but which persist in only doing cyber tabletops, have much to gain from expanding their exercise programs.

Below are a few examples of real-world non-cyber exercises that MHA has performed with clients working in a variety of industries. These illustrate potential scenarios that could be used by organizations seeking to develop a more well-rounded approach to doing exercises.

They also show how active exercises can uncover gaps that discussion-based approaches might miss.

Exercise 1: Crisis Management with Real-World Actions

This exercise focused on crisis management and was planned for about two hours. In it, participants didn’t just review plans, they actually performed the required actions. During a scenario inject, the team was required to relocate to an alternate site, simulating what would happen if the primary location became unavailable.

Rather than simply estimating travel time and logistics, the participants performed the full relocation, physically moving from their building to the designated site across town.

This approach revealed the existence of large gaps between assumptions and reality. Planners had estimated relocation would take 30 minutes. It took closer to 90. Participants encountered long delays in obtaining transportation to the new site (personal vehicles were unavailable because the scenario supposed an impact to the company parking garage).

Delays continued even after staff reached the alternate site. Many people were unable to find the designated room.

The exercise proved highly instructive. Performing the actions uncovered gaps and issues that would not have been found by a thought exercise. In response, the team made and documented several changes to the plan to make it more efficient.

Variations on Exercise 1

The approach of performing actions in the real-world can be usefully applied to other aspects of responding to an emergency. Two such exercises that are well worth doing are assembling the crisis management team and simulating crisis communications.

Assembling the crisis management team is an activity that can seem straightforward until the organization actually attempts to do it. In this exercise, participants simulate the initial notification and assembly of the CMT.

Team members are contacted according to the organization’s procedures, via Teams, text, phone, or other channels. The process of gathering the team (whether physically or remotely) is timed and observed. This activity often reveals surprising gaps.

For example, we often find that executives who are used to relying on others to put them in touch with colleagues are unable to manage this task on their own, as they are obliged to under the scenario.

Simulating crisis communications is another activity that is usually harder than expected. This scenario focuses on the development and deployment of crisis communications. The communications are sent only to a safe test group.

Participants access and modify the organization’s prepared scripts or templates and simulate sending them through emails, internal portals, or press channels. The exercise frequently surfaces hidden assumptions about access, permissions, and practical use of the tools.

Exercise 2: Managing a Crisis Involving Workplace Violence and Supply Chain Impacts

This exercise focused on senior management’s response to a scenario in which a company facility was impacted by a workplace violence event. The event disrupted the organization’s supply chain. This exercise required participants to assess evolving information, make decisions under pressure, and prioritize actions despite incomplete data.

During the exercise, participants encountered situations where vital information (such as the number of products available and the specific operational impact) was not available. The team had to make assumptions in order to move forward while also avoiding treating assumptions as facts.

This generated considerable stress, as many participants noted during the debrief. “It was uncomfortable to not have the information,” said one participant. Despite that, the team successfully identified key milestones, made decisions based on the data at hand, and explored contingency actions (such as when to communicate with stakeholders or implement workarounds).

The exercise gave the team valuable experience in making vital decisions with incomplete information.

Variations on Exercise 2

Variations on the above exercise might include having senior management deal with criminal or police activity at a company facility or cope with the disruption of a critical supplier.

An exercise in which senior leadership has to deal with criminal or police activity at a company facility would have much to teach. The scenario might involve drug-dealing at a company location or the arrests of employees by law enforcement.

Such a scenario would compel leaders to confront operational and reputational challenges they might not anticipate. This would test their ability to assess the situation, communicate effectively, and make decisions without clear precedent.

As in Exercise 2, this scenario emphasizes decision-making under incomplete information. It highlights the importance of having flexible procedures that account for unexpected disruptions.

Dealing with the disruption of a critical supplier would provide top managers with a different sort of challenge. The question in this scenario is, what happens if a critical single-source vendor becomes unavailable and current inventory levels are insufficient to maintain operations?

This exercise tests senior management’s ability to evaluate risk, prioritize responses, and activate contingency plans quickly. It also mirrors the real-world challenge of acting with imperfect information and underscores the importance of defining thresholds and triggers for action before a disruption occurs.

Exercise 3: Reviewing BC Plans with the Crisis Management Team

We’ve performed this exercise at many organizations. It involves reviewing departmental business continuity plans with the Crisis Management Team (CMT) to ensure everyone understands how the organization will operate tactically during an outage.

Unlike discussion-only tabletops or large-scale simulations, the focus here is on alignment and verification: the CMT examines departmental procedures, identifies potential conflicts, and ensures that planned responses will work in practice.

The value of this exercise lies in the CMT’s ability to see the operational details behind each department’s plan. They can verify that actions, responsibilities, and contingencies make sense, and adjust them if necessary.

For example, a proposed departmental response might create an unexpected risk, duplicate effort, or conflict with another area; the CMT can catch this before a real disruption occurs.

By reviewing plans collaboratively, the organization gains a clearer understanding of expectations, strengthens coordination across teams, and reduces the likelihood of surprises during an actual outage.

Going Beyond the Tabletop to Improve Readiness

Many organizations have become comfortable relying primarily on cyber tabletops, leaving gaps in their preparedness for other types of disruptions. Expanding exercise programs to include real-world actions, senior-level decision-making, and departmental plan reviews helps uncover hidden assumptions and operational challenges.

The exercises highlighted here—from physical relocation and team assembly to crisis communications and supply chain disruptions—demonstrate the value of hands-on, practical testing.

Each approach reinforces that true preparedness requires more than discussion: it demands performing actions, making decisions under uncertainty, and verifying that plans actually work in practice.

MHA consultants have extensive experience designing and conducting exercises and full exercise programs for organizations across the full range of sizes and industries. Contact MHA for help in strengthening your program and ensuring your teams are ready to handle whatever disruption comes next.

Frequently Asked Questions

What type of business continuity exercise does most organizations perform most often?

Most organizations most frequently conduct cyber tabletop exercises—discussion-based scenarios that simulate a loss of IT functionality due to a cyberattack.

What are the benefits of conducting cyber tabletop exercises?

Cyber tabletop exercises offer several important benefits. They help organizations prepare for one of the most likely causes of disruption, are relatively inexpensive and easy to schedule, and allow teams to walk through response procedures in a structured way.

They can also introduce a degree of pressure and coordination, making them a useful starting point for organizations still building confidence in their incident response capabilities.

When companies limit their exercise programs to cyber tabletops, what are they missing out on?

Organizations that rely solely on cyber tabletops miss the opportunity to prepare for a wide range of non-cyber disruptions, such as facility outages, supplier failures, or workforce impacts.

They also miss the chance to test how their teams perform in real-world conditions. Discussion-based exercises often allow for optimistic assumptions, meaning gaps in execution, coordination, and timing may go unnoticed until an actual disruption occurs.

Why is it important to conduct exercises that envision outages to areas other than technology?

While cyber incidents are common, many significant disruptions originate outside of technology. Events such as natural disasters, workplace incidents, or supply chain failures can have equally severe impacts on operations.Exercising these scenarios ensures organizations are prepared to respond to the full range of disruptions they may face, not just those involving IT systems.

What are some ways organizations can benefit from holding real-world exercises as opposed to merely discussion-based ones?

Real-world exercises provide several key advantages. They expose gaps between assumptions and reality, reveal practical challenges, create realistic pressure, validate whether plans work, and lead to actionable improvements by uncovering issues that would not surface in a tabletop setting.

What are some good exercises organizations can perform to move beyond cyber tabletops?

Organizations can expand their exercise programs by incorporating a variety of practical, non-cyber scenarios, such as:

• • Relocation exercises, where teams physically move to an alternate site and perform their roles.

  • Crisis management team assembly exercises, testing how quickly and effectively the team can be convened.

  • Simulated crisis communications, where participants develop and send messages using actual tools and templates.

  • Senior leadership scenarios, such as workplace incidents or supply chain disruptions requiring decisions under uncertainty.

  • Departmental plan reviews with the CMT, to validate alignment, identify conflicts, and ensure plans are workable in practice.

These types of exercises help organizations build a more well-rounded and realistic level of preparedness.

Further Reading

• Exercise Smarter: Include 3rd Party Experts In Your Cyber Exercises

• Beginner’s Guide to Recovery Exercises

• How to Plan a Mock Disaster Exercise

• How to Be a Mock Jock: Advice on Facilitating a Disaster Exercise

• Let’s Get Real: The Limitations of Tabletop Recovery Exercises

• Overdoing It: People Who Overplan Their Mock Disaster Exercises