A practical guide to tabletop exercises for workplace security teams

Most companies have a plan for emergencies. The question is whether that plan will actually work when something goes wrong. Tabletop exercises help teams answer that question by walking through realistic scenarios, testing assumptions, and identifying gaps before a real crisis exposes them.

Below, we’ll cover how tabletop exercises work, common scenarios to test, and how security teams can use them to strengthen emergency preparedness.

What is a tabletop exercise?

A tabletop exercise (TTX) is a discussion-based session where the people responsible for responding to emergencies walk through a realistic scenario together. The goal is to talk through how the organization would respond, make decisions, communicate, and coordinate if the event were actually happening.

Unlike running a drill, a TTX is about stress testing emergency decision-making. Who calls what? When does the notification go out? What happens when the floor warden doesn’t show? What if two sites are affected simultaneously and the response team has to split its attention? These are the kinds of questions the exercise is designed to answer.

Why is a tabletop exercise important?

Emergency plans fail in predictable ways. Maybe the distribution list hasn’t been updated in months, the floor warden is on PTO with no backup assigned, or the visitor log is sitting on paper at a front desk nobody can access. Sometimes the people who need to authorize a response are both traveling, and nobody has established what happens next.

These examples are failures of assumption not intent. They’re things the plan took for granted that turned out not to be true under real conditions. A tabletop surfaces those assumptions so teams can amend their plans before an emergency.

For organizations with multiple sites, the stakes are even higher. When multiple locations are affected at once, teams need to coordinate quickly and make decisions with limited information. Tabletop exercises help them practice that before a real emergency puts the plan to the test.

Who should be included in a workplace security tabletop exercise?

One of the most common tabletop mistakes is running the exercise with only the security team. A real crisis involves every function in your organization, so your tabletop exercise should, too.

• Security and safety leadership. These are the people who own the response plan and will lead execution during a real event. If they’re not in the room, the exercise doesn’t reflect how decisions are actually made.
• Facilities and operations. They control building access, utilities, and physical infrastructure, all of which become active variables in almost every emergency scenario. They’ll also be the ones managing site closures, shelter space, and backup systems if primary infrastructure fails.
• IT. Relevant for far more than cyber scenarios. Emergency notification platforms, access control systems, digital signage, and visitor management tools all run on infrastructure IT owns or manages, so they should be in the room to answer for them.
• HR. Responsible for employee communications, welfare tracking, and policy questions that arise during any incident, from pay during closures to managing employees who can’t be reached. In an emergency, HR decisions start immediately.
• Legal and compliance. Regulatory notification requirements kick in faster than most teams expect. Depending on the incident type and jurisdiction, legal may need to authorize external communications or flag disclosure obligations within hours. They need to know the plan before they’re executing it under pressure.
• Communications. Both internal messaging to employees and any external-facing statements during or after an incident. The worst time to establish communications authority and protocols is mid-crisis.
• An executive sponsor. Someone with the authority to make major decisions without delay. In a real incident, those decisions (think approving a site closure or authorizing a regulatory notification) will need to be made. 
• Local site leads (for multi-site organizations). A centralized team running a tabletop without representation from the locations being simulated will miss site-specific realities. Local leads know what the floor warden coverage actually looks like, whether the basement shelter is usable, and where the operational gaps are on the ground.

{{protip-1}}

How to run a tabletop exercise in 5 steps

Step 1: Start with the right scenario

The most common mistake is choosing a scenario that feels safe, such as a generic “natural disaster” with no specific geography, realistic timeline, or complications that force hard decisions. These exercises produce the same conclusions every time: communication could be improved and plans should be updated more regularly.

Instead, be specific. A useful scenario is based on a threat that’s plausible for your actual locations. It has a realistic timeline with pressure points and includes complications, like unexpected developments that disrupt the obvious response path and force the team to improvise.

The threats most worth building scenarios around are the ones actually facing your sites. If your offices are in a coastal region, that means hurricanes. If you operate in a dense urban area, civil unrest is a legitimate planning scenario. If your team relies heavily on cloud-based systems, a vendor outage affecting your emergency notification platform deserves its own exercise.

Organizations that track real-time risk signals across their locations have a natural advantage here because they can build tabletop scenarios around threats that are geographically relevant and currently active, rather than hypotheticals that may never actually take place.

Step 2: Define what you’re testing

Before the session, write down what you’re specifically trying to learn. “Test our emergency response” is too broad to evaluate afterward.

Good objective statements look like:

• Evaluate whether our notification system reaches contractors and visitors, not just employees
• Identify decision-making bottlenecks when two or more sites are affected simultaneously
• Test whether our floor wardens can execute headcount procedures without support from the central security team
• Assess how quickly legal can be looped in when a regulatory notification is required

Specific objectives help your team measure whether the exercise succeeded and prioritize what gets fixed first.

Step 3: Assign roles

• Facilitator. Runs the session, introduces the scenario, injects complications, and keeps the discussion moving without letting it stall. 
• Participants. The decision-makers who would actually be responding during a real event. They should be actively involved in the session. The value of the exercise degrades quickly if key people are checking email.
• Evaluator. Observes the discussion and tracks where the plan holds up, where it breaks down, and what questions the team can’t answer. Their notes become the foundation for the after-action report.
• Observer: Optional, but useful for functions that need situational awareness without decision-making authority. This could be a board member, an external consultant, a regulator in some contexts.

Step 4: Run the scenario in phases

Instead of dropping the full scenario at once, structure it in phases. Add new developments (“injects”) that change the situation and force the team to adapt. Here’s a basic structure for a two-hour exercise:

• Phase 1 – Onset (20 min): The triggering event. What just happened? Who’s notified? What are the first three decisions that need to be made?
• Phase 2 –Escalation (40 min): The situation develops. Introduce a complication here, such as a key person being unavailable, a system not responding, a second location now affected. How does the response adapt?
• Phase 3 – Decision point (30 min): A high-stakes decision needs to be made with incomplete information. Who makes it? How? What’s the process for getting authorization?
• Phase 4 – Wind-down and debrief (30 min): Walk back through the scenario. What did the team do well? Where did the discussion stall? What couldn’t be answered?

Step 5: Debrief while it’s fresh

The debrief (or “hot wash”) happens immediately after the exercise so key learnings and important details aren’t lost. Think of it as a structured review of how the plan performed. 

Make sure this isn’t framed as a performance review, so you create a psychologically safe environment where people will surface real gaps rather than defending their decisions.

Three questions to anchor the debrief:

1. What worked better than expected?
2. Where did the plan’s assumptions not hold up?
3. What do we need to add, change, or test before the next exercise?

Everything that surfaces goes into an after-action report with named owners and deadlines.

{{protip-2}}

Scenario-specific tabletop guides

Different threats require different planning assumptions, different participants, and different complications. Here’s how to structure a tabletop exercise for four of the scenarios most relevant to workplace security teams.

Hurricane tabletop exercise

Active shooter tabletop exercise

Power outage tabletop exercise

Severe weather tabletop exercise

How often should you run tabletop exercises?

At minimum, once per year, but it depends on how much your organization changes.

There are so many scenarios that would warrant conducting a tabletop exercise, including the opening, of a new office, a significant headcount shift, and a new emergency management platform. Any of these can create gaps in a plan that previously worked. 

A practical cadence for most multi-site locations is to conduct one tabletop annually covering your highest-priority scenario, plus site-level exercises at each major location on a rotating basis. 

New sites should run their first tabletop within six months of opening before an incident teaches them what their plan missed.

Don’t forget: every exercise should produce an after-action report with specific findings and named owners. That report, and whether those owners actually closed out their action items, is what determines whether the exercise changed anything.

{{protip-3}}

A sample tabletop exercise agenda

Here’s a two-hour agenda template you can adapt for any scenario.

Before the session

• Distribute the scenario overview to participants 48 hours in advance (incident type and initial conditions only — don’t share the injects)
• Confirm all roles: facilitator, evaluator, note-taker
• Verify that all relevant plans and contact lists are accessible in the room

Session agenda

After the session

• After-action report drafted within 72 hours
• Action items assigned with named owners and deadlines
• Next exercise scheduled before this one is closed out

— 

The teams that get the most value from tabletops are the ones that ground their scenarios in current, location-specific risk intelligence. When scenarios are built from real signals rather than hypotheticals, the discussions are sharper, the gaps that surface are more relevant, and the improvements that follow are more likely to matter when something actually happens.

Want to strengthen emergency response and risk awareness across your locations? Learn more about Envoy for emergency management.