What is a tabletop exercise in crisis communication?

A tabletop exercise is a facilitated discussion in which a crisis team works through a simulated incident scenario without activating real systems or responses. The team talks through who they would contact, what they would communicate, through which channels and in what order. The exercise identifies gaps in the plan — wrong assumptions, out-of-date contacts, unclear approval paths — before a real incident makes those gaps consequential.

How long does a tabletop exercise take?

Most crisis communication tabletop exercises run for between 90 minutes and three hours, depending on the complexity of the scenario and the number of injects. A focused 90-minute session with four to five injects is sufficient to test the core communication processes for most organisations. Larger or more complex organisations with multiple sites, regulated operations or multi-agency response requirements typically benefit from longer sessions.

Who should facilitate a tabletop exercise?

The facilitator should not be a member of the crisis team. Their role is to run the scenario, introduce injects and probe the team's assumptions without participating in the response. A good facilitator keeps the discussion moving, surfaces disagreements and hesitations, and takes detailed notes on findings. External facilitators from a specialist crisis management or communications firm are useful for organisations running their first exercises or those seeking an independent assessment of their capability.

What scenarios make the best tabletop exercises?

The most useful tabletop scenarios are drawn from the organisation's own risk register and designed to stress the specific aspects of the communication plan most likely to fail. Common high-value scenarios include cyber incidents (because they affect the communication channels themselves), multi-site emergencies (because they test audience segmentation), and regulatory notification events (because they test the intersection of legal, communications and leadership functions). Generic scenarios are less valuable than scenarios that reflect the organisation's actual operating environment.

Crisis Communication Tabletop Exercise Guide

A tabletop exercise does not test whether your plan is good. It tests whether your people can execute it under pressure. Those are different questions.

What is a tabletop exercise?

A tabletop exercise is a structured discussion in which a crisis team works through a simulated scenario together, without deploying real resources or activating live systems. The facilitator introduces a scenario and a series of developments — called injects — and participants discuss how they would respond at each stage. The exercise is not a test of whether people can physically execute a plan; it is a test of whether the plan itself is sound and whether the team can make good decisions under pressure.

For crisis communication specifically, tabletop exercises surface the gaps that are invisible until a real incident exposes them: the approval chain that has too many steps, the channel that fails when the systems it depends on are affected, the spokesperson who does not know they are the spokesperson. Finding these gaps in a two-hour exercise is considerably less costly than finding them at 09:00 on a Tuesday morning.

How to structure a tabletop exercise

Stage 1: Briefing (15–20 minutes)

The facilitator sets the scenario, confirms the ground rules (no blame, no wrong answers, the goal is learning), and introduces the participants and their roles. The scenario should be plausible and specific enough to feel real: not "a cyber incident" but "at 08:30 on a Monday morning, your IT team reports that the email system is unavailable and investigation is underway." The more specific the scenario, the more useful the discussion that follows.

Stage 2: Inject sequence (60–90 minutes)

The facilitator introduces a series of developments — each one is an inject. After each inject, the team discusses: what they know, what they would communicate, to whom, through which channel, and who approves the message. The facilitator's role is to observe, probe and introduce complications. Good injects escalate the scenario: the email system turns out to be a ransomware attack; the IT team discovers patient data may be affected; a journalist calls the press office.

Stage 3: Discussion (20–30 minutes)

After the inject sequence, the facilitator leads a structured discussion: which decisions were hard and why? Where did the team disagree? What information did people find themselves lacking? What would they have done differently with 20 minutes' more preparation? This is where the most valuable learning usually happens.

Stage 4: Debrief (30 minutes)

The debrief produces a written action list: specific gaps identified, the change required to close each gap, and the name of the person responsible. Without this step, the exercise produces useful conversation but no lasting change. The action list should be reviewed at the next exercise, typically six to twelve months later.

What tabletop exercises most commonly find

Roles and ownership

The most common finding is that no one is clearly responsible for making the communication decision under pressure. When three people all think someone else is drafting the holding statement, the holding statement does not get drafted. Exercises expose this pattern and create the mandate to fix it: every scenario type should have a named communication lead and a named deputy.

Channels and tools

The second most common finding is channel dependency. Many organisations default to email as their primary internal communication channel and discover during an exercise that their chosen scenario — an IT outage, a ransomware attack — is precisely the scenario in which email is unavailable. The exercise creates a clear, evidence-based case for investing in channel redundancy: a desktop alert system that operates independently of email infrastructure, or an emergency notification channel that works when primary systems are down.

Plan gaps

Tabletop exercises frequently reveal that the plan does not cover the scenario at hand. There is no holding statement template for a data breach. The approval process requires sign-off from someone who is on holiday. The escalation path goes to a role that no longer exists. These are exactly the gaps the exercise is designed to find. Each one should become a named action item in the debrief.

The improvement cycle

A single tabletop exercise is useful. A programme of regular exercises is transformative. The organisations that communicate best during crises are not those with the most talented communicators; they are those that have run the exercise enough times that the decision-making is instinctive, the channels are tested, and the templates are ready. The debrief action list from one exercise becomes the test for the next.

Practical guidance for running your first exercise

Choose the right scenario

The scenario should be plausible for your organisation and sector, and it should test the specific gaps you most want to identify. A financial services firm should run a data breach scenario. A healthcare organisation should run a system outage. A manufacturing company should run a site safety incident. Generic scenarios produce generic findings; specific scenarios produce actionable ones.

Invite the right people

The crisis communication tabletop should include everyone who would have a communication role in a real incident: the communications lead, a senior executive, a representative from IT or operations, legal or compliance if relevant, and HR for incidents that affect employees. The exercise is also an opportunity to test the relationship between these roles — to check that the communications lead has the authority and the information access they need in a real incident.

Brief the facilitator properly

The facilitator should understand the organisation well enough to make the injects plausible and to probe the team’s responses constructively. They should not be a participant in the exercise — they cannot observe and respond simultaneously. An external facilitator brings a useful outsider perspective and removes the awkwardness of a senior person facilitating a team that includes their direct reports.

Commit to the action list

The most important step happens after the exercise ends. The action list from the debrief should be assigned to named individuals with deadlines, reviewed at the next leadership meeting, and tracked to completion. An exercise that produces a list that is not acted on does not improve the plan. It just produces a record of the gaps that were known but not addressed. The goal is a crisis communication plan that is demonstrably better after each exercise than it was before it.

See Heed in Action

See how Heed streamlines internal communication across desktop, mobile, and shared screens - so every message gets noticed.

We’ll walk you through creating, targeting, and tracking notifications in real time, tailored to your organisation’s goals.

Schedule a Demo

FAQ

Common Questions

Common questions about running crisis communication tabletop exercises.

What is a tabletop exercise?