The Post-Tabletop Exercise Payoff: From Learning to Remediation

You’ve successfully executed the tabletop exercise (TTX). The discussions were intense, the pressure was high, and the gaps were exposed. But the learning curve starts after the exercise ends.

The true return on investment (ROI) of a TTX is not the event itself, but the structured process you use to translate observations into tangible improvements that harden your business resilience.

This post outlines the three essential steps to harvest the payoff, moving from raw data to a prioritized remediation plan.

Step 1: Data Harvesting and Synthesis

The first 48 hours after the TTX are crucial for capturing and synthesizing all observations before they fade.

The Hot Wash & Participant Feedback

Immediately after the exercise, gather the core participants (without executives) for a 15-minute “Hot Wash.”

  • Focus Questions: What was the single most confusing part of the exercise? What decision point was missing a policy? What process felt slowest?
  • Key Action: Collect all notes and capture raw, emotional feedback. The stress points identified here are often the most urgent gaps.

Consolidate and Categorize

The facilitator and note takers must quickly combine all raw observations into a single master document.

  • Categorization: Group findings into actionable buckets that correspond to specific owners. Common categories include:
    • Policy Gaps: (e.g., No documented authority for external system shutdown.)
    • Process Gaps: (e.g., Cross-functional handoff between Legal and Comms was delayed.)
    • Technology Gaps: (e.g., No current capability to isolate the compromised network segment.)
    • Training Gaps: (e.g., Key personnel were unaware of the external communication policy.)

Step 2: The Remediation Action Plan

Every single finding must be assigned to an owner and a priority. This is the stage where you create the Remediation Action Plan – the TTX’s most valuable deliverable.

Assigning Severity and Priority

The severity of the finding should be based on its potential impact on the business, not just its technical difficulty.

| Severity Level | Definition (Business Impact) | Recommended Target Completion |
|---|---|---|
| High (Critical) | Findings that could lead to immediate, catastrophic business failure, major regulatory fines, or significant irreparable reputational damage. | 30 Days (Immediate Project) |
| Medium (Major) | Findings that cause significant business interruption or unnecessary delays but do not immediately halt operations. | 60-90 Days (Project Integration) |
| Low (Minor) | Findings that are non-critical policy clarifications or minor documentation updates. | 120 Days (Standard Workflow) |

Defining the Action and Owner

The Remediation Action Plan must be more than a list of problems. It must be a project plan. For every gap identified, define three things:

  1. The Specific Action: (e.g., Draft a new policy for CEO authorization of wire transfers.)
  2. The Owner: (e.g., General Counsel’s Office.)
  3. The Target Date: (Must align with the assigned Severity Level.)

Pro Tip: Avoid assigning actions to the Security Team if the gap is owned by another function. If the Communications team struggled with the media statement, they must own the action to revise the Communication Plan. This ensures accountability across the business.

Step 3: Integrating Findings into the Business Cycle

To prevent the TTX from becoming a one-off event, you must integrate the Remediation Action Plan into existing organizational workflows.

Leverage Existing Project Management Systems

Do not manage the Remediation Action Plan in a separate spreadsheet. Enter the high- and medium-severity actions as formal projects or tickets in the organization’s existing project tracking system (e.g., JIRA, ServiceNow, Planner, etc.).

Update Documentation Immediately

The goal is to fix the policy before the next incident occurs. Key documents that must be updated based on TTX findings include:

  • Incident Response Plan (IRP): Update the decision tree and contact lists.
  • Business Continuity Plan (BCP): Revise Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) based on actual test results.
  • Communication Playbook: Incorporate templates for legal hold, media inquiries, and customer statements.

Moving to Action: Your Next Step

The Post-TTX Payoff is directly proportional to the discipline applied in the follow-up. Show the organization that the exercise delivers concrete, measurable improvements.

Your Action Item: Identify the top 5 High-Severity items from your Remediation Action Plan. Find the owner for each item and schedule a 15-minute follow-up meeting with them to confirm the target deadline and necessary resources. Ideally, this should be done within one week of the TTX completion.

You now have a validated, prioritized list of actions. How do you communicate the value of this work to the highest level of your organization?

In the final part of this series, we will cover: Translating TTX Findings into Business Resilience for the Board – creating a concise, high-impact report that speaks the language of risk governance and strategic investment. (Coming April 8th!)
