The Real Cost of a Tabletop Exercise: What Goes Into Creating a Successful One

According to IBM’s 2022 Data Breach Report, the average cost of a breach in the US is $9.44 million. The report goes on to state that you can save millions of dollars by having a plan and testing it. “$2.66 million,” the report states, “(is) the average cost savings at organizations with an Incident Response Team that tested their plan versus those who didn’t.” 

Of course, it’s not just cyber-security incidents that may impact your organization’s ability to operate. What about active shooter situations, supply chain issues or activism related crises? Most crisis scenarios can be studied in depth — gamed out as we say –through tabletop exercises that enable organizations to identify gaps and weakness in their plans and response teams before a real crisis hits.  

In this blog post, we will discuss the actual costs of tabletop exercises (the testing piece) and what goes into making them successful, potentially saving your business millions.  

Before Anything Else, Consider Your Goals for the Tabletop Exercise  

Ultimately, the success of your tabletop exercise will be judged by whether it achieves its objectives. Therefore, it is important to take some time upfront to consider what you want to accomplish with the exercise. Do you want to test the crisis management plan with one team? What about testing your backup team on their roles and responsibilities? Or test the whole organization based on a major IT outage or significant cyber-security incident? Once you have a clear understanding of your goals, you can begin to develop your exercise. 

The Cost of the Tabletop Exercise Itself  

Now that you understand your goals and whether or not you need a budget, you can begin to develop your exercise. The cost of the exercise itself will vary depending on the size and scope of the project. A small exercise with a limited scope may only cost a few thousand dollars ($5,000 to $7,000), while a larger exercise with a more complex scope can easily cost tens of thousands of dollars.  

At the time I was researching for this blog, a quick Google search for “How much does a tabletop exercise cost?” revealed $30,000 to $50,000. You might be saying ‘Wow that’s a lot” but when you understand what goes into a well-designed and executed exercise versus ones that are not, you’ll understand why. And, when compared to the many millions of dollars that could be lost because of a poorly handled crisis, the cost for exercises that maximize your organization’s preparedness are a wise investment. 

I’m basing the cost parameters that are outlined further down this blog on an average PreparedEx tabletop exercise service engagement. Consider a typical example: one tabletop exercise with twenty to thirty participants, four hours in length, with a PreparedEx delivery team of two crisis experts at the client’s location within the US (we are US based but do travel overseas when asked). These sessions sometimes involve multi-media work such as pre-read videos, scenario visuals, breaking news videos as well as image manipulation to replicate various situations such as social media or a cyber-attack “you’ve been hacked” image. These simulated injects create engagement which is essential to the success of tabletop exercises.  

Train Like You Fight with Tabletop Exercises  

In the military we had a saying “Train Like You Fight,” which is no different than the phrase “Train Like You Respond.” It’s a term I coined in the early days of PreparedEx. Crises don’t start and end in fifteen minutes, in fact, according to research conducted by Dataminar, the average corporate crisis lasts four days. So, there is merit in conducting longer exercises at least annually, or more often depending on your business structure. Take the team through its paces so you can add a little more pressure over a period of hours rather than minutes. With that being said, there is a place for shorter scenario planning sessions, and they should take place regularly. Mini scenarios, as they are often called, can accomplish one or two objectives within a short window of time. One example is the activation of the crisis management team, a thankless task that often needs practice. It doesn’t take long to go through the activation process, gather the team, ensure there are no gaps in the activation process, then go back to your day. Of course, there are many other mini scenarios / trainings you can design based on your environment.  

Resource: I would like pricing for Tabletop Exercise Services  

The Cost of Training in Preparation for a Tabletop Exercise  

Don’t skip this step. In addition to the cost of the exercise itself, you will also need to consider the cost of training. If you are looking to train your staff on their roles and responsibilities, you will need to allocate resources for this purpose. The cost of training will vary depending on the size of your staff and the complexity of the plans you need to train them on, such as a crisis management plan for a senior leadership team or training on the new Ransomware playbook. Training can be accomplished in-house, but don’t just ask the team to read and understand the plan as it inevitably necessitates more formal training later. Trust me, I know. I’ve seen too many teams that are not familiar with their plans which slows down the exercise, and in real life would slow down and impact the response. Don’t let this happen to you. Take the time early on to get the team up to speed and iron out any issues or questions before you must activate the team and plan in a real situation.  

You may decide to look for an external professional training partner for specific topics such as crisis management and exercise design. One resource is The International Crisis Management Conference and their training program which has a number of training courses that support preparedness. These courses can be tailored to your specific preparedness program and environment.  

Breaking Down the Cost of Designing, Delivering and Evaluating a Tabletop Exercise  

Let’s start with breaking down each step in the exercise process, both from a  requirement standpoint as well as cost. The Five Steps to Creating Crisis Simulation Exercises process is one that we created to help support exercise design for businesses. Costs can be broken down into hourly rates based on the different roles of the design and delivery team, or they can be fixed based, which reduces scope creep and usually ensures an on-time execution. In the following example, I use fixed costs from a master exercise design spreadsheet formula we use. The five steps and associated costs are:  

Step 1 – Pre-Tabletop Exercise Planning ($2,500 – $4,000)  

This phase is critical to the success of the exercise and will typically take no longer than two weeks. The objectives of this phase are to:  

• Understand the goals and objectives of the tabletop exercise  
• Develop an understanding of the organization’s culture  
• Identify potential stakeholders including players, partners, and observers
• Select appropriate scenario ideas and create a scenario overview structure  
• Determine the logistics of the exercise such as dates, times, and locations  

Step 2 – Tabletop Exercise Scenario Design ($8,500 – $15,000)  

The scenario design step is where the bulk of the work will be done in developing the actual content of the exercise. The wide range of pricing noted above is because some exercises simply require more complexity. For example, and as often is the case, more meetings are needed to gather the specific details. (Cyber or IT specific scenarios are two examples of scenarios that may take longer to create.) The design step will typically take three to five weeks and will involve:  

• Research (which takes up a good amount of time) and write the draft scenario 
• Create player guides (we like to produce a nice pre-read video to support player preparations)  
• Confirmation and any required modifications of draft scenario with the delivery team or client (if you’re a vendor) 
• Design and production of injects, which may include multi-media breaking news videos, social media posts, photo manipulation to replicate a situation (fire, flooding, etc.) 
• Final scenario and exercise approval meeting   

 

Step 3 – Final Tabletop Exercise Logistics and Preparation ($2,500 – $3,500)  

Once the scenario has been finalized, the logistics and preparation step can begin. This will typically take one week and will involve:  

• Creating a final schedule for the exercise  
• Sending out the pre-read video that was created in step 1  
• Reviewing injects with the delivery team  
• Coordinating with stakeholders  
• Validating technology if its a virtual exercise or checking equipment if it’s in an office or other facility  
• Ensuring you have refreshments and any other needed arrangements for the exercise participants 
• Can you think of any others? Let us know in the comments section at the end of the blog.  

Resource: PreparedEx’s Tabletop Exercise Services  

Step 4 – Tabletop Exercise Delivery ($5,500 – $8,500)  

The delivery step is where all of your planning will come together. This phase will typically take five-to-six hours when you include set up, delivery and close down. Also consider that there might be travel-associated costs if you’re bringing in out-of-town vendors. For a crisis management team of twenty you may have one facilitator and one evaluator. The delivery step will involve:  

• Travel to the venue (if vendor is involved)
• Setting up the venue for the session  
• Facilitating the exercise  
• Documenting the results 

Step 5 – Post-Exercise Analysis and After Action Report ($3,500 – $5,500)  

The Tabletop Exercise After Action Report development phase is the final step in the five-step process and will take two-to-three weeks. This phase will involve:  

• Analyzing the results of the exercise  
• Identifying areas of improvement 
• Developing the draft After Action Report (AAR) 
• Presenting the AAR to a select audience  
• Make any changes to the AAR 
• Creating the remediation plan 

The More Complexity, The Higher the Cost of the Tabletop Exercise  

As you can see, the cost of a tabletop exercise can vary depending on the size and scope of the project. If you are looking to test, say, only your crisis communications plan, you may not need a large budget. On the other hand, if you are looking to run an enterprise-wide ransomware exercise, you will likely need to allocate more resources. In either case, it is important to consider your goals carefully before determining budget requirements.  

Benefits of Conducting Tabletop Exercises  

There are many benefits to conducting tabletop exercises including:  

1. Build Awareness – Tabletop Exercises help build awareness of potential threats and how they could impact the organization.  

2. Improve Coordination – Tabletop Exercises improve coordination between different departments, agencies, and other critical stakeholders.  

3. Identify Gaps – Tabletop Exercises help identify gaps in plans, processes, and procedures. Finding out what could have been potentially costly mistakes in an exercise is far better than finding them out during a crisis.  

4. Validate Assumptions – Tabletop Exercises help validate assumptions about how plans, processes, and procedures will work in a real-world situation.  

5. Build Confidence – Tabletop Exercises help build confidence in the ability of the organization to respond to a crisis.  

What About Those Hidden Benefits From Conducting Tabletop Exercises?  

Team Building – Tabletop Exercises provide an opportunity for team building as participants work together to solve problems and build trust. 

Develop Young Leaders – Tabletop Exercises provide an opportunity for young leaders to develop their skills in a safe environment. 

Develop New Skills – Tabletop Exercises provide an opportunity for participants to develop new skills like decision-making under stressful and time constrained conditions.  

Cross-Training – Tabletop Exercises provide an opportunity for cross-training as participants from different departments and disciplines work together. 

“Tabletop exercises are a great way to improve organizational resilience and build confidence in your origination’s ability to respond to crises. By understanding the real cost of a tabletop exercise, you can ensure that you’re getting the most bang for your buck.”  

Rob Burton

What About Other More Cost-Effective Tabletop Exercise Options?  

Not every organization needs or has the budget for a full-fledged, facilitated tabletop exercise. There are more cost-effective options that can still provide value. These include:  

1. Self-Designed and Facilitated Tabletop Exercises – Self-facilitated tabletop exercises can be conducted using materials readily available online or in commercial, off-the-shelf (COTS) products. Although we don’t recommend these options as they are not designed with your organization’s objectives in mind, they could provide some insight into lower-level tabletop exercise discussions and planning.  

2. Peer-to-peer Tabletop Exercises – Peer-to-peer tabletop exercises are conducted between two or more organizations with similar mission sets. These types of exercises can be very beneficial as they provide an opportunity to build relationships and share best practices. Sitting in on your peer organization’s exercises and inviting them to yours can sometimes be a good practice.  

3. Virtual Tabletop Exercises – Virtual tabletop exercises use computer simulations to create a realistic environment for exercising plans, processes, and procedures. These types of exercises benefit organizations with geographically dispersed employees or for those who want to exercise plans without the need for travel. 

4. Services like FirstLook from PreparedEx are also an option. FirstLook is a scenario designed by PreparedEx but delivered by you. It comes in a kit with simple instructions to walk you and your team through a mini scenario. These packages start at $6,500, but scale down to around $5,000 when multiple scenarios are ordered.  

Planning a Well-Rounded Tabletop Exercise Takes Time and Resources  

So, to summarize, tabletop exercises come in all shapes and sizes, but there are certain elements that are essential to making them successful. First and foremost, among these is planning. A well-executed tabletop exercise will have the comprehensive five-step plan as mentioned above or something similar in terms of a process. If you’re new to the tabletop exercise worlds, take time to do your research before jumping in. The cost varies to a certain degree, but you shouldn’t be paying hundreds of thousands for an average-sized tabletop exercise. The cost for a full-service tabletop exercise should be between $25,000 and $40,000, (so I guess Google’s $30k-$50k was close enough).  

What They Say About PreparedEx’s Tabletop Exercise Service  

“Our company has grown quickly, and recently a dedicated risk resource was tasked to build a true crisis management program.  With the help of PreparedEx, we were able to not only template a crisis management plan, but also create a tabletop exercise to truly get our senior leadership team’s thoughts on if the plan was actionable and if the right players were designated.  PreparedEx did a great job designing the exercise and was able to keep everyone engaged and on task in a virtual environment, which I never thought would be possible!  Even better, they were able to share best practices with the senior leaders when it came to crisis response so everyone felt comfortable, we were heading in the right direction.  We are truly grateful for their partnership and look forward to growing our program.” - Director of Enterprise Risk, Healthcare Company  

Do you think tabletop exercises are worth the investment? Let us know in the comments section below. 

Resource: I would like to receive the PreparedEx Tabletop Exercise Service Pricing