
What is a Tabletop Exercise, and Is It a Regulatory Requirement for My RIA?
You're sitting across from an SEC examiner who asks, "Walk me through what happens if your office loses power for three days."
You pull up your 47-page business continuity plan. They nod and ask: "And how do you know this actually works?"
Crickets.
That's the question tripping up RIA owners in examinations right now. Having a plan isn't enough anymore. You need to prove you've tested it.
What You're Really Asking
Think of a tabletop exercise as a dry run for your crisis plan. Nobody's actually shutting down your systems or evacuating your office. Instead, your key people gather around a table (or on a Zoom call) and talk through what would happen if disaster struck. You're walking through your emergency response plan without pulling the fire alarm.
In that conversation, you discover things like:
The backup vendor contact in your plan retired 18 months ago
Nobody knows where the shared password vault lives
Your "emergency communication tree" assumes everyone still has the same cell numbers from 2023
The plan says to "notify clients within 24 hours" but doesn't say how, when email is down
Finding these gaps in a conference room costs time. Finding them during a real breach could cost you your firm.
It's about becoming the firm that doesn't panic when things go sideways.
What the SEC Actually Expects
Tabletop exercises aren't explicitly required by name, but they're practically required by Rule 206(4)-7.
That rule requires you to adopt policies and procedures reasonably designed to prevent violations. It also requires your Chief Compliance Officer to conduct an annual review of those policies. The SEC has been crystal clear in recent exam sweeps: having an untested business continuity plan is almost as bad as having no plan at all.
According to SEC examination findings, business continuity and disaster recovery deficiencies appear in roughly 15% of RIA examinations. That's not a small number. And the pattern is consistent. Examiners aren't just checking whether you have a plan. They're checking whether you've validated it works.
The loss you're trying to avoid isn't just regulatory. It's the moment you realize your carefully documented plan falls apart at step three because no one can access the backup system.
When an examiner asks, "How do you know your plan works?" what will you say? "We review it annually" doesn't cut it anymore. They want evidence. Documentation. Proof that someone actually walked through the steps.
That's where tabletop exercises come in.
Less Scary Than It Sounds
A typical tabletop exercise takes 2-3 hours. You don't need everyone. Just your key decision-makers, the people who would actually need to execute the plan.
A facilitator presents a realistic crisis scenario. Maybe it's a ransomware attack. Maybe it's a fire at your office.
Then you talk through it:
What would be our first three actions? (This is where you discover two people have different ideas about who's in charge)
Who would we call and in what order? (This is where you realize the vendor list is outdated)
Where are the passwords, the contacts, the backup systems? (This is where someone admits they've never actually logged into the backup portal)
What assumptions are we making that might not be true? (This is the gold)
The magic happens in the gaps. Someone says, "I'd call our IT vendor," and someone else says, "Which one? We’ve recently switched." The plan says "restore from backup," but who’s in charge?
This isn't added work. It's discovering problems before they cost you clients. Before they cost you sleep. Before they cost you your reputation.
Sleep Better. Lead Better.
Research from the Ponemon Institute shows that organizations with tested incident response plans save an average of $2 million per data breach compared to those without. But here's what matters more to you as an RIA owner:
You become the person who's actually prepared, not just technically compliant.
When systems go down (and they will), your team won't freeze. They'll execute. Because they've walked through it before.
Your clients trust you with their financial future. Shouldn't you be able to protect it when the power goes out?
Think about it this way. While other firms scramble to figure out how to communicate with clients during an outage, you're already two steps ahead. You know who's calling whom. You know where the backup contact list lives. You know the plan actually works because you've tested it.
The firm you save might be your own.
Where to Start
Next time an examiner asks how you know your plan works, you'll have an answer. Not because you have to. Because you chose to become the kind of owner who leads a prepared firm.
Pull out your business continuity plan this week. Actually read it. Then ask yourself one honest question: "Would this actually work?"
If you hesitated, even for a second, that's where tabletop exercises begin.
The conversation might feel uncomfortable at first. Good. Being uncomfortable in a conference room is better than being panicked during a crisis.
Start simple. Block three hours. Gather your key people. Pick one scenario. Talk through it. You'll know within the first 30 minutes whether your plan is more than words.
And when the SEC examiner asks that question, you'll be ready.
Key Takeaways
Tabletop exercises aren't explicitly required, but they're practically mandatory. The SEC expects you to prove your business continuity plan actually works, not just that it exists.
It's a conversation, not a drill. You gather key decision-makers for 2-3 hours to walk through crisis scenarios without disrupting operations or touching live systems.
The gaps you discover are the value. Outdated contacts, missing passwords, unclear responsibilities. Finding these problems in a conference room costs nothing. Finding them during a real crisis could cost you everything.
Your team won't panic because they've practiced. When systems go down, prepared firms execute while unprepared firms scramble.
Start simple. Pull out your plan this week, read it, and ask: "Would this actually work?" That question is where preparation begins.
Frequently Asked Questions
Q: How often should we conduct tabletop exercises?
A: At least annually, ideally twice a year. Your business changes. Vendors change. People change. Your plan needs to keep up. Some firms run a quick tabletop every six months and a comprehensive one annually.
Q: Who needs to participate in a tabletop exercise?
A: Your key decision-makers. That typically means owners, senior advisors, operations leads, and your CCO. You don't need everyone. Just the people who would need to make critical decisions during an actual crisis.
Q: Can we run our own tabletop exercise, or do we need an outside facilitator?
A: You can run your own, but an outside facilitator often yields better results. They bring objectivity, ask uncomfortable questions that no one internally wants to raise, and spot gaps you might overlook. Think of it like getting a second opinion.
Q: What scenarios should we test?
A: Start with your most likely threats: cyberattack or ransomware, power outage lasting multiple days, sudden loss of a key person, or natural disaster affecting your office. Pick the scenario that would hurt your firm most if it happened tomorrow.
Q: How do we document a tabletop exercise for the SEC?
A: Keep it simple. Document the date, participants, scenario tested, gaps discovered, and action items to fix those gaps. Then follow up by actually fixing them and documenting the fixes. The SEC wants to see that you found problems and addressed them, not that you wrote a perfect report.
