The intake queue is growing. A partner sends a file the wrong way. A funder asks for numbers by Friday, and nobody trusts the spreadsheet. Meanwhile, everyone knows a security incident would land harder here than in most workplaces, because you hold sensitive client data tied to safety, immigration status, housing, family stability, and legal outcomes. That’s where annual readiness exercise plans come in. They’re short, structured ways to practice decisions before a real incident: tabletop exercises (talk it through), drills (practice one action), and reviews (check a list, confirm ownership). For a time-starved leadership team, the goal isn’t a “big cyber event.” It’s a capacity-aware rhythm that reduces surprises and creates board-ready confidence.
This post lays out an annual readiness exercise plan nonprofit leaders can actually run, one small exercise per month, with clear limits and a simple topic picker.
Key takeaways: a capacity-friendly annual readiness exercise plan nonprofit leaders can stick with

- Plan for a 60- to 90-minute monthly time budget, including notes and follow-ups.
- Rotate three exercise types: tabletop (decisions), drill (muscle memory), review (lists and ownership).
- Use one simple topic rule: pick the most likely failure that would harm clients or stop services.
- Keep attendance small: frontline staff who touch the workflow, one exec sponsor, and a technical contact (internal or vendor).
- Bring in leadership for decision points, and invite the board at least once a year (or anytime risk tolerance is being set).
- Define success as faster decisions, fewer repeat incidents, clearer owners, and fewer “we thought someone else had that.”
Build the plan first: scope, roles, and guardrails that protect capacity
A readiness plan fails for one predictable reason: it grows teeth. It becomes a two-hour meeting. Then a half-day workshop. Then “we’ll do it next quarter.” Capacity doesn’t collapse because leaders don’t care. It collapses because the plan has no guardrails.
Start with scope that matches justice work reality. In civil legal aid and court support programs, the “incident” is often a human story: a survivor’s address exposed, a client’s documents sent to the wrong partner, a compromised mailbox that quietly forwards messages for weeks. Keep the scope centered on what you actually run: email, file storage, case management, intake forms, and the vendors that host them.
A practical boundary: one theme per month, one artifact updated per month, and no more than three follow-up tasks. Everything else becomes backlog. If your team is already juggling fragile systems, it helps to name the pattern out loud (and to stop blaming staff for workarounds). If that’s your world, https://ctoinput.com/technology-challenges-for-legal-nonprofits is a useful framing for why “small, consistent fixes” beat big transformations.
One “stop doing this” that creates capacity fast: stop trying to write perfect policies during the exercise. Capture decisions, assign an owner, and move on. The goal is readiness, not paperwork.
Pick your pace: 30, 60, or 90 minutes per month, and what you get at each level

- 30 minutes: a mini-tabletop. One scenario, one decision: “Who’s notified, and what’s the first containment step?”
- 60 minutes: tabletop plus 10 minutes to assign owners and deadlines, then a short recap email the same day.
- 90 minutes: tabletop plus a tight drill (10 to 15 minutes) to practice one action, like disabling an account or testing a restore.
Consistency beats intensity. A small monthly rhythm builds trust, because people stop guessing.
Assign clear owners without creating a new committee
You only need four roles:
- Executive sponsor (sets priorities, breaks ties).
- Exercise lead (runs the session, keeps time).
- Note taker (captures decisions, owners, dates).
- Technical contact (IT staff, MSP, or vendor support).
Plain-language RACI (responsible, accountable, consulted, informed): the sponsor decides, the exercise lead does, program and privacy leads are consulted, and everyone impacted is informed.
When client data is in scope, always include someone who understands intake, confidentiality practices, and client safety (often program leadership, privacy counsel if you have it, and the person who owns the case system workflow). If you want a simple way to anchor this inside broader planning, a [technology roadmap for legal nonprofits](https://ctoinput.com/technology-roadmap-for-legal-nonprofits) can keep security, operations, and reporting aligned instead of competing.
Your 12-month readiness exercise calendar: one focused theme per month

This calendar mixes tabletops, drills, and reviews. Each month includes a “minimum viable” option and one artifact to update. If you have to skip a month, don’t double up later. Just continue.
You can also pull free scenario starters from CISA tabletop exercise packages when you need a prompt that’s ready to run.
The calendar (January to December) with a minimum viable option for each month
| Month | Type | Theme (focus) | Time (minutes) | Minimum viable option | Artifact to update |
|---|---|---|---|---|---|
| January | Tabletop | Kickoff, inventory, phishing refresher; fake invoice or donor fraud | 60 | List top 10 systems and who owns each, run 1 scenario | System inventory + owner list |
| February | Drill | Access control and MFA; password reset path and timing | 45 | Confirm who can reset passwords and how to reach them | Admin access list + reset steps |
| March | Tabletop + test | Backups and recovery; ransomware talk-through, verify restore time | 90 | Identify what must be restored first, test one file restore | Backup checklist + RTO notes |
| April | Drill | Patching and updates; timeboxed update sprint | 60 | Update one high-risk device group and confirm success | Patch cadence + exceptions list |
| May | Tabletop | Vendor breach; contacts, contract basics, notification duties | 75 | Confirm vendor escalation contacts and where contracts live | Vendor contact sheet |
| June | Drill | Reporting habits; report a suspicious email in under 5 minutes | 45 | Practice the report path once, on real devices | “Report phishing” one-pager |
| July | Tabletop | Incident roles with leadership; privacy and client safety exposure scenario | 90 | Decide who approves client notifications and partner comms | Incident role map + call tree |
| August | Drill | Remote work and lost device; lock, wipe, revoke access | 60 | Walk through lost laptop steps, confirm who can do each step | Lost device runbook |
| September | Tabletop | Scams and deepfakes; impersonation by voice or email, verify steps | 60 | Adopt one verification step for money, data, and access requests | Verification checklist |
| October | Drill | Service disruption (outage, DDoS); manual workarounds and comms plan | 75 | Practice a “systems down” day for one workflow | Outage comms template + workaround notes |
| November | Tabletop | Data quality and reporting continuity; grant data is wrong, fix owner | 60 | Pick one key metric, define it, name the data owner | Data definition sheet |
| December | Review + drill | Year-end lessons learned; quick phishing drill; next-year priorities | 60 | Review open action items, run one short drill | After-action list + next-year themes |
Two vendor months are baked in (May and October), because real incidents often run through third parties. If you want a lightweight way to formalize vendor steps without starting from scratch, https://ctoinput.com/vendor-incident-response-plan-maker can help you capture who calls whom, what evidence to request, and what timelines matter.
Topic picker: how to choose the right exercise when you are overloaded

When the month is already on fire, choosing the “right” exercise can feel like one more decision you don’t have room to make. Here’s a 5-minute picker that keeps it honest.
Use three signals to pick the month’s topic: recent pain, biggest exposure, upcoming change

- Recent pain: What nearly broke in the last 30 days? Example: a staff mailbox compromise scare, or a client document sent to the wrong partner.
- Biggest exposure: What would most harm clients or stop services? Example: case management access shared too widely, or intake forms storing sensitive files in the wrong place.
- Upcoming change: What’s about to shift? Example: a new intake channel, staff turnover in a key role, a new vendor, or a workflow redesign.
Simple rule: if you had an incident or near-miss, that becomes next month’s theme. No debate.
Right-size the exercise: tabletop, drill, or review, and when to use each
Use a tabletop when the risk is about decisions, communications, and tradeoffs. Use a drill when timing matters (password resets, device wipe, reporting path). Use a review when the failure is “we can’t find the list” (contacts, vendor contracts, admin access).
Invite the board at least once a year, and anytime leadership needs a clear risk tolerance call (for example, “Do we pause services to contain this, or keep operating with safeguards?”). If you want examples of what board-ready outcomes look like in practice, https://ctoinput.com/legal-nonprofit-technology-case-studies shows how small, structured work can turn fear into a manageable routine.
FAQs about readiness exercises for nonprofits with limited staff
What is a tabletop exercise, and how is it different from a drill?
A tabletop is a talk-through of a scenario. A drill is practice of one concrete action, like locking an account or reporting a suspicious email.
How often should we run readiness exercises if we are short-staffed?
Monthly is ideal if you keep it small (30 to 90 minutes). If that’s too much, do quarterly and keep the same structure so it doesn’t turn into a special event.
Who should be in the room for an incident tabletop at a legal aid nonprofit?
A sponsor (ED, COO, or CFO), someone who owns intake or program workflow, the technical contact (IT or MSP), and someone who can speak to privacy and client safety. Add comms if you’d have to notify partners or funders.
What if we do not have an incident response plan yet?
Start anyway. Your first tabletop can create a one-page “who does what” and a contact list, then you build from there. For ransomware scenario structure, the Nacha ransomware tabletop participant workbook is a solid reference.
How do we measure if this is working?
Look for shorter decision time, fewer repeat mistakes, and fewer “single points of failure.” Also track whether action items actually get closed before the next exercise.
Should we include vendors in our exercises?
Yes, when they host key systems or hold client data. At minimum, confirm escalation contacts and expected response timelines.
How do we keep this from turning into busywork?
Tie each exercise to one real risk, update one artifact, and limit follow-ups to three tasks. If it doesn’t reduce confusion next month, cut it.
Conclusion
Readiness isn’t a binder. It’s a habit. One small exercise per month gives your team a place to practice decisions, tighten ownership, and protect client safety without pulling people away from service for days.
Start next week with a 60-minute kickoff: name your top systems, confirm owners, and run one simple tabletop (fake invoice or donor fraud). Then ask the question that keeps this real: which single chokepoint, if fixed, would unlock the most capacity and trust in the next quarter?
If you want help setting a calm cadence your team can sustain, schedule a clarity call: https://ctoinput.com/schedule-a-call.