Quarterly Readiness Exercise Plan (12-Month Simulation Calendar + Topic Picker)

Your intake queue is exploding, a partner asks if you were breached, and someone on staff can’t access the case system. In that moment, the biggest risk usually isn’t “hackers.” It’s confusion: unclear roles, slow decisions, and nobody sure what to say to clients, courts, or funders.

A quarterly readiness exercise plan is a simple, repeatable way to practice those decisions before the pressure is real. It’s not security theater. It’s harm reduction. It keeps downtime shorter, protects sensitive client data, and lowers the chance that staff improvise in ways that create bigger problems.

This post gives you two things you can use immediately: a 12-month simulation calendar (one scenario per quarter, with an annual capstone), plus a fast “topic picker” so you don’t overthink next quarter’s exercise.

Leaders run a practical tabletop exercise and document decisions based on their quarterly readiness exercise plan (image created with AI).

Key takeaways: a quarterly readiness exercise plan you can run with limited time

  • Plan 60 to 90 minutes per quarter for a tabletop exercise, and keep it tight and decision-focused.
  • Run one longer annual capstone (2 to 3 hours) to test cross-team coordination and vendor response.
  • Invite the people who own decisions, not just IT (program, intake, comms, HR, finance).
  • Define “done” as updated artifacts (call tree, templates, access list), not a meeting that felt good.
  • Always end with an action log that has owners and due dates.
  • Hold a monthly 20-minute action review until findings are closed.
  • Track a few simple timing and closure metrics, then report progress to leadership.

How to set up a quarterly readiness exercise plan that actually improves response

Cross-functional staff review roles and escalation steps during an exercise that is part of their quarterly readiness exercise plan (image created with AI).

The minimum structure is surprisingly small. You need a cadence, a short invite list, and a shared definition of what “good” looks like.

Start by setting a standing quarterly meeting on the leadership calendar, even if the exact scenario changes. Don’t make it optional, and don’t push it until “things calm down.” They won’t.

Next, make the exercise about your real work. In mission-first organizations, the stress points are predictable: intake and referral handoffs, case management access, client communications, payments and payroll timing, and what happens when a partner or vendor is slow to respond. If your leadership team wants a broader planning frame that connects these drills to day-to-day systems decisions, use this technology planning guide for legal aid orgs as the umbrella, then slot exercises underneath it.

Finally, define “done” as follow-through. The meeting is practice. The value is the fixes you finish.

Pick the right participants and decision points, not just IT

Keep the room small, but empowered. A practical attendee list for legal aid and justice nonprofits looks like this:

  • Executive lead (ED/CEO/COO): owns risk calls and service continuity
  • Program lead: confirms what services can pause, what can’t
  • Intake lead: knows the real workflow and the workarounds
  • Comms lead (or assigned spokesperson): handles media, funders, partners
  • HR lead: staff guidance, device loss steps, insider risk concerns
  • Finance lead: payments, payroll timing, fraud exposure
  • IT lead or vendor contact: triage, escalation paths, access recovery
  • Note-taker: captures decisions, gaps, and action items

Then define the decision points you’ll practice, in plain language:

  • When do we escalate from “ticket” to “incident”?
  • Who calls the vendor, and what do they need ready (contract, support tier, admin contacts)?
  • Who talks to clients, and what’s our threshold for outreach?
  • Who approves public statements, even if we never publish one?
  • When do we pause intake, switch to manual steps, or reroute to a partner?

This is where many exercises fail. People discuss tools, not decisions. Decisions are the muscle you’re building.

Use a simple exercise format, run it fast, then capture actions you will finish

A 60- to 90-minute tabletop can follow one repeatable flow:

1) Objectives (5 minutes)
Name 2 to 3 outcomes, like “confirm escalation path” or “draft client notice outline.”

2) Scenario brief (10 minutes)
Give a one-page setup. Keep it realistic, and relevant to your systems.

3) Injects (35 to 55 minutes)
Every 10 to 15 minutes, introduce new facts: a vendor update, a reporter email, a partner complaint, a new system alert. Ask, “Who decides? Who acts? What do we document?”

4) Debrief (10 to 20 minutes)
List what worked, what was unclear, what broke.

Stop doing this: don’t try to fix findings in the room. You’ll burn time and still won’t close them. Capture actions, assign owners, move on.

Require an action log with: action, owner, due date, and status. Then hold one monthly 20-minute action review until the list is cleared.

Metrics to keep it honest (and board-ready):

  • Time to escalate to the right leader
  • Time to reach the right vendor contact
  • Time to draft a client-facing message (even if you don’t send it)
  • Percent of actions closed by the due date

If you want a structured template for ransomware-focused practice materials, the Nacha ransomware tabletop participant workbook is a useful reference you can adapt to your environment.

Your 12-month simulation calendar and topic picker (copy, paste, and adjust)

A good calendar keeps your team from replaying the same scenario every time. It also avoids the trap of doing the hardest exercise first, then never scheduling another.

Below is a quarter-by-quarter plan designed for small teams. Quarter 3 is the longer annual capstone. If vendor coordination is usually the slowest part of response for your org, tighten it during the exercise by preparing a shared vendor runbook using https://ctoinput.com/vendor-incident-response-plan-maker.

The 12-month calendar: one clear scenario each quarter

  • Q1 (60 to 90 minutes)
    Scenario: Credential theft from phishing (staff account used to access client data)
    Test: escalation, account lockout, intake continuity, basic client comms decision
    Update this artifact: call tree and escalation path (include vendor numbers)

  • Q2 (60 to 90 minutes)
    Scenario: Public inquiry about a breach (reporter email plus a partner asking questions)
    Test: internal alignment, who approves messaging, what you can say, when to notify
    Update this artifact: client and partner comms templates (short, calm, accurate)

  • Q3 (2 to 3 hours, annual capstone)
    Scenario: Ransomware disrupts case management and shared files
    Test: service continuity, manual intake, backup and restore decisions, vendor coordination, finance impacts
    Update this artifact: backup and restore checklist (roles, timing, and proof steps)

  • Q4 (60 to 90 minutes)
    Scenario: Stolen device or after-hours alert (laptop taken, or suspicious login at 2 a.m.)
    Test: device response, HR steps, access review, what triggers password resets or MFA checks
    Update this artifact: access list (admins, shared accounts, and “break glass” access)

If you want a lightweight structure to guide tabletop planning, the Workiva tabletop exercise template can help you shape objectives and debrief questions.

The topic picker: choose next quarter’s scenario in 5 minutes

Don’t pick scenarios based on what feels scary. Pick them based on what would cause harm.

Use a 1 to 3 score (3 is highest) across four factors:

  • Client harm
  • Likelihood
  • Operational disruption
  • Third-party dependency

Add the scores. Pick the top one. If there’s a tie, choose the scenario that tests a team you haven’t exercised recently.

Match scenarios to what changed lately (new tool, new partner, staff turnover, new grant reporting requirement). Change is where cracks show up.

Scenario prompts you can keep on a one-page list:

  • Identity and access: shared mailbox compromise, MFA fatigue prompts, former staff account still active
  • Data handling mistakes: mis-sent email attachment, public link to a client folder, intake form sending data to the wrong place
  • Vendor outage: case system down on clinic day, email outage, e-filing integration breaks
  • Fraud and finance: fake invoice from a “vendor,” compromised ACH instructions, gift card scam targeting HR
  • Device loss: stolen phone with email access, lost laptop in transit, personal device with client texts
  • High visibility event: partner notifies you first, reporter calls, funder requests assurance letter
  • Insider risk: staff downloads many files, unusual access pattern after a conflict
  • Physical disruption: office closed, power outage, staff working from personal networks

FAQs (board-safe, practical answers)

How often should we run a readiness exercise?
Quarterly is the right rhythm for most organizations. It’s frequent enough to build habits, but not so frequent it becomes noise.

Do we need a full incident response plan before we start?
No. The exercises will show you what’s missing. Start with roles, escalation, and a basic action log.

Should we include vendors in the exercise?
Once a year, yes, especially for the annual capstone. Vendor speed and clarity often decide your downtime.

What’s the main sign the plan is working?
You close actions on time, and decisions get faster and calmer quarter over quarter.

Conclusion

Readiness isn’t a binder on a shelf. It’s a habit your team can trust when the pressure hits. A quarterly readiness exercise plan works because it keeps practice small, repeatable, and tied to real operations: intake, case work, client communications, and the vendors you rely on.

Start next quarter with one 60 to 90-minute tabletop. Pick one scenario. Update one artifact. Then close the action items in the monthly review until the list is empty. That’s how confidence is built, without drama.

If you want help choosing the right scenario and setting decision rights that a board can stand behind, schedule a clarity call: https://ctoinput.com/schedule-a-call. Which single chokepoint, if fixed, would unlock the most capacity and trust in the next quarter?