Handrails
Tabletop exercises

Tabletops. On-demand.

Scenario, facilitation, report. The complete tabletop in one session under 60 minutes.

No long lead time, no calendar juggling, no post-session scramble. Your team shows up virtually, responds, goes back to work.

Get startedSee how it works
<60m
Session length
50+
Frameworks covered
24/7
Schedule any time
0
Seats needed
Live · tabletop in progress
Live
Live · virtual47:32
Holly, the Handrails AI agent, facilitating a session
Speaking
Holly · Handrails AI
Alex · IR lead, participantAlex · IR lead
Nadia · Legal, participantNadia · Legal
Transcript
Holly
What gets in the way

Why tabletops fall flat

01

They take weeks to stand up

Even a well-resourced team loses the better part of a quarter to scheduling, scoping and pre-reads. Holly compresses that into the time it takes to send the calendar invite.

02

The scenario rarely fits the company

Generic templates produce generic conversations. Holly generates a scenario tuned to your industry, organization and regulations.

03

The evidence gets lost in the room

Decisions get made, then lost in Slack threads and post-session emails. Every decision, every Directly Responsible Individual (DRI), every clause cited, auto-recorded during the session. No post-session scramble. Fully controlled and efficient.

Two ways to run a tabletop

Bespoke engagement, or on-demand. Both have a place.

Consultant-led tabletops are built for complex, multi-entity scenarios and deep advisory engagements. Handrails is built for speed and execution: the quarterly rehearsal, the post-incident re-run, the renewal-window evidence, the SOP that needs a pressure-test before Friday.
The old way

Bespoke engagement · Consultant-led tabletop

  • Built for complex, multi-entity scenarios where the design itself needs expert hands
  • Deep industry expertise shapes the scenario, the room and the debrief
  • Custom scoping, bespoke write-up
  • Often used for annual flagship rehearsals with a consultant who knows your sector
With Handrails

On-demand · Handrails

  • Built for speed and execution between flagship exercises
  • Schedule any day, any time, no facilitator to book
  • Transparent PAYG pricing
  • Report ready before your team signs off
  • Re-run any time, same scenario or a new twist
  • Track progress and insights between tabletops (coming soon)

Many of our partners are consultancies who use Handrails to extend their own programs. See Partner with Handrails.

Clauses covered

One exercise. Fifty-plus frameworks.

Handrails runs tabletops mapped to the real clauses your auditors, regulators and boards are asking about. Not a generic best-practice walk-through.
SOC 2 / ISO 27001 / NIST CSF
Incident Response
At least annually
SOC 2 TSC · CC7.3ISO 27001:2022 · A.5.24NIST CSF 2.0 · RS.AN / RS.MI

The IR plan must be documented, communicated and tested. Auditors and underwriters look for evidence that scenario-based exercises happen on cadence, not just that the plan exists.

Sample exercises: Cyber incident response · Ransomware response · OT cybersecurity · Connected-device cybersecurity.

If skipped: Qualified SOC 2 report; ISO nonconformity at surveillance audit; cybersecurity maturity gap flagged by insurers and assessors.
APRA CPS 230 + EU DORA + PRA SS1/21
Business Continuity
At least annually; on material change
Prudential Standard CPS 230 · §41-45Regulation (EU) 2022/2554 · Articles 24-25PRA SS1/21

Regulated entities must test continuity plans against severe-but-plausible scenarios across critical operations and material service providers. Identify important business services, set impact tolerances, then prove the tolerances hold.

Sample exercises: Operational resilience · Third-party disruption · Supply chain integrity.

If skipped: Supervisory intervention; capital add-ons; FAR consequences for accountable executives; s.166 skilled-persons review.
BRCGS / SQF / FSSC + US SEC
Crisis Management
At least annually; separate from the recall test
BRCGS Issue 9 · Clause 3.1117 CFR 229.106Form 8-K Item 1.05

The crisis-management plan must be tested annually as a separate exercise from the recall procedure. For US SEC registrants, material cybersecurity incidents must be disclosed within four business days of materiality determination.

Sample exercises: Crisis management · Mass-casualty response.

If skipped: Major BRCGS non-conformance; SQF and FSSC scheme finding; SEC enforcement; shareholder litigation.
SQFI + FSANZ + FSMA + FDA + TGA + EU MDR
Recall & Safety
At least annually; retailers often require every 6 months
SQF Edition 9 · Clause 2.6.3FSANZ Standard 3.2.2FDA FSMA Section 204TGA PRACEU MDR Art. 87-92

Documented mock recalls verify the recall and withdrawal procedure works in operational conditions. Medical device manufacturers face equivalent obligations under FSCA and post-market surveillance frameworks. Pharma sponsors face market-action and pharmacovigilance reporting clocks.

Sample exercises: Mock recall & traceability · Food defence (TACCP) · Food fraud (VACCP) · Outbreak response · Sentinel event · Recall & FSCA · Pharmacovigilance signal · Vigilance & post-market surveillance.

If skipped: Loss of certification; retailer delisting; FDA enforcement under FSMA; FSANZ regulatory action; TGA mandatory recall; notified-body certificate suspension.
US FDA + TGA + EU GMP + ICH
Quality & Compliance Process
Periodic effectiveness verification
21 CFR Part 211PIC/S GMP GuideEU GMP Ch. 1ICH Q10

CAPA framed as an investigation-and-effectiveness system. CAPA discipline is the single most-cited Form 483 deficiency. The TGA adopts the PIC/S Guide to GMP for medicinal products by reference, so equivalent expectations apply to Australian licensed manufacturers.

Sample exercises: Quality escalation & CAPA.

If skipped: Form 483; warning letter for systemic failure; TGA GMP Clearance suspension; EMA and PIC/S non-conformance; notified-body action.
How a tabletop runs on Handrails

From zero to evidence in three steps.

Under 60 minutes, virtual, with your team on a link. Holly handles the scenario, the session and the write-up.
1Context in
Context
FormatVirtual · on-demand
Length60–90 minutes
TeamUnlimited on link
Covers15+ frameworks
ScenarioAI-generated · bespoke
ScheduleAny day, any time
FormatVirtual · on-demand
Length60–90 minutes
TeamUnlimited on link
Covers15+ frameworks
ScenarioAI-generated · bespoke
ScheduleAny day, any time
Popular todayRansomware · BEC · vendor breach
InputURL · plans · policies
OutputClause-mapped report
ExportPDF · CSV · GRC push
Re-runSame seed, new twist
NarrationLive, human-quality
Popular todayRansomware · BEC · vendor breach
InputURL · plans · policies
OutputClause-mapped report
ExportPDF · CSV · GRC push
Re-runSame seed, new twist
NarrationLive, human-quality

Context in

Paste a policy, share a URL, or describe your setup. Holly writes a scenario that looks and feels like your business, not a textbook. Tuned to your architecture, customers and framework, in minutes.

2Virtual session
Live · virtual47:32
Holly, the Handrails AI agent, facilitating a session
Speaking
Holly · Handrails AI
Alex · IR lead, participantAlex · IR lead
Nadia · Legal, participantNadia · Legal
Transcript
Holly

Virtual session

Nominate a team to join a single live video call. Engineers, legal, comms, exec, observers, everyone in the same room at the same time. Holly facilitates, asks the hard questions, injects twists, and keeps the clock so the exercise finishes on time.

3Report out
Tabletop · vendor breachReady
Vendor exposure map34 integrations triaged in 18 min
Customer impact list214 tenants, severity tagged
Breach-notification SLAContract says 24h; ours says 72h
Support holding statementPre-approved · sent
Executive briefing docNo 1-pager template ready

Report out

Holly writes the after-action report while the session runs. What went well, what broke, what to fix, mapped to the clauses and frameworks you care about.

What you walk away with

Four artifacts, in the shape audits accept.

Auditor-ready evidence pack

Clause-mapped write-up with decisions, DRIs and recommended actions. Drop into the audit folder as-is.

Board and exec-ready summary

A one-page narrative for the audit committee or risk committee. What was tested, what held, what didn't, what we're doing about it.

Owner-tagged action list

Findings paired with DRIs and actions. Drop straight into your tracker the minute the call ends.

Gap and remediation register

Severity-ranked gaps, missed escalations and process failures with clear remediation actions and owners.

Your next tabletop is sixty minutes away.

Sign up, describe your setup, pick a scenario. Hand the report to your auditor the same afternoon.

Get startedSee how it works