
10 Crisis Exercise Scenarios to Test Your BCMS in 2026

10 concrete crisis exercise scenarios: ransomware, cloud outage, executive absence, supplier crisis... Briefings, objectives, key observation points.

ResiPlan Team, crisis management experts (13 min read)

Testing your BCMS through regular exercises is not optional: it is an explicit requirement of ISO 22301 (clause 8.5) and DORA (art. 25), and an unavoidable best practice for any serious continuity program. But finding relevant, realistic, and instructive scenarios is often the sticking point. Here are 10 turnkey scenarios for your 2026 tabletops, with briefings, objectives, and evaluation metrics.

Before the scenarios — methodological reminder

Exercise types (from lightest to most complete)

| Type | Duration | Cost | Disruption |
|---|---|---|---|
| Discussion / walkthrough | 1-2h | Low | None |
| Tabletop | 2-4h | Low | None |
| Functional simulation | Half-day | Medium | Limited |
| Full live exercise | 1-3 days | High | Real |
| DRP technical test | Variable | High | Real IT |

Tabletops offer the best value for the investment: they test processes, roles, and decisions without impacting production.

Tabletop structure

  1. Initial briefing (10 min) — scenario presentation
  2. Injections (60-90 min) — new info gradually disseminated
  3. Decisions (observed and timed)
  4. Immediate debrief (15 min) — hot reactions
  5. Structured post-mortem (1-2 weeks after) — written report + action plan

Scenario 1 — Multi-site ransomware

Context

An employee clicks on a phishing link. Within 2 hours, ransomware has spread to 40 servers, including the ERP. All files are encrypted. A ransom demand of €850,000 in Bitcoin is discovered.

Objectives

  • Test the crisis cell escalation procedure
  • Verify the decision chain: pay or not?
  • Test internal + external communication
  • Validate the recovery plan without compromised backup
  • Assess coordination with authorities (ANSSI, CNIL, Police)

Key injections (timeline)

  • T0: SOC alert
  • T+30min: First server unavailable
  • T+1h: 10 business applications down
  • T+2h: Journalist contacts Communications
  • T+3h: Employee contacted by attackers
  • T+4h: Restores fail (backup compromised)

Key points to observe

  • "Cut the network" decision delay?
  • Crisis cell assembled in how long?
  • Customer message prepared?
  • GDPR 72h and NIS2 notification started?
  • Fallback procedure (paper, Excel) activated?

Scenario 2 — Prolonged AWS / Azure outage

Context

Major regional outage of the primary cloud provider. Estimated unavailability 12-48 hours. 60% of the company's applications are hosted in this region.

Objectives

  • Test cloud dependency and alternatives
  • Validate multi-region failover plans
  • Assess impact on critical activities
  • Test communication with customers

Key injections

  • T0: AWS status announces incident
  • T+1h: Confirmation eu-west-3 region down
  • T+4h: No ETA given by AWS
  • T+8h: Major customer complaint
  • T+12h: Announced end of incident pushed back to T+24h

Key points to observe

  • Critical applications correctly identified upstream?
  • Multi-region failover activatable?
  • Degraded activities acceptable or not?
  • Plan B activation decision?

Scenario 3 — Main data center fire

Context

Fire in the data center hosting the main server room. Firefighters controlled the fire but the data center is unusable for 2-4 weeks. Fortunately, a backup site exists.

Objectives

  • Activate and validate the physical DRP
  • Test the physical crisis plan (people safety, communication)
  • Assess the failover delay to the backup site
  • Verify resilience in prolonged degraded mode

Key injections

  • T0: Fire safety alert
  • T+30min: Building evacuation
  • T+2h: Firefighters confirm data center down 2-4 weeks
  • T+4h: Leadership requests backup site failover
  • T+8h: First services failed over, but 3 remain down
  • T+24h: Some business processes durably impacted

Key points to observe

  • Backup site RTOs/RPOs respected?
  • Technical teams mobilizable on-call?
  • Clear communication to business users?

Scenario 4 — Targeted DDoS attack

Context

Massive DDoS attack (500 Gbps) against the main website and public API. The attack is claimed by a hacktivist group following a public position taken by leadership in the media.

Objectives

  • Test coordination with anti-DDoS provider
  • Validate the crisis communication plan
  • Test degraded front-end scenarios
  • Assess media and social media pressure

Key injections

  • T0: Website slowed then inaccessible
  • T+30min: DDoS confirmed by ISP
  • T+1h: Claim on Twitter/X
  • T+2h: Negative trending topic
  • T+4h: Mobile app unreachable for customers
  • T+6h: New wave using another vector

Key points to observe

  • Effective anti-DDoS activation?
  • Coherent leadership + comms messaging?
  • Business impact quantified?

Scenario 5 — Executive crisis / critical absence

Context

The CEO is seriously injured in an accident. The CIO is on vacation (unreachable). The communications lead is on sick leave. A major production incident breaks out that day.

Objectives

  • Test authority delegation and named backups
  • Validate management in degraded human mode
  • Assess decision-making without usual hierarchy

Key injections

  • T0: Major product quality incident
  • T+30min: Leadership escalation attempt → no one reachable
  • T+1h: Customer + press pressure
  • T+2h: Designated delegates mobilized (or not)
  • T+4h: Decisions made or postponed

Key points to observe

  • Is the delegation chain known and tested?
  • Do human backups have necessary info + access?
  • Does someone make the decision?

Scenario 6 — Critical supplier compromise

Context

Your SaaS payroll vendor (used for 2,000 employees) has suffered an intrusion. Your employees' personal data is potentially compromised. The vendor notifies you 5 days after the event.

Objectives

  • Test supplier contractual clauses
  • Validate DPO communication + CNIL notification
  • Assess multi-party coordination (you, vendor, authorities)
  • Test handling of potential employee anger

Key injections

  • T0: Vendor email reporting breach
  • T+2h: Confirmation data exposed
  • T+4h: Decision to notify DPA within 72h
  • T+8h: Union requests extraordinary meeting
  • T+24h: Press inquires

Key points to observe

  • Up-to-date data inventory at this vendor?
  • GDPR notification started?
  • Internal employee communication prepared?
  • Vendor legal coordination?

Scenario 7 — Natural disaster + pandemic

Context

Major flood makes the headquarters inaccessible for 1 week. In parallel, a pandemic resurgence imposes 100% remote work. 40% of teams are affected by the virus.

Objectives

  • Test continuity under dual constraint (premises + HR)
  • Validate large-scale remote work capabilities
  • Assess critical activity prioritization
  • Test extended internal communication

Key injections

  • T0: Weather alert + premises closure
  • T+4h: Sustained flood confirmation
  • T+24h: Many sick leave announcements
  • T+48h: Full remote work failover
  • T+72h: Critical supplier also impacted

Key points to observe

  • VPN + MFA capacity for 2,000 users?
  • Activity prioritization (MBCO) clear?
  • Critical role replacement (delegation)?

Scenario 8 — R&D data leak

Context

A resigning employee is suspected of having downloaded 15 GB of R&D product plans before leaving, and allegedly sold them to a foreign competitor.

Objectives

  • Test CISO + HR + legal coordination
  • Validate post-employment processes (access revocation, monitoring)
  • Assess legal response (complaint, injunction)
  • Test internal communication (without panic)

Key injections

  • T0: Historical DLP alert
  • T+2h: Forensic analysis confirms massive download
  • T+4h: Employee unreachable
  • T+8h: Rumors of competitor product announcement
  • T+24h: Decision to file criminal complaint

Key points to observe

  • Effective and rapid access revocation procedure?
  • Digital evidence preserved and usable?
  • Controlled internal communication?

Scenario 9 — Prolonged B2B payment outage

Context

Your supplier payment system has been down for 36 hours (software bug after an update). Critical suppliers threaten to cut deliveries. It is the end of the month and 3,000 wire transfers are late.

Objectives

  • Test financial continuity
  • Validate manual alternatives
  • Assess supplier relationship management
  • Test payment prioritization

Key injections

  • T0: Bug identified
  • T+12h: Patch fails
  • T+24h: Suppliers contacted
  • T+36h: Major supplier threatens interruption
  • T+48h: Priority manual payment decision

Key points to observe

  • Existing and documented manual process?
  • Who has authority to sign emergency checks?
  • Coherent supplier communication?

Scenario 10 — Double incident (cyber + physical)

Context

A cyber intrusion starts encrypting workstations at the same time as a physical incident (server room water leak) triggered by an insider. The attacker's objective is to maximize damage.

Objectives

  • Test simultaneous multi-incident management
  • Validate cyber vs physical crisis prioritization
  • Assess available human resources (saturation)
  • Test multi-cell coordination

Key injections

  • T0: SIEM alerts + water detector
  • T+30min: Two cells activated in parallel
  • T+1h: Evident decision fatigue
  • T+2h: New injections on 3rd vector

Key points to observe

  • Single or dual command?
  • Resource allocation to both incidents?
  • Team fatigue?
  • Ability to maintain timeline?

Summary table

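| # | Scenario | Dominant type | Duration | Complexity |
|---|---|---|---|---|
| 1 | Multi-site ransomware | Cyber | 4h | High |
| 2 | AWS/Azure outage | Technical | 3h | Medium |
| 3 | Data center fire | Physical | 3h | Medium |
| 4 | Targeted DDoS | Cyber + Comms | 2h | Medium |
| 5 | Executive absence | Human | 2h | Low |
| 6 | Supplier compromise | Cyber + Legal | 3h | High |
| 7 | Flood + pandemic | Physical + HR | 4h | High |
| 8 | R&D data leak | Cyber + Legal | 3h | Medium |
| 9 | B2B payment down | Financial | 2h | Low |
| 10 | Cyber + physical | Multi | 4h | Very High |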

Recommended cadence

For a mature organization:

  • 2 tabletops/year mandatory (1 cyber + 1 physical/HR)
  • 1 full live exercise every 2 years
  • Quarterly DRP technical tests on critical systems
  • Integrated post-mortem in an improvement cycle

How ResiPlan structures your exercises

  • Library of 40+ turnkey scenarios
  • Customizable injection generator based on your systems
  • Exercise workflow with timeline, roles, observers
  • Structured post-mortem with integrated action plan
  • Exercise maturity dashboard by critical activity
  • Annual calendar with cadence tracking

Start a free trial to access the complete scenario library.

Conclusion

Exercises are the only way to verify a BCMS works. Without regular testing, plans become dead literature in folders. The 10 scenarios presented cover 80% of crisis situations your organization will encounter.

The real ROI of an exercise program is not in validation (every exercise reveals gaps), but in continuous improvement. Each exercise identifies 3-5 concrete improvement points that, cumulatively, transform the organization's real resilience.
