Preparing for an Active Shooter Event:

A Tabletop Exercise

By Ted Brown

If your organization has never fired anyone, has never laid anyone off, has only single employees that have never been married or divorced, and have no significant others in their lives, then you don’t have to worry about Work Place Violence (WPV) or an Active Shooter. If your organization does NOT fit this profile, then you need to prepare for an Active Shooter. Management needs to understand that they are personally liable for not providing for the safety and security of their staff (OSHA 1910-34139). Several executives have been convicted under that statute and are serving time in jail.

Management needs to educate their staff regarding how to act during an active shooter incident. An employee needs to know:

  • How to identify themselves as not being a threat to the law enforcement personnel (e.g. cell phones can look like a weapon during the "fog of combat", backpacks can be suspected of containing weapons, etc.)
  • Their purses, brief cases, tablets, etc. can be confiscated by law enforcement
  • During the clearing phase employees or visitors may need to stand in line for an hour or more depending on how many people are involved and how many law enforcement officers are checking people.

Most organizations are unprepared. How do you prepare? Start by creating an “All Hazards” Business Continuity Plan, and an Incident Command Team (ICT) and Plan (ICP). The first is to manage the business for any eventuality, including a Work Place Violence event, when your business may be shut down as an active crime scene. The latter is to manage the incident. Both plans need to be tested, for an untested plan is worse than no plan at all; because it causes Senior Leadership to believe “We’re ready” when they actually are not. And the best way to test both plans is with Tabletop Exercises.

Rules for Successful Tabletop Exercises

Do not start with a workplace violence tabletop: Pick any other scenario to exercise the plans. Regardless of the maturity of the BCP and ICP, most organizations are ill prepared for a Work Place Violence event. Test the plans, publish After Action Reports (AAR), complete the AAR plan improvements. Then conduct a WPV Tabletop.

It takes two, a facilitator and a note taker: Many times we have conducted Tabletop Exercises with organizations that had previously done them with just a leader and no scribe. This approach results in missing or incomplete After Action Reports.

Make it realistic and include news film footage, quotes, and articles such as:

  • "The Term 'Active Shooter' is a perfect description for what happens in these increasingly familiar incidents. One or more people begin shooting everyone in sight, either for a specific purpose or simply at random. As to be expected, when a new rash of crimes comes into being, law enforcement begins adapting and gearing up to meet the challenges the incidents present." Source: Lt. Dan Marcou, Retired, 32 years with the La Crosse, Wisconsin Police Department.
  • Baltimore — "A man who became distraught as he was being briefed on his mother's condition by a surgeon at Johns Hopkins Hospital pulled a gun and shot and wounded the doctor Thursday, then killed his mother and himself in her room at the world-famous medical center, police said. The gunman, 50-year-old Paul Warren Pardus, had been listening to the surgeon around midday when he became emotionally distraught and reacted, and was overwhelmed by the news of his mother's condition." Source: Police Commissioner Frederick H. Bealefeld III.
  • The Associated Press: "Pennsylvania man shoots, kills ex-wife as she plays organ at church service. The deranged elementary school teacher shot his ex-wife and then returned moments later to shoot her again and make sure she was dead, police said."

The initial exercise should be conducted without law enforcement to get people familiar with the concepts and identify areas for improvement. Thereafter try to engage law enforcement in the exercises. Try to establish a liaison relationship with the local police and fire departments.

Some key principles

  • Participants can’t say “Probably” – Remember, the purpose of the Tabletop is to test and improve the BCP or ICP. When someone says “probably,” that means they’re speculating and not executing the plan.
  • Ask participants: “Where is it written?” – Like the "probably" issue above, this question is to verify what’s being said is what’s written in the plan.
  • Participants shouldn’t say: "We did that a few moments ago." Remember we’re operating against a timeline. In real life you can’t go back.
  • When the facilitator asks “Who”, thThere are no wrong answers! Don’t discourage participation.e answer must be specific. Specify names and functions or responsibilities.
  • Best practices change, so annually review the corporate procedures against the current best practices and update as appropriate.

Objectives and Scope of Tabletop Exercises

  • Discuss communication paths and capabilities. In a disaster, the most important thing is communication. In a disaster, the first thing to break is communication.
  • Ensure the functionality of the Business Continuity Plan or Incident Command Plan. Do they work?
  • Verify the essential functions, critical processes, and dependencies are identified. They should have been identified in the BIA and documented in the plans.
  • Identify how each critical process will continue. Will work-arounds be required? Do they exist?
  • Verify team members understand their roles and tasks. It’s a good idea to conduct Tabletops with just the back-up personnel, after thoroughly testing the plans with the primary team members.
  • Document gaps and shortfalls, but DON’T FIX them. This is a very important role for the facilitator. It’s human nature to want to immediately fix a problem once identified. Resist this temptation. Document the problem for inclusion in the After Action Report.
  • Match expectations to human behavior. Will people actually do what the plan says they are supposed to do? Many ICPs assume that employees will assemble outside so that a headcount can be taken. With an active shooter, isn’t that the last thing we want? But the ICT and ICP must have a way of identifying who got out and who’s still inside. That’s the first thing the police will want to know when they arrive.

Quality After Action Reports

  • They require a separate “scribe.” It’s impossible to both facilitate and take notes.
  • The facilitator and scribe must review the notes immediately following the exercise.
  • The AAR must contain specific action items, individual named owners and completion due dates.
  • The AAR must be in at least two forms: a spreadsheet with the Action item, owner and due date and an Executive Summary document.
  • The AAR should be presented in at least two different meetings: To the Tabletop participants and to Senior Leadership. For the ICT, there may be some overlap. But a key concept and frequent finding is that the CEO or most senior elected official should not be the Incident Commander. They should manage the organization’s business, not the incident.

Some sample notes from actual WPV Tabletops

1. Would lock down – won’t work when lose power – doors would automatically unlock: Investigate alternatives.
2. Unclear what external property manager would do: Meet with property manager to understand their role.
3. Building has no PA; how would employees be alerted: develop an emergency notification capability.
4. No panic button at reception: investigate installing a button or two (one internal; one for the police.)
5. Off-line discussion with HR on policy for employee with restraining order: Develop and document policy and procedure.
6. Make sure the ICP has a decision to communicate with customers or not based on the event and the communications: update ICP.
7. Reinforce WPV plan; need floor plans; revisit panic button: provide floor plans to ICT and first responders.
8. Critical – employee relations – how do we communicate out to employees: determine how to communicate to employees and vice versa.
9. What do we expect from Security (outsourced – not employees), and do they have the capability: Meet with external physical security organization.
10. What about cars in the garage? How to sweep? : Develop and document procedures.


Every organization needs Business Continuity plans and Incident Command Teams and Plans. These plans must be tested at least once a year. The lowest risk, highest return way to test these plans is Tabletop Exercises which require two facilitators. The CEO should not be the Incident Commander. Employee, customer, and stake holder communications are key and will be the first thing to break. Most external security organizations are not armed and will not intercede with an Active Shooter. Educate! Educate! Educate! Test! Test! Test!

About the Author:

Edward (Ted) B. Brown III CBCP, CBCV, MBCI is President & CEO of KETCHConsulting, a BCP, COOP, DR and Crisis Management Consulting firm. Ted is a member of the Contingency Planning & Management Hall of Fame, a member of the BCI USA Board where he serves as Education Chair. A graduate of Penn State, he is a member of the Penn State Board of Trustees, serving on the Audit and Risk Committee and is the founder of the Risk Subcommittee. He has taught more classes on conducting Tabletop Exercises at the Disaster Recovery Journal, Continuity Insights, and Continuity Planning & Management Conferences than any other person in the industry. He can be reached at or 484-919-2966.