Xcelus Blog — Compliance Leadership
Cybersecurity Runs Tabletop Exercises. Why Doesn’t Compliance?
By the Xcelus Editorial Team
Editor’s Note
The opening scenario below is the basis for one of our Executive Decision Lab™ kits, The Invisible Insider — a 90-minute facilitated session designed for public company leadership teams who want to practice these conversations before an incident forces them.
Imagine your organization discovers that a vendor employee accessed confidential FDA approval information and shared it with a family member who purchased stock before the public announcement.
The information was material.
The trading activity has already occurred.
The media is calling.
Outside counsel is asking questions.
The board wants answers.
Would your leadership team know what to do next?
Most organizations spend significant time preparing for cybersecurity incidents. They conduct tabletop exercises, incident simulations, and response drills. Teams gather in a room, review realistic scenarios, discuss response options, identify weaknesses, and improve coordination before a real crisis occurs.
The logic is simple: people perform better under pressure when they have practiced beforehand.
Yet many compliance programs take a very different approach. Employees complete annual training. Managers review policies. Leaders receive updates from Compliance and Legal. But few organizations ever sit down and ask:
“What would we actually do if this happened here?”
Knowing the Policy Isn’t the Same as Making the Decision
Compliance training plays an important role. Employees need to understand company policies, legal requirements, and reporting expectations.
However, real-world compliance failures rarely begin because someone forgot a policy definition. They occur when people face difficult decisions under pressure.
A manager is trying to meet a quarterly target. An employee discovers a potential conflict of interest involving a high-performing executive. A vendor gains access to sensitive information. A team uploads confidential data to a public AI platform to meet a deadline.
The challenge is not remembering a policy. The challenge is making the right decision when competing priorities, uncertainty, and business pressures are involved.
Cybersecurity leaders recognized this years ago. That is why they practice incidents. Compliance leaders should consider doing the same.
Cybersecurity’s “Practice Before It Happens” Mindset
When organizations conduct a ransomware tabletop exercise, they are not testing whether employees can define ransomware. They are testing:
Who owns the response?
How quickly can leadership make decisions?
What information is available?
Which controls work?
Which assumptions prove false?
What gaps exist?
The exercise often reveals issues that would never appear in a policy review or training course. The same principle applies to compliance risks.
A realistic scenario can quickly uncover questions such as:
Who owns third-party risk?
What would trigger board notification?
How would leadership learn about the issue?
Are escalation processes clear?
Do contracts address the risk?
Are reporting obligations understood?
These discussions often expose governance gaps long before regulators, auditors, or investigators discover them.
Five Compliance Risks Worth Practicing
Many organizations already have policies covering these risks. The question is whether leadership teams have ever discussed how they would respond if one occurred tomorrow.
Risk 01
Third-Party Risk
A vendor employee gains access to material non-public information and shares it with a family member.
Who is responsible? What contractual obligations apply? How would the organization respond?
Related: The Invisible Insider Decision Lab · Vendor MNPI training scenario
Risk 02
AI Governance
Employees use a public AI tool to analyze confidential company data.
What data was exposed? Who should be notified? What controls failed?
Related: Hidden Risks of AI Shortcuts (Ep. 4) · Shadow AI training scenario
Risk 03
Financial Integrity
A business leader pressures employees to “do whatever it takes” to achieve quarterly targets.
Where is the line between performance pressure and misconduct? Who should intervene?
Risk 04
Speak-Up Culture
An employee reports misconduct involving a senior executive.
Would leadership receive the report? Would employees trust the process? Could retaliation be identified?
Risk 05
Data Privacy
Sensitive customer information is exposed through a cloud configuration error.
Who owns the response? What reporting obligations exist? What decisions must be made within the first 24 hours?
Related: Why Bosses Cannot Authorize Data Privacy Risks (Ep. 8) · Cloud misconfiguration training scenario
From Training to Decision Practice
Training helps people recognize risks. Decision practice helps leaders prepare for them.
The goal is not to replace training. It is to add another layer of preparedness.
Pilots use simulators. Cybersecurity teams run tabletop exercises. Emergency responders conduct drills. All are based on the same principle: people make better decisions when they have practiced before the real event occurs.
Compliance leaders face increasingly complex risks involving third parties, artificial intelligence, data privacy, financial integrity, and organizational culture. Many of these issues require coordinated decisions across Legal, Compliance, Risk, IT, Procurement, HR, and business leadership.
At Xcelus, we call this format the Executive Decision Lab™ — a 90-minute facilitated session in which a leadership team works through a developing compliance crisis in real time, using role cards, scripted injections, and a written commitment captured before the room leaves.
Those conversations are often most valuable before an incident occurs.
The Question Every Leadership Team Should Ask
If a significant compliance incident occurred tomorrow, would your leadership team be seeing the situation for the first time? Or would they already have practiced the conversation?
The answer may determine how effectively the organization responds when the stakes are highest.
Built for Exactly This Question
Practice the Conversation Before the Incident Forces It
The Xcelus Executive Decision Lab™ is a 90-minute facilitated executive session built around the exact compliance risks discussed in this article. Three Labs are available now — vendor insider trading, vendor securities risk, and data privacy authorization — with more in development.
© 2005–2026 Xcelus LLC. All rights reserved. Executive Decision Lab™ is a trademark of Xcelus LLC.