Executive Decision Lab™ — Compliance Tabletop Exercises

Ninety Minutes Inside the Decisions Your Leadership Team Has Not Yet Had to Make

The Executive Decision Lab™ is a facilitated executive session that walks a leadership team through a developing organizational crisis in real time. It is not training. It is not a security tabletop. It is not a compliance audit. It is a structured executive discussion designed to surface a category of risk that typically does not get C-suite attention until an incident forces it — and to produce written commitments that the leadership team takes forward.

Quick Answer

What is an Executive Decision Lab, and how is it different from a compliance training course or an IT tabletop exercise?

An Executive Decision Lab is a 90-minute scenario-based discussion built specifically for compliance leadership — CCOs, General Counsel, Chief Risk Officers, and executive teams. Unlike IT tabletop exercises that simulate external threats, Decision Labs surface internal authority gaps and structural risk categories that only become visible when an incident forces them into view. Unlike standard compliance training that teaches the rules, Decision Labs put leaders in the chair and ask: What would your team actually do in the next ninety minutes if this happened?

Each Lab is licensed to your organization, run by your internal facilitator, and produces written executive commitments that carry forward into board engagement, audit committee briefings, and 30-day follow-up.

Designed For

Chief Compliance Officers · General Counsel · Chief Risk Officers · Internal Audit Leaders · Compliance Committees · Executive Leadership Teams · Board Committees

A Different Kind of Executive Session

This Is

A facilitated case discussion — ninety minutes inside a developing organizational crisis with senior leadership in the chair.

A leadership-level conversation about authority, contracts, regulatory thresholds, and the structural risk categories that surface only when an incident forces them.

A commitment-producing session — leaders leave with written next steps, named owners, and a 30-day check-in already scheduled.

This Is Not

Security awareness training. Your phishing tabletops cover external threats. This is internal.

Compliance training. Participants are not being taught the rules — they are being asked what they would do under pressure.

A security incident simulation. The format is a structured case discussion. No keyboards, no live systems, no red teams.

Built for the Conversation Before the Incident

Compliance failures at the leadership level are rarely caused by ignorance of the rules. They are caused by decisions made under pressure — by leaders who knew the rules in the abstract but did not recognize the moment they were in.

Every Decision Lab is built around a structural risk category that does not currently get leadership attention — vendor-side misappropriation, business authority versus regulatory authority, the boundary between a deferrable program risk and a 72-hour notification clock. The Lab is for the conversations that need to happen before the incident, not after.

The Three Decision Labs Available Now

Each Lab addresses a distinct category of leadership risk. Designed to be run independently or in sequence over a quarter.

Lab 01
For Public Company Leadership

The Invisible Insider

When a routine vendor session becomes a securities investigation.

A vendor employee’s 43-minute window between viewing FDA approval data on a client system and his sister’s stock purchase triggers a federal investigation. The Lab places the CCO, General Counsel, CISO, and CEO in the same room to work through disclosure timing, vendor relationship review, and the regulatory engagement decisions that follow when the dots are connected internally before the SEC connects them externally.

Category: Vendor MNPI · Misappropriation Theory · SEC engagement

Lab 02
For Vendor and Service Provider Leadership

The MSA You Didn’t Read

When an eighteen-page contract becomes a federal securities investigation.

The 2:30 PM call comes in from a publicly traded client’s General Counsel — and the leadership team learns that the standard NDA clause in the standard MSA quietly committed the entire workforce to federal securities law obligations no one had read carefully. The Lab is the companion to The Invisible Insider, viewed from the vendor side. The CEO, COO, General Counsel, and HR lead work through the audit, training gap, and disclosure decisions that determine whether an employee’s act becomes a one-off incident or a company-defining one.

Category: Vendor MSA exposure · Training gap audit · Client cooperation

Lab 03
For Data Privacy and Regulated Industry Leadership

The Authorization Email

When a risk acceptance decision crosses a regulatory line.

A VP sends a written authorization to accept two IT security findings under deadline pressure — not realizing that one of them is a GDPR notification trigger that he does not have the authority to defer. The Lab places business leadership and the Data Protection Officer in the same room to work through what business authority can and cannot legally authorize, the 72-hour clock that started when the email was sent, and the board-level question of how the organization governs the boundary between business risk and regulatory risk.

Category: Business authority vs regulatory authority · GDPR 72-hour clock · DPO escalation

How a Lab Runs

Each Lab runs 90 minutes in seven scripted segments.

0:00 – 0:10: Setup. Frame the session, assign roles, set ground rules.
0:10 – 0:25: Phase 1 Injection. The opening crisis lands. Three decisions on the table.
0:25 – 0:40: Phase 1 Discussion. Each role weighs in. The facilitator surfaces gaps.
0:40 – 0:55: Phase 2 Injection. Time has passed. The scope widens. Pressure compounds.
0:55 – 1:10: Phase 2 Discussion. Resolution under escalation.
1:10 – 1:25: After-Action Review. Capture commitments. Assign owners.
1:25 – 1:30: Close. Confirm follow-up. Set the 30-day check-in.

What Comes in the Kit

Every Decision Lab kit includes seven deliverables, licensed to your organization and run by your internal facilitator.

Facilitator Guide

Complete session script with phased narration, discussion prompts, expected responses, and debrief guidance.

Executive Slide Deck

A professionally designed presentation that guides participants through the exercise. Sequenced to match the facilitator guide.

Executive Role Cards

Printable, one per leadership role, with background information, primary concerns, and predictable blind spots for that seat.

Scenario Injection Cards

Time-stamped facts that land at scripted moments to introduce new developments and increase complexity.

After-Action Review

Structured discussion framework for capturing commitments live in the room — owners, deadlines, dependencies.

Executive Summary Template

A ready-to-use one-page memo for the board, audit committee, or ownership.

30-Day Follow-Up Template

A structured accountability tool to track commitments and progress between the session and the next leadership review.

When a Decision Lab Is the Right Tool

Five attributes consistently separate strong Lab scenarios from weak ones. If your situation matches these, this is the format.

The decisions belong to senior leadership.

Disclosure timing. Regulatory engagement. Contract review. Board communication. Organizational posture. The scenario must put real authority on the table — not “what should the employee have done.”

The risk category is structurally invisible until an incident occurs.

Vendor-side misappropriation. Business authority versus regulatory authority. The boundary between a deferrable program risk and a 72-hour notification clock. If your leadership team already discusses this category regularly, you do not need a Lab.

The pressure comes from inside the organization.

The leader who sent the email he should not have sent. The employee who saw something he should not have seen. The VP who accepted a risk he did not have the authority to accept. External-threat scenarios belong to the security tabletop format.

The decisions are genuinely contested.

Business instinct and legal instinct point in opposite directions. Reasonable executives disagree. The right answer is itself something the room must work through. If the facilitator can predict every response before the session begins, the scenario is too thin.

The consequences play out across quarters, not days.

The commitments captured in the room need a real organizational arc to live within — board engagement, audit committee briefings, 30-day check-ins, and ongoing remediation work over the following 12 to 18 months.

Pricing and How to Get a Kit

Each Lab is licensed to your organization with unlimited internal use. Single Lab and three-Lab bundle pricing available.

Pricing

Contact Xcelus for pricing.

Single Lab kits and three-Lab bundles available, each licensed to your organization with unlimited internal use. Light industry customization is included; deeper customization is available as a separate engagement.

How It Works

Contact Xcelus to confirm scope and pricing. Receive all seven deliverables digitally within 24 hours of agreement. Schedule the session for whenever your leadership team is available. Most organizations run their first Lab within 30 days.

Frequently Asked Questions

Who runs the session — your team or ours?

You do. The kit is licensed to your organization and designed to be facilitated by your CCO, General Counsel, or designated executive. Keeping facilitation internal keeps the conversation honest and the commitments accountable to the room. External facilitators tend to produce performative engagement; internal facilitators produce real decisions.

How is this different from a security tabletop?

Security tabletops cover external threats — phishing, ransomware, and social engineering. The Decision Lab covers internal authority gaps — the moments when leaders within the organization make decisions they did not realize they lacked the authority to make. Different category, different format, different audience. If you already run quarterly IT tabletops, the Decision Lab complements them rather than replacing them.

How is this different from a Case Study Review from LRN or Navex?

Case Study Reviews from larger compliance vendors are typically generic, drawn from enforcement actions, and require the CCO to provide the structure, the discussion prompts, and the facilitation logic from scratch. Decision Labs ship as complete facilitator kits with scenario-specific role cards, time-stamped injection cards, after-action capture templates, and a 30-day follow-up structure. The scenarios themselves are original — built around recognizable institutional pressure patterns rather than retold enforcement actions.

Can we customize the scenarios for our industry?

Each Lab is designed to be vertical-recognizable without being vertical-specific. The Invisible Insider works for any public company. The MSA You Didn’t Read works for any service provider with publicly traded clients. The Authorization Email works for any GDPR-regulated organization. Light customization is built into the kit; deeper customization is available as a separate engagement.

What size organization is this for?

Most appropriate for organizations with formal C-suite leadership teams — typically 200+ employees. Labs have been designed for both public and non-public companies. The MSA You Didn’t Read in particular was built for non-public service providers whose clients are publicly traded.

Do we get to keep the materials?

Yes. The license is perpetual within your organization. Run the Lab as many times as you need to — with new executives, with the board, with regional leadership teams, with the audit committee. The 30-Day Follow-Up template is designed for ongoing use across multiple sessions.

How much does a Decision Lab cost?

Pricing is scoped to your organization and the Lab or Labs selected. Contact Xcelus to discuss single-Lab and bundle pricing. Every kit is licensed with unlimited internal use, and light industry customization is included.

How often should we run a Lab?

Most organizations run one Lab per quarter in the first year, then transition to running each Lab annually as part of the executive risk calendar. The three Labs available now address different risk categories and can run in sequence without overlap. New Labs are being added to the product line.

The Methodology Behind Every Lab

Every Xcelus product is built around the Decision Readiness Engine™ — our framework for the seven moments where situational pressure makes the wrong choice feel normal. The Executive Decision Lab is where that framework lands at the C-suite level.

Where standard compliance training answers the question “what is the rule?” the Decision Lab answers a different question: what would your leadership team actually do in the next ninety minutes if this happened?

Related Compliance Resources

Insider Trading & Tipping Scenarios

The microlearning scenarios behind Labs 01 and 02 — Alex, Susan, Rachel, and Marcus appear here first in the four-angle vendor scenario that the Labs are built on.

Compliance Conversations Ep. 11: The Invisible Insider

The audio companion to Lab 01 and Lab 02. Walks through the misappropriation theory, the plumber analogy, and the 43-minute gap that connects vendor access to a federal investigation.

Decision-Ready Case Studies

Executive case studies for CCO and board reading. The written counterpart to the Decision Lab format — same scenarios, different delivery mode.

Have the Conversation Before the Incident Forces It

Your leadership team will have these conversations eventually. The only question is whether you have them now or after the incident forces them. Contact Xcelus to discuss which Lab fits your organization’s risk profile.

© 2005–2026 Xcelus LLC. All rights reserved. Executive Decision Lab™ is a trademark of Xcelus LLC.