Disaster Recovery Journal Spring 2025
ago. Operational resilience mandates came into being as a recognition that resilience practices had stalled, and firms were not maintaining critical/important customer services that depend on IT assets, especially in interconnected industries, such as financial services. IT changes quickly, and resilience practices must match this pace.

Most Organizations Conduct Simple Tests Only Once Per Year

Unfortunately, the testing situation is largely unchanged since 2008. For all test types, most organizations only test once per year with plan walk-throughs and tabletop exercises, and as tests become more extensive, test frequency declines – 41% of respondents said they never performed a full simulation (see Figure 3). Simulations not only test the incident actions, roles, responsibilities, and interactions between teams but also allow for timing of various plan steps. Timing gives a sense of whether recovery targets are realistic and where to pinpoint improvements to the plan. However, testing requires intentional time and dedicated resources across the organization as well as the inclusion of critical third parties to pinpoint bottlenecks, missing components, and communication and connection failures.

Most Tests Do Not Consider DEI

When performing tests, all voices must be heard to identify gaps, create actions, and improve planning. Unfortunately, 53% of respondents did not consider
diversity, equity, and inclusion (DEI) when testing/exercising a plan, and another 14% didn’t know whether they did (see Figure 4). Despite some firms pulling back on DEI investments, the business case for inclusive experiences remains strong, as diverse teams bring a wider set of perspectives, orientations, and experiences to the organization. Using all perspectives and orientations within an organization will help unlock knowledge about how the organization runs, communication pathways, and essential workarounds the firm can implement or improve.

A Lack of Service Maps Is Common

Operational resilience mandates require critical/important service mapping down to the IT components. These maps are also critical to pivot to individual circumstances of an incident. In the past, organizations relied on the configuration management database to provide the mapping, but it was static and incomplete, and IT organizations struggled to include unapproved changes.
Now, there is an acceptance that IT changes happen – and that IT must track them. Unfortunately, there is still a lack of confidence in real-time completeness of data, especially for components like ephemeral microservices. Technology has improved, especially around AIOps; however, use of maps is still underwhelming. Some 16% of respondents said they used service mappings to determine and track impact on customers as well as create restoration plans for tests/exercises. Only 15% of respondents used service maps when assessing testing performance.

Adoption of Key Technologies Remains Low

To create a complete BC program – and even reach for operational resilience and business resilience program goals – resilience pros must use a wealth of tools and technologies. Unsurprisingly, threat intelligence feeds (41%) – which DORA requires to feed threat-led penetration testing – and BC continuity management platforms (40%) – which resilience pros use to