Disaster Recovery Journal Winter 2025

If you are not testing, then you don’t have a plan; you have a hope

Other than organizational hierarchy, the other likely reason many have less confidence in their organization’s ability to persist during a crisis might have to do with the lack of testing and/or the lackluster results when testing does occur. Looking at IT disaster recovery as one core area to be tested, the survey revealed a stark contrast between how the minority of high priority platforms are tested and the remaining majority of “normal” platforms. For those IT platforms that support high priority business processes, 1/3 of orgs test biannually to ensure their recoverability and half of orgs test annually, leaving barely 1/10 that test recovering their high priority capabilities either ad hoc or not at all. By contrast, an alarming one out of three orgs do not test the recoverability of their “normal” IT platforms even once per year.

All these statistics reveal testing isn’t happening as often as it should. Even more troubling, the adjacent question in the survey reveals 32% of the respondents aren’t even aware whether large-scale recovery tests happen at all. Remember, the survey respondents were directly responsible for either BC, DR, CM, or cyber, but were unaware if a large-scale recoverability test had occurred within their organizations. Candidly, if the professionals closest to resilience initiatives aren’t aware of a large-scale test, then that test likely hasn’t happened in one-third of the organizations.

With every IT disruption discussion often coming back to the ever-present threat of ransomware and cyber villains, the survey specifically asked how often a cyber-recovery was tested; the average was once every 10 months. Consider how much of your business processes and IT frameworks change within one year, and now imagine your ransomware recovery plan hasn’t been updated within the same timeframe.

Figure 2 – Testing recoverability of “high priority” and “normal” IT workloads may not be happening as often as you hope.

Figure 3 – Most plans are tested annually.

Do your business expectations align with the technical realities?

With the growing recognition of the importance of resilience across both business processes and IT platforms, one would hope the various personas would start to align on realistic expectations for resilience. Unfortunately, the 2025 survey results continue to reveal a significant gap between the organization’s business expectations of how quickly IT systems need to resume some functionality

HOMEWORK: Ask your IT teams:

2. How frequently do we test the recoverability of our “high priority” IT workloads the organization relies on for our key business processes?
3. How frequently do we do a large-scale recovery test to remediate from a natural disaster? Or a ransomware encryption breach?
4. What were the results of those tests? (This one is the most important to dig into.)

