How to Maintain and Test a Business Continuity and Disaster Recovery Plan

AUGUST 25TH, 2020

Proactively planning for how to respond to a disaster and get your business operations back online is key to building business resiliency. And in today’s tempestuous business environment, resiliency is everything.

A comprehensive, thoroughly tested business continuity and disaster recovery plan is one of the best ways to protect your organization from data and revenue loss during an outage, cyberattack, or natural disaster. 

Though they are technically two separate plans, business continuity and disaster recovery work symbiotically to create a robust safety net for your business operations, systems, and data.


A business continuity plan defines the business’s critical processes and gives detailed instructions for your organization to follow in order to continue operating during an emergency. This plan must identify and include all time-sensitive and mission-critical business functions and processes, as well as company assets, human resources, business partners, and stakeholders. 

Your disaster recovery plan should focus on getting the IT infrastructure back up and running after an unplanned disruption or natural disaster. This is just one step in business continuity—albeit a crucial one—which is why businesses need to ensure they have both plans ready, waiting, and tested before a crisis hits.

Four Steps for Maintaining and Testing Your Business Continuity and Disaster Recovery Plan

Business continuity and disaster recovery are not set-and-forget initiatives. Business objectives and processes change frequently, employees move into and out of roles, and technology is in a constant state of flux. So once you have your initial business continuity and disaster recovery plans established, integrated, and fully tested, you move into maintenance mode. During this phase, your focus becomes anticipating and adapting to changes and ensuring your continuity and recovery plan stays up to date and functional.

Here are the four main steps to future-proofing your crisis response efforts so you can be confident your business continuity plan will work when it needs to.

1. Plan for change management. 

Many organizations are experiencing an unprecedented level of change these days. To ensure continuity in the event of a crisis, it is important to monitor changes in the organization and its external environment, including people, processes, and resources. Have a documented process in place to control changes or revisions to the plan, and be sure to update the plan regularly.

2. Conduct testing.

When was the last time you fully tested your business continuity plan from end to end? If it’s been a while, stop reading and put it on the calendar now. The middle of a 100-year flood is no time to discover your backups are corrupt. 

Regularly scheduled testing will help prevent massive data loss and get your business operations up and functioning quickly after an emergency. A full, end-to-end test of your plan will be time consuming, so for expediency’s sake, schedule different types of testing at repeating intervals:

  • Checklist test (bi-annually): This is a high-level check to ensure objectives are still being met by the current plan. Correct the plan as needed and recirculate it to all stakeholders.
  • Walkthrough test (annually): Sit down with all stakeholders, leadership, and your business continuity response team to look for gaps and out-of-date information. This should be a business-driven (not IT-driven) review to address changes to business objectives and priorities, not the technology.
  • Comprehensive test (every other year): This review should include a reassessment of risks, a new impact assessment, and an updated recovery plan.
  • Full interruption test (every 2-3 years): Simulate a real disaster and walk through your business continuity plan from start to finish so you are confident that operations can be quickly restored after an unplanned disruption, cyberattack, or natural disaster.

Just to keep things interesting, conduct periodic, unannounced “emergency” tests to help you observe the plan in action and test employees to make sure they know how to respond to a real crisis.

3. Require training.

Your business continuity plan is only helpful if your employees know how to implement it. When you initially create your plan, it’s important to form a business continuity team that will own the process and educate others.

During maintenance, your business continuity team will select a set of training methods, then create an ongoing schedule of business continuity awareness and training activities. These sessions will address any gaps in business continuity and disaster response knowledge so the organization can take unified, appropriate action to respond to threats as needed.

4. Perform an audit.

The final step in effectively maintaining your business continuity and disaster recovery plan is to invest in a third-party, impartial review of the plan.

This audit will determine whether the plan is in compliance with the organization’s internal policies and whether it meets external regulations and standards. It will also identify gaps and weaknesses in any of the maintenance steps. 

When the audit is complete, update the business continuity plan with any needed changes identified by the audit.

These four steps can help you maintain and test your business continuity plan so your organization recovers quickly after a disaster, technology failure, or cyberattack. 

For optimal protection, consider investing in a business continuity solution that provides a cohesive data security, protection, and retention strategy. A comprehensive continuity and disaster recovery solution can streamline your business continuity processes and provide additional data and cybersecurity features for greater peace of mind.

If you don’t have an up-to-date business continuity plan or world events have prompted you to reassess your current plan, download Arcserve’s How to Build a Disaster Recovery Plan to learn how to protect your business-critical systems and data in an emergency.