The OGO Blog

How Often to Review and Test Disaster Recovery Plans

You’ve heard the saying, “Practice makes perfect”? This is especially true when it comes to reviewing your business continuity plan (BCP). In fact, it’s even more important for testing your BCP and disaster recovery (DR) plans!

The BCP’s unique blend of people, processes, and technologies creates myriad opportunities for things to go wrong. Outside of “live incidents,” how else are you going to find single points of failure, outdated procedures, and/or wrong phone numbers?

So, how often should you review your BCP and DR plans? And how often should you test them?

Good, Better, Best

Simply put, the frequency with which you review and test your BCP and DR plans depends.

But on what?

It depends on how good you want to be!

Think about it this way. We’re constantly reminded that it takes about 10,000 hours of practice to become an expert at something. But, truth be told, 10,000 hours is just the tip of the iceberg when it comes to true mastery.

So, although perfection in anything is essentially unattainable, you can still get really, really good at something. And if you’re serious about protecting your business and providing uninterrupted service to your membership (especially during a crisis), you should be constantly poking holes in your plan to see where and how it can be improved.

Ask yourself:

Have you or your team put in 10,000 hours of BCP and DR practice? (Probably not.) And if you haven’t, do you feel that there’s room for improvement? (Probably yes.)


The frequency of your review, tests, and exercises may vary depending on which part of the plan you’re working on. Disaster recovery (DR/IT) tests often involve the coordination of efforts between multiple vendor platforms and complex technology configurations. The results are generally pass/fail, and it’s recommended to be performed annually.

Your BCP as a whole however, requires a bit more exercise due to its complexity. Those credit unions with a “living document” approach to BCP find ways to “exercise” their organizational level plans as much as possible throughout the year.

For example, your credit union may perform call tree exercises, fire and evacuation drills, tabletops, walkthroughs, and isolated system recoveries (testing of backups, restoration of files). These “mini” exercises help keep the plan current and increase ownership and awareness levels throughout the organization.

Exercises using scenarios based on your credit union’s risk profile yield even greater insight to the effectiveness of your plan.

In a sense, you should review and test your BCP and DR plans constantly, even if you only do a bit at a time.

How Much is Enough?

So, how much exercising is enough? The answer is: when your initial reaction to an incident is instinctive and effective. It should be reflexive, like when you’ve developed muscle memory.

Remember Chelsey Sullenberger, the US Air pilot who safely landed a jet in the Hudson River? By the time “Sully” made that infamous landing, he had logged more than 20,000 hours of flight time and spent countless years pursuing safety measures based on simulated experiences in flight.

Call it “testing,” “exercising,” or simply “deliberate practice…” The more you do it, the greater chance you’ll have of a successful recovery.

We’re happy to discuss your credit union’s BCP and DR needs. See our business continuity planning page here.

Do you have questions about how to create a proper test environment? Do you wonder what the best way to get your staff ready for a disaster is?

“Probably” Is the Enemy of BCP

3 Tips to Maintain Business Continuity Plans

Fill out the short form below and an OGO expert will contact you shortly: