Thanks to their reliance on easy tests and false assumptions, many organizations think they are better at IT disaster recovery than they really are. Companies that truly want to be able to recover their IT apps and systems need to implement three key controls and strengthen a critical relationship.
In short
The more things change, the more they stay the same.
When I worked in IT in the 1980s, the odds that a company could accurately recover its IT systems and applications after an outage were about 50/50, even at organizations with solid IT/DR programs. Since then, organizations’ ability to recover from technology events has improved dramatically.
Another striking change is that the IT computing environments of today—with their blend of on-prem resources and cloud-based systems—have reached a level of complexity unheard of in previous decades.
However, even in the face of all this change, one thing has remained the same: many organizations greatly overestimate their ability to recover their IT systems.
It happens pretty much every day, in every industry: after suffering a tech outage or data loss, an otherwise well-run company is shocked to discover that, contrary to its leaders’ expectations, it cannot easily or fully recover.
The gap between perceived and actual IT/DR capability typically results from a few common habits and practices.
Many organizations design IT/DR tests to succeed rather than to reveal weaknesses. Organizations often assume that because individual components work, full recovery will work. And hybrid environments spanning on-premises systems, cloud platforms, networks, and third-party services introduce a complexity that many organizations struggle to penetrate.
In addition, changes to IT environments are frequently not accounted for in recovery plans, and IT staff are often reluctant to look for and flag gaps out of concerns over workload and possible criticism.
If the causes of the IT/DR gap are well understood, so are the remedies. Here are three controls organizations can implement to help them improve their IT/DR capabilities.
In contemporary IT environments, change is constant. Organizations need a disciplined change control process to ensure their recovery planning and documentation stay aligned with the technical environment. Every meaningful change to the environment should trigger a review of its impact on recovery. Anytime a system, application, or dependency changes, the related recovery documentation, procedures, and alternate computing environments must change with it. Without this linkage, recovery capabilities drift out of sync with reality and lose their efficacy.
Even with good change control, recovery plans require ongoing attention. Personnel change, processes evolve, and small gaps accumulate over time. Organizations need a regular maintenance schedule to review and refresh their IT/DR plans. This means verifying that contact lists are accurate, procedures reflect the current environment, and assumptions remain valid.
Testing is not about providing reassurance that current arrangements are adequate. It is about uncovering where they fall short so that the gaps can be fixed before they come under real-world pressure. This means avoiding overly scripted exercises and creating scenarios that reflect real-world conditions, including time pressure, incomplete information, system interdependencies, and current program capability.
These three controls provide the structure organizations need to move from assumed capability to demonstrated readiness.
Business continuity teams have an important role to play in helping organizations develop realistic IT/DR capabilities. Two things in particular can make a major difference:
Many BC offices take a casual or pie-in-the-sky attitude to setting recovery objectives. However, unrealistic recovery time objectives (RTOs) and recovery point objectives (RPOs) are almost guaranteed to alienate the IT department. BC offices that want a positive relationship with their IT colleagues should be very rigorous in conducting their business impact analyses (BIAs). They should arrive at well-supported, realistic recovery objectives and have these formally approved by management. This will provide a sound foundation for their later discussions with IT.
The relationship between the BC office and IT is both critical and delicate. IT teams today operate under intense pressure. They are managing complex environments, cybersecurity threats, and unrelenting performance demands. As a result, they often perceive discussions about recovery gaps as personal or accusatory. BC professionals need to approach these conversations carefully, framing them as an effort to improve the organization’s resilience rather than an opportunity to point fingers.
BC offices that propose realistic recovery objectives and strive for a positive relationship with their IT colleagues can make a significant contribution toward helping their organizations narrow the gap between their imagined and true recovery capability.
The insights above come from grappling with the IT/DR gap at ground level.
MHA Consulting has extensive experience helping organizations evaluate and improve their real-world IT disaster recovery capabilities. We work across industries to identify recovery gaps, strengthen recovery processes, and ensure capabilities align with actual business requirements rather than assumptions.
Our approach begins with understanding the client’s environment, including infrastructure, networks, applications, backup systems, and recovery architecture. We compare these capabilities with the stated recovery objectives to determine whether those objectives are realistically achievable.
MHA brings third-party objectivity, the ability to talk to IT teams in their own language, and a focus on realistic testing rather than overly scripted exercises. By systematically identifying gaps in capability and understanding their operational impact, we help organizations build practical roadmaps to strengthen recovery performance over time.
The confidence many organizations have in their ability to recover their IT systems is frequently unjustified. At many companies, a dangerous gap exists between assumed and actual recovery capability.
To close this gap, organizations should implement strong change control, disciplined plan maintenance, and realistic testing programs. BC teams can help by developing credible recovery objectives and building productive, trust-based relationships with IT.
MHA Consulting has extensive experience helping organizations evaluate their true recovery capabilities and identify the gaps that could undermine them during a real-world outage. Contact MHA to learn how we can help your organization validate its true recovery capabilities, strengthen testing practices, and build recovery programs grounded in reality rather than assumptions.
No. Many organizations overestimate their IT disaster recovery capabilities because they rely on assumptions, outdated plans, and overly easy tests that are designed to succeed rather than expose weaknesses.
These gaps usually arise from a combination of factors, including unrealistic testing, outdated recovery documentation, poor change control, and the growing complexity of modern IT environments. Organizations also tend to assume that because individual systems or backups work, full enterprise recovery will work as well. In some cases, IT staff may also hesitate to identify or escalate recovery gaps due to workload pressures or concerns about criticism.
Organizations can significantly strengthen their IT/DR capabilities by implementing three key controls:
1) A strong change control process that keeps recovery plans aligned with changes in the IT environment.
2) A regular maintenance and review schedule to ensure recovery documentation stays accurate and current.
3) Rigorous, realistic testing designed to expose weaknesses rather than endorse existing arrangements.
BC practitioners can help by developing realistic, well-supported recovery objectives through rigorous business impact analyses (BIAs) and by building productive working relationships with IT teams.