When companies are unable to recover their key processes and systems during business continuity and IT disaster recovery exercises, they are usually surprised and embarrassed. Their most urgent question—“Why couldn’t we recover today?”—reveals a mindset that is actually the real source of their difficulties.

[Related: Kill the Zombies, or How to Get More From Your DR Exercises]

Why Companies Struggle in Their Recovery Exercises

I know of few places more uncomfortable than a roomful of executives, department heads, and BC staff after an exercise in which critical systems and processes were not recovered within the targeted time frames. At such gatherings, anxiety, confusion, and finger-pointing are seldom in short supply.

The most common question people ask at such times is, “Why did the exercise fail?” by which they mean, “Why couldn’t we recover?”

In my experience, the most common reasons for such an outcome are:

• Outdated or incomplete recovery plans

Plans don’t reflect the current IT environment, organizational structure, or business priorities. Common issues include missing recovery steps, untested assumptions, outdated contact lists, and undocumented dependencies.

• Dependency and resource gaps

Exercises reveal “hidden” dependencies—on vendors, specialized staff, facilities, or infrastructure—that were not accounted for. Critical resources (e.g., backup systems, alternate workspaces, recovery staff) are missing or unavailable when needed.

• Insufficient training and role clarity

Staff don’t know their roles, or recovery teams are unprepared to execute plans under pressure. Key people may be absent, or “single points of failure” (only one person knows how to do something) are exposed.

• Ineffective communication and coordination

During an exercise, information doesn’t flow properly between teams, management, vendors, and stakeholders. Misaligned priorities or conflicting decisions cause confusion, delays, or duplicate efforts.

• Technology failures or gaps in recovery capabilities

Backup systems don’t perform as expected (e.g., data corruption, insufficient capacity, or misconfigured failover). Recovery time objectives (RTOs) or recovery point objectives (RPOs) prove unrealistic in practice.

Information on these issues is readily available in the leading BC standards (FFIEC, ISO 22301, NFPA 1600, etc.).

Understanding them can help organizations troubleshoot immediate problems.

But in my view this approach to diagnosing exercise failures doesn’t go deep enough. It might be described as the “polite, BC-standards” view of why exercises flounder.

To see the real reasons so many BC exercises “fail,” by which I mean fail to achieve their purpose of identifying gaps that are then closed, improving the organization’s resilience, we’ll have to look behind the curtain.

The Hidden Reasons Exercises Fail

In my experience, the real reasons BC exercises and exercise programs fail include the following:

• They are never conducted at all

The number-one reason exercises fail is simple: they aren’t done. Too many organizations don’t bother to conduct exercises of any kind, trusting to luck to help them if and when they experience a real outage.

• They are conducted in a half-hearted way

When exercises are run, they are often carried out just to “check the box.” Teams stop short of fully testing recovery processes or participants only walk through parts of their plans. The result is a false sense of confidence, with little insight into whether recovery would truly succeed.

• They are staged to guarantee success

Some organizations over-prepare, limit what is tested, or simplify scenarios so a flattering outcome is assured. But if an exercise can only succeed under ideal, staged conditions, it is not testing readiness, it’s putting on a show.

• People are afraid of bad news

Executives and staff alike often shy away from surfacing unpleasant findings. Gaps are edited out of reports, negative results are downplayed, realists are isolated, and individuals distance themselves from weaknesses. This guarantees that vulnerabilities remain unaddressed.

• They lack clear success criteria

Without defined objectives—such as whether critical systems were recovered within the RTO, or whether teams worked through the process logically—organizations cannot measure whether they’ve succeeded or failed.

• Leadership ignores the truths revealed

Even when exercises expose real weaknesses, many organizations avoid acting on them. People may say they want to know the truth, but they are often more concerned about avoiding blame than about improving resilience.

These tendencies transform exercises from genuine learning opportunities into hollow rituals. The “failure” of a single exercise is rarely the problem. The deeper issue is whether the organization uses the exercise to expose and close gaps, building the resilience needed to withstand a real disruption.

The Real Failure Is Failing to Improve

There are two ways to define failure when it comes to BC and IT/DR exercises. 

There is the failure to recover the organization’s processes and systems in a timely manner. And there is the failure to learn and improve based on what an exercise reveals.

An exercise that is proudly labeled a success can be a strategic failure if any vulnerabilities it reveals are brushed off.

An exercise where the organization fails to recover a key process in time can be a success if people take the results to heart and make the changes needed to close the revealed gap.

True success in conducting BC and IT/DR exercises lies in conducting honest, rigorous tests and using the results to chart improvements. 

How to Run Exercises That Actually Improve Your Program

If the real failure is failing to improve, then the real question is: how do you run exercises that genuinely make your organization stronger? In my experience, five practices make the difference between hollow rituals and exercises that build resilience.

• Secure management support

Exercises require visible buy-in from leadership. Without it, participants may skip out, treat the exercise casually, or arrive unprepared. Management should set expectations, insist on rigor, and communicate that exercises matter as much as real-world events. 

• Define clear success criteria

Simple, measurable goals are key. You don’t need 20; three to five will do. Possible criteria could include: Did everyone show up? Did they bring their recovery plans? Did we recover critical systems within the target timeframe? Were the recovered systems or services actually functional? Did teams execute in a logical, organized manner or was it chaos? Share your criteria so everyone knows what success looks like.

• Use skilled facilitators

A strong facilitator keeps the group focused, ensures objectives are tested, and manages team dynamics under pressure. Without that guidance, even well-planned exercises drift off course. In performing this role, experience makes a big difference, so it can be worthwhile to bring in an outside expert. Effective facilitation makes the difference between confusion and clarity, and between wasted effort and actionable results.

• Document and report consistently

Exercises are fast-moving, and valuable observations can easily be lost. Consistent reporting—briefings during the exercise and structured documentation afterward—ensures that lessons are captured and not forgotten. Without this discipline, improvement opportunities slip through the cracks.

• Write honest after-action reports

The debrief should answer one question: if this had been a real event, could we have recovered? That requires honesty and objectivity. Identify what went well, what didn’t, and what needs to change. Glossing over problems to avoid uncomfortable conversations only guarantees those problems will resurface when it matters most.

When exercises are supported, structured, well-facilitated, and honestly reported, they stop being box-checking rituals and start becoming engines of resilience.

Using Exercises to Drive Improvements

When it comes to BC and IT/DR exercises, most organizations that are unable to recover their critical processes and systems take an overly narrow approach in diagnosing why.  Most such failures arise from shortcomings in culture, approach, and mindset. 

Along with the failure to conduct any tests at all, common issues with companies’ exercise programs include a half-hearted approach, too much preparation, fear of bad news, unclear criteria, and leadership inaction. Real success in BC testing comes from using the truths uncovered to drive program improvements. 

MHA’s consultants have extensive experience facilitating BC and IT/DR exercises. Contact us today to learn more how we can help you with any aspect of your testing program, from scenario design to facilitation to the writing and presentation of the after-action report.

Further Reading

• Beginner’s Guide to Recovery Exercises
• Overdoing It: People Who Overplan Their Mock Disaster Exercises
• Kill the Zombies, or How to Get More From Your DR Exercises
• Be a Mock Jock: All the Mock Disaster Exercise How-To Advice You Need
• Little Things Mean a Lot: The Value of Micro Mock Disaster Exercises