Why drills matter
Drills verify that the business continuity plan (BCP) works in practice: people know their roles, contacts are current, backups are available and recovery time objectives (RTO) are achievable. Regular testing is a mandatory requirement of ISO 22301.
Types of drills
- Tabletop. The team works through a failure scenario "at the table" by role. Cheap and fast, it surfaces most gaps in the plan.
- Simulations. A close-to-real incident: alerting, decisions in real time.
- Technical tests. Actual recovery of IT systems from backups (part of the DRP).
- Full-scale exercises. Testing the whole chain — from detection to recovery.
How to run one: step by step
- Choose a scenario (for example, ransomware or loss of an office).
- Define the goal and participants, assign an observer.
- Run the drill, noting where the team stumbles.
- Collect findings: what did not work, which contacts/resources were missing.
- Update the plan and assign owners for the fixes.
Tip: start with a tabletop drill on one scenario every six months. It is inexpensive and delivers the most value early on.
FAQ
Which type of drill should I start with?
Tabletop — the team works through a scenario at the table. It is inexpensive and surfaces most gaps in the plan.
How often should drills be run?
As a baseline, once or twice a year on one scenario, with more frequent technical recovery tests for critical systems. The key is regularity.
Evgeny Telenkov
Chief Risk Officer · PhD in Economics · "Best Risk Manager of Russia 2020"
20 years in risk management. Led risk management at Beeline, Nornickel, Rosneft and EY. Built business continuity plans for Nornickel, Rostec, NSD and DIA. Trained 300+ risk and BCM specialists.