Prior to the pandemic, organizations hadn’t done enough to prepare for significant disruption – including testing their plans.
Now that the pandemic has been over for a few years, it’s worth asking, are organizations faring better? New data suggests the state of resilience testing still needs improvement.
Read on to find out why.
The state of resilience testing needs improvement
Well, resilience testing appears to have stalled, at least according to data compiled by Forrester Consulting and summarized in The State of Resilience, 2025. Organizations are operating much in the same way that they were prior to the pandemic, mostly testing their preparations yearly – if that.
In fact, a staggering 41% of respondents said that they never performed a full simulation, while 35% performed a full simulation once per year.
Indeed, yearly resilience testing turned out to be the norm. Almost 60% of responding organizations did annual plan walk-throughs, while only 18% did them twice a year.
The ratio held for tabletop exercises and plan simulations, too. Fifty-six percent and 49% of respondents did yearly tabletop exercises and plan simulations (respectively,) while only 20% and 11% did those exercises twice per year.
Forrester Consulting also cottoned on to another worrying phenomenon; an increase in testing complexity led to a decrease in texting frequency.
Measures to enhance resilience testing
As crises increase in kind and complexity, these resilience testing numbers won’t cut it – at all. What can organizations do, instead, to enhance the quality of their resilience testing programs?
One place to start is with a gap analysis. Why’s that necessary? Well, it’s been shown that pre-testing analysis effectively signals the role of exercises and testing in managing business risks. The practical import in performing a gap analysis, therefore, is that it helps stakeholders (including senior leaders) understand that conducting exercises and testing is needed to manage risks.
What questions might organizations ask to get started with this planning stage of the testing process? Common questions include:
- Does the exercises and testing plan address requirements for exercises and testing?
- Can this plan promote consensus with interested parties?
- Does the plan offer an opportunity to reach and interact with its target group(s) and potentially address their interests?
- Does this plan provide an opportunity to address multiple issues in depth?
- Does this plan focus on key issues?
- Does the plan provide information tailored to the target group(s)?
- Is this plan practical and relatively easy to implement?
- Does the plan provide for information transfer at relatively low cost?
- Is this plan easy to update?
- Is the effectiveness of this plan measurable?
- Is this plan a good vehicle for education?
- Is this plan creating a constructive and supportive atmosphere?
- Is this plan an effective way to get publicity or increase public awareness?
- Does the plan conform to the organization's constraints?
Indeed, this approach enables organizations to move away from generic exercises to a more customized testing program better suited to managing their specific business risks.
From that vantage, the gap analysis not only helps make the case for a best-practice resilience testing program, but it also indicates what kind of exercise (out of the many available options) that that program should be deploying.
What types of exercises are out there? We lay them all out in our Guide to ISO 22398 for Crisis Management Testing, check it out to learn more.
Source: Amy DeMartine, Forrester Consulting: The State Of Resilience, 2025. January 2025.
.svg)
.svg)
.svg)