Insights

Testing DR Before You Need It | SUMāTO

Written by Andrés Lozada | Jul 9, 2026 6:51:11 PM

The first time I asked to run a real disaster recovery test at SUMāTO, someone on the team told me, in all honesty: "We have the plan documented, but we've never run it end to end." That sentence cost me sleep. A DR plan that lives in a PDF and is never executed isn't a plan: it's a hypothesis. And discovering that your hypothesis was false in the middle of a data center outage, with the clock running and customers calling, is the most expensive possible way to learn. In November 2018, after several exercises, I hold a clear conviction: DR isn't measured by what's written, but by what's been tested.

In short: A disaster recovery plan that's never tested is organized fiction. A DR test verifies that you can actually recover systems and data within the committed timeframes, and it turns assumptions into evidence. Without periodic tests, you don't have a plan: you have a documented hope.

Why is a DR plan without tests fiction?

A DR plan describes a future you hope will unfold: restore the backup, bring up the alternate site, redirect traffic, validate data integrity and get back to operating. Each of those steps contains assumptions that sound reasonable on paper and break down in practice.

The assumptions I've seen fail most often are these:

  • The backup exists, but doesn't restore. The backup job finished "successfully" every night, but no one had tried to read that backup back. A backup that doesn't restore isn't a backup.
  • The documentation is outdated. The procedure mentioned a server that no longer exists, an IP that changed or a person who left the organization months ago.
  • Credentials or permissions are missing. In the crisis, the person who was supposed to execute didn't have the access, and the person who had the access was unreachable.
  • Hidden dependencies. The critical system came up, but it depended on a secondary service no one had included in the recovery scope.

None of these problems appear when you read the document. They only appear when you execute. That's why I insist: the test isn't a compliance formality, it's the only moment when your plan stops being a belief and becomes a capability. If you want to understand how to structure a plan that can genuinely be tested, it's best to start from a disaster recovery plan that's well defined in scope and responsibilities.

What exactly is a DR test?

A DR test is a controlled exercise in which you simulate the loss of one or more components and verify that the team, the procedures and the technology manage to recover them within the agreed objectives. It isn't a theoretical "what would we do if" drill: it's executing, measuring and leaving evidence.

A serious test answers three concrete questions:

  • Do we recover in time? That is, do we meet the RTO, the maximum acceptable time the system can be down?
  • Do we recover without losing more data than acceptable? That is, do we meet the RPO, the maximum amount of information we can afford to lose, measured in time?
  • Is the recovered information intact and usable? It isn't enough for the system to "turn on"; the data must be consistent and operations must be able to continue on top of it.

If a test doesn't measure against those objectives, it isn't a DR test: it's a demonstration to feel good. The difference is the honesty of the acceptance criteria defined before you begin.

What types of DR test are there?

Not all tests carry the same cost or the same risk. The healthy approach is to step up gradually in realism as the team gains confidence. These are the types we use, from least to most demanding:

  • Tabletop review. The team sits down and walks through the plan step by step against a hypothetical scenario. It's useful for spotting gaps in the documentation and the roles. It's cheap and doesn't touch production.
  • Isolated restore test. You take a backup and restore it in a separate environment to confirm the data comes back complete and readable. It's the test that uncovers the most silent failures.
  • Partial test (walkthrough). You execute the recovery of a subset of systems on alternate infrastructure, without affecting real operations.
  • Full failover. You switch real operations to the recovery site or environment and operate from there. It's the most revealing test and also the riskiest, which is why it requires preparation, an agreed window and a fallback plan.

My practical recommendation is never to jump straight to full failover. Start with the cheap options, fix whatever comes up, and raise the level once each rung is already clean.

How often should you test?

There's no universal magic number, and I'm wary of anyone who promises one. The right frequency depends on how critical the system is and how much it changes. That said, there are principles I do stand by:

  • Test critical systems regularly, not once a year "for the audit." A system that defines operations deserves frequent exercises.
  • Test after every significant change. A migration, a new integration or a change of provider invalidates the previous plan's assumptions.
  • Test when the people change. If the people who would execute the recovery are no longer the same, your real capability changed even if the document stayed the same.

The idea is for testing to stop being an extraordinary event and become a routine. A mature organization can't remember when its last test was because it runs them constantly. Continuous replication between environments makes these exercises far less traumatic; at SUMāTO we handle that layer with SyncDR to keep data ready to recover without large downtime windows.

What evidence should a test leave behind?

A test that leaves no trace is an anecdote. For the exercise to serve continuous improvement and any audit, it must produce concrete evidence. What I always ask for when we close a test is:

  • Real measured times: how long each phase of the recovery took, against the committed objective.
  • Findings and failures: what didn't work, which assumption broke and which step of the procedure was wrong.
  • Corrective actions with owner and date: every failure detected becomes a task with an owner, not a loose note.
  • Decision on the next level: if the test passed cleanly, when we step up to the next type of exercise.

This evidence is what closes the continuous improvement loop: test, find the failure, fix it and test again to confirm the fix worked. A finding without later verification is just good intentions.

How much does it cost to discover the failures in mid-crisis?

The cost of testing is known, bounded and plannable: a few hours of the team's time, a coordinated window, a test environment. The cost of not testing is unknown until the disaster strikes, and then it's paid all at once and at the worst price.

When you discover that the backup won't restore while the system is down, you no longer have any margin. Operations are halted, the pressure is at its peak, decisions are made on the fly and every additional minute erodes your customers' trust. What in a test would have been a finding fixed calmly becomes, in the crisis, an open wound. I've learned to see it this way: the DR test is the cheapest insurance there is, because it turns catastrophic surprises into manageable maintenance tasks.

Frequently asked questions

Isn't having backups enough?
No. A backup only proves that data was copied, not that the data can be recovered and used. The only way to know a backup is good is to restore it and validate its integrity. Until you restore it, you have a copy without a guarantee.

Does a DR test affect operations?
It depends on the type. Tabletop reviews and restores in an isolated environment don't touch production. A full failover does switch real operations, which is why it's done with an agreed window, prior preparation and a clear fallback plan. That's why we recommend stepping up gradually.

What happens if the test fails?
It means the test served its purpose. A failed test isn't a failure: it's exactly the finding you wanted to uncover in a controlled environment and not in the middle of a crisis. Every failure becomes a corrective action with an owner, and then you test again to confirm the fix.

How often should we test our DR?
There's no single number. Test your critical systems regularly, and always after significant changes in technology, processes or people. The goal is for testing to stop being an annual event and become a routine.

The first step

If, reading this, you can't remember the last time your organization restored a backup end to end, that's precisely where to start. You don't need a full failover tomorrow; you need a first honest test that tells you how real your plan is today.

At SUMāTO we support that exercise with a recovery-capability diagnostic: we review your plan, define time and data objectives, and design a testing calendar that steps up in level without putting your operations at risk. Let's talk about your disaster recovery and turn your plan from fiction into a proven capability.