
Prevent, absorb, recover: scoring operational resilience

An untested recovery plan is a wish with a cover page. Operational resilience is not a binder you produce for the auditor - it is a posture you can measure, and it lives across three phases: prevent, absorb, recover.

Resilience is not a document

Most organisations can produce a business continuity plan. Far fewer can tell you, on any given day, how resilient they actually are. The plan sits in a folder, written against a snapshot of the business that has since moved on, its recovery times never tested, its dependencies guessed. It is an artefact, not a capability.

The fix is to stop treating resilience as a document to be filed and start treating it as a posture to be scored - one that moves as your controls, your dependencies and your tested plans change. That posture has three phases.

Prevent

Prevention is everything you do upstream of a disruption to make it less likely. For supply-chain resilience that means the strength of your supplier assurance, the speed of your patching, the controls protecting the systems your services run on. A supplier with a failing security grade is a prevention problem before it is ever a recovery one.

Score prevention well and you spend less time in the other two phases - because fewer incidents reach you in the first place.

Absorb

No prevention is perfect, so the next question is how much you can take before a service goes down. Absorption is about redundancy and concentration: if one cloud region, one pen-test firm or one payments processor sits behind a third of your critical services, your blast radius is enormous and your ability to absorb a hit is small.

This is where a dependency graph earns its place. A flat supplier list cannot show you that twelve of your services quietly depend on the same sub-processor. A graph can - and it lets you derive a concentration-aware risk score per service, so absorption stops being a guess.

Recover

Recovery is the only phase with a hard, measurable truth: when the incident happens, how long until the service is back, and did you meet the recovery-time objective you promised? Everything else is preparation; this is the exam.

And the only way to know the answer in advance is to test. Not a tabletop read-through once a year, but a graded ladder of exercises - tabletop, walkthrough, simulation, full failover - each capturing the achieved RTO against target. A plan that has survived a full failover is worth a hundred that have only ever been written down.

Scoring the whole lifecycle

Blend the three phases and you get a single resilience-readiness number. Not a vanity metric: prevention drawn from live assurance and patching, absorption from dependency and concentration risk, recovery from how many critical services have an approved plan that has actually been exercised in the last twelve months.

Because it is calculated from live evidence, the number moves. Approve and test a plan for a critical service and it rises. Let an exercise lapse, or onboard a supplier into a concentrated dependency, and it falls. That is the difference between a posture and a binder.

From BIA to tested failover

The workflow that produces the score is unglamorous and exactly what you would expect: identify critical services, run a business impact analysis to set RTO, RPO and maximum tolerable disruption, map the dependencies, write an owned continuity plan, then test it and log what actually happened. Each step feeds the next, and the recover score feeds back into the lifecycle.
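A worked version of that lifecycle score, added here as an example and not the platform's own model: it assumes equal weights for the three phases, a 0-1 assurance grade per supplier, a twelve-month exercise window, and a constructed four-service estate in which one cloud region sits behind two of the three critical services.

```python
from datetime import date, timedelta
# Constructed sample estate (not the platform's data): criticality and supplier deps per service.
SERVICES = {
    "payments":       {"critical": True,  "deps": ("cloud-eu", "payproc")},
    "citizen-portal": {"critical": True,  "deps": ("cloud-eu", "idp")},
    "reporting":      {"critical": True,  "deps": ("cloud-uk",)},
    "intranet":       {"critical": False, "deps": ("idp",)},
}
# Prevention evidence: latest assurance grade per supplier, 0.0 (failing) to 1.0.
SUPPLIER_GRADE = {"cloud-eu": 0.9, "payproc": 0.4, "idp": 0.8, "cloud-uk": 0.85}
# Recovery evidence: plan approval, last exercise date, achieved vs target RTO in hours.
PLANS = {
    "payments":       {"approved": True,  "last_test": date(2025, 2, 10), "achieved_rto": 3, "target_rto": 4},
    "citizen-portal": {"approved": True,  "last_test": date(2024, 3, 1),  "achieved_rto": 2, "target_rto": 4},
    "reporting":      {"approved": False, "last_test": None, "achieved_rto": None, "target_rto": 8},
}
TODAY = date(2025, 6, 1)  # fixed "as of" date so the scores are reproducible

def critical(services):
    return {n: s for n, s in services.items() if s["critical"]}

def prevention_score(services, grades):
    """Mean assurance grade over every (critical service, supplier) edge."""
    edges = [grades[d] for s in critical(services).values() for d in s["deps"]]
    return sum(edges) / len(edges)

def absorb_score(services):
    """1 minus mean concentration risk, where a service's risk is the largest
    share of critical services that any one of its suppliers also sits behind."""
    crit = critical(services)
    share = {}
    for s in crit.values():
        for d in s["deps"]:
            share[d] = share.get(d, 0.0) + 1 / len(crit)
    risk = [max(share[d] for d in s["deps"]) for s in crit.values()]
    return 1 - sum(risk) / len(risk)

def recovery_score(services, plans, today=TODAY):
    """Share of critical services with an approved plan exercised in the last
    twelve months whose achieved RTO met the target."""
    crit = critical(services)
    ok = sum(1 for n in crit if (p := plans.get(n)) and p["approved"] and p["last_test"]
             and today - p["last_test"] <= timedelta(days=365)
             and p["achieved_rto"] <= p["target_rto"])
    return ok / len(crit)

def readiness(services, grades, plans, today=TODAY, weights=(1 / 3, 1 / 3, 1 / 3)):
    """Blend the phases into one number; equal weights are an assumption, not the page's."""
    parts = (prevention_score(services, grades), absorb_score(services),
             recovery_score(services, plans, today))
    return sum(w * p for w, p in zip(weights, parts))
```

Approving and exercising the reporting plan raises the number; letting the citizen-portal exercise lapse past twelve months, as it already has in the sample, is what holds recovery at one in three.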

Do it once and you have a document. Do it continuously, scored, with tested recovery, and you have something you can stand behind when the regulator, the board or the incident asks the only question that matters: can you actually recover?
