Business Continuity Testing: From Annual Exercise to Real Resilience

Business continuity testing is often treated as a scheduled obligation: an exercise is run, results are documented, and the organisation moves on. While this may satisfy internal expectations, it rarely gives management a clear, evidence-based view of how the organisation would perform during a serious and prolonged disruption. The difference between “we tested” and “we are resilient” is whether testing genuinely challenges assumptions, tests decision-making under pressure, and produces demonstrable improvements over time. 

This shift is increasingly important in Malta’s regulated environment. In recent supervisory messaging, the Malta Financial Services Authority (MFSA) highlighted gaps in continuity and recovery testing, particularly where annual testing is incomplete or where firms report no meaningful lessons learned from exercises, raising questions about the quality and outcomes of testing. 

Why this matters now 

Organisations are operating in environments characterised by operational complexity, technology dependence, reliance on ICT outsourcing arrangements, and heightened regulatory scrutiny. Expectations are also rising under the Digital Operational Resilience Act (DORA). Under DORA, financial entities are expected to put in place, maintain and periodically test appropriate ICT business continuity plans, notably including arrangements supporting critical or important functions outsourced to ICT third-party service providers. 

DORA’s detailed requirements further reinforce the “realism and outcomes” standard. When testing ICT business continuity plans, firms are expected to test using scenarios that simulate potential disruptions, including an adequate set of severe but plausible scenarios, and to challenge the assumptions underpinning plans, including governance and crisis communications. In addition, DORA requires that, at least yearly, appropriate tests are conducted on ICT systems and applications supporting critical or important functions (for entities other than microenterprises). 

In short: testing that lacks depth or realism can create a false sense of assurance. By contrast, well-designed testing helps organisations identify vulnerabilities early, understand trade-offs, and make informed decisions about where remediation or investment is most needed—before a real disruption forces those decisions in worse conditions. 

What effective testing looks like in practice 

Effective business continuity testing is outcome-focused. It is designed to test how the organisation actually operates, rather than how it is intended to operate on paper. In practice, effective testing typically includes: 

  • Severe but plausible scenarios aligned to the organisation’s risk profile, designed to challenge assumptions rather than confirm them.  
  • End-to-end services, including people, processes, technology, data, and key third-party dependencies, especially where critical services rely on outsourced ICT.  
  • Governance, escalation and communication, not just technical recovery steps, so that decision-making and crisis communications are tested under pressure.  
  • Management response and prioritisation, particularly where difficult trade-offs are required and where multiple constraints occur at the same time. 

A useful way to think about this is: a test is only valuable if it tells management what would break first, how decisions would be made under pressure, and whether critical services can be sustained when people, systems and third parties are constrained concurrently. 

A practical example of a severe-but-plausible scenario is the simultaneous unavailability of a key outsourced ICT service, staff absence in a critical function, and an immovable regulatory reporting deadline. These are the kinds of conditions that quickly reveal whether continuity arrangements are robust in practice, or simply well-documented. 

What good testing delivers (the management outcomes) 

High-value testing produces management insight that goes beyond a “pass/fail” narrative. It should enable leadership to answer, with evidence: 

  • Which critical services can be sustained, degraded, or must be paused—and on what timeline. 
  • Whether recovery objectives and dependencies are realistic, including what is actually achievable with third parties under stress.  
  • Whether governance, decision rights, escalation paths, and communications work in practice, not just in a policy document.  
  • What the organisation learned, what changed as a result, and how improvement is being tracked to closure. 

This is particularly relevant where supervisors have emphasised that testing should generate lessons learned and improvements, rather than simply reporting “success” without meaningful outcomes. 

Common challenges we see 

Across organisations, similar challenges continue to limit the value of business continuity testing. Scenarios may be reused year after year and become predictable. Exercises can be overly scripted, and outcomes are sometimes known in advance, which reduces the diagnostic value of the test. Testing may also focus narrowly on IT recovery in isolation, with less attention paid to coordination across functions, operational workarounds, and dependencies on third-party providers, despite regulatory expectations that outsourced critical functions are explicitly considered in continuity testing. 

Another frequent issue is the reporting style. Results are often presented as “successful” without sufficient evidence or challenge, and the same issues reappear across testing cycles. Over time, this makes it difficult for organisations to demonstrate measurable improvement or to clearly articulate their resilience position to regulators, boards, and other stakeholders—especially where supervisors have publicly signalled concerns about the quality and outcomes of continuity testing. 

How we help organisations get more value from testing 

BDO supports organisations in strengthening business continuity testing so that it becomes a practical management tool rather than a compliance exercise. Our approach is proportionate, risk-led, and tailored to how the organisation actually operates. 

Support can include: 

  • Supporting Business Impact Analyses (BIAs) to identify critical services, assets, and processes, together with key threats, vulnerabilities, and dependencies. 
  • Reviewing and, where required, developing or enhancing business continuity policies and plans so they are aligned with the operating model and can be executed effectively in practice. 
  • Designing realistic, challenging scenarios aligned to the organisation’s risk profile and key dependencies. 
  • Facilitating or observing exercises to provide independent insight and constructive challenge. 
  • Helping management interpret outcomes and identify targeted, high-impact improvements. 
  • Supporting the integration of lessons learned into governance and operational resilience arrangements so that improvement can be demonstrated over time. 

The objective is not simply to test more often, but to test better, improving the quality and usefulness of exercises so management can build confidence in the organisation’s ability to respond effectively to disruption and engage more confidently with stakeholders and regulators. 

A practical next step 

If you would like to assess whether your current testing approach is generating real assurance, or simply confirming documentation exists, BDO Malta can provide a short, board-ready Business Continuity Testing Health Check focused on scenario realism, decision-making, third-party dependencies, and evidence of improvement. 

This article was written by Jan Bernice Salvador, IT Auditor, within the Technology Advisory