Testing one recovery plan tells you whether that process recovers. But a real disaster doesn’t politely fail one system at a time — it takes out a datacenter, and you find out all at once whether your identity provider, your payment gateway, your database, and your network all come back. A DR exercise is how you rehearse that: a coordinated test across every critical asset, with a tester assigned to each, and — this is the part that matters — automatic remediation for whatever fails.
ISO 22301 §8.5 and NIST SP 800-34 §3.5 expect you to exercise recovery and act on the gaps; SOC 2 A1.3 wants the evidence. Most teams run the exercise, fill a spreadsheet with “issues found,” and lose it by Q3. Talarity closes that loop automatically: every failed asset test opens a tracked remediation work-item, and every serious failure opens a scored risk in your register — linked back to the asset and the exercise. This guide runs one end to end.
Who’s involved
- Business continuity owner — scopes and launches the exercise, sets the thresholds, reads the results.
- Asset custodians / testers — each tests the asset they own and records the outcome (internal staff, or an external vendor contact).
- Auditor — opens the completed exercise, reads the per-asset outcomes, and follows the auto-opened risks into the register.
Step 1 — The DR Exercises register
Open Business Continuity & DR (/app/grc/bcdr) → the DR Exercises tab. Each coordinated exercise shows its status, how many assets are in scope and tested, the pass / partial / fail tally, and how many risks it opened.

Step 2 — Create the exercise, and set the two dials
Click + New Exercise. Name it and pick a window, then set the two controls that make the automation work for your risk appetite:
- Auto-create risk threshold — how severe a failure has to be before it opens a risk, not just a remediation to-do. Set it to High, and a low-severity hiccup still gets a tracked remediation item, but only High/Critical failures escalate to a scored risk.
- Require custodian sign-off — whether each asset’s custodian must approve the recorded result before it counts.

Step 3 — Scope your assets and assign testers
Now choose what’s in scope — by criticality, by location (site / datacenter), and even by vendor for third-party DR. Resolve the scope and Talarity builds an assignment grid: every in-scope asset, its criticality, its custodian, and a suggested tester (defaulting to the custodian). Reassign any of them — to another internal user, or to an external vendor contact by email.

Save & Launch fans out a recovery-test task to every tester — a checklist asking for the outcome, the actual RTO/RPO, and any issues. Internal testers get it in their work queue; external vendors get a one-time secure link.
Step 4 — Read the board
As testers submit, the exercise board fills in. Every asset shows who tested it, its criticality, the outcome, and the actual RTO/RPO it achieved. The counts line at the top is your headline: 8 subjects · 6 passed · 1 partial · 1 failed · 2 risks · 2 remediation items.

Look at the Findings section. The Payment gateway and Payroll tests didn’t just get marked “failed” and forgotten — each one opened a remediation work-item automatically, and because they cleared the severity threshold, each also opened a risk. That’s the difference between an exercise that produces a report and one that produces work that gets done.
Step 5 — The failures are now managed risks
Those auto-opened risks aren’t exercise-local labels — they’re first-class entries in your Risk Register, scored and ready to triage like any other risk. Here they are, filtered to Operational:

Notice the scores: the failure on the Critical payment-gateway asset opened a higher-impact risk (15 / High) than the one on the payroll system (12 / Medium). That’s deliberate — Talarity scales the risk’s impact by the asset’s criticality, so the same kind of failure on a more critical asset carries more weight. An auditor can now trace a clean line: this exercise → this failed asset → this remediation work-item → this scored risk.
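The escalation rule from Step 2 and the criticality scaling described above can be modelled in a few lines. This is an added sketch, not Talarity's code: the impact scale, the fixed likelihood, the score bands, the payroll system's criticality, the six passing assets and which of the two findings was the partial result are all assumptions, chosen to be consistent with the 15 / High and 12 / Medium scores and the counts line shown in this guide.

```python
from dataclasses import dataclass

SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Assumed impact per asset criticality on a 1-5 scale (not a published Talarity table).
IMPACT = {"Low": 2, "Medium": 3, "High": 4, "Critical": 5}
LIKELIHOOD = 3  # assumption: fixed likelihood once a recovery assumption is disproven


@dataclass
class Result:
    asset: str
    criticality: str       # criticality of the asset under test
    outcome: str           # "pass", "partial" or "fail"
    severity: str = "Low"  # severity of the failure, as recorded by the tester


def band(score):
    # Assumed banding, consistent with 15 = High and 12 = Medium in the guide.
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def triage(results, risk_threshold="High"):
    """Return (remediation_items, risks) for one exercise."""
    remediation, risks = [], []
    for r in results:
        if r.outcome == "pass":
            continue
        remediation.append(r.asset)  # every non-pass result gets a work-item
        if SEVERITY[r.severity] >= SEVERITY[risk_threshold]:
            score = IMPACT[r.criticality] * LIKELIHOOD  # impact scales with criticality
            risks.append((r.asset, score, band(score)))
    return remediation, risks


# Constructed sample: 8 subjects, 6 passed, 1 partial, 1 failed.
SAMPLE = [
    Result("Identity provider", "Critical", "pass"),
    Result("Payment gateway", "Critical", "fail", "High"),
    Result("Primary database", "Critical", "pass"),
    Result("Core network", "High", "pass"),
    Result("Payroll", "High", "partial", "High"),
    Result("Email", "Medium", "pass"),
    Result("File storage", "Medium", "pass"),
    Result("Intranet", "Low", "pass"),
]

if __name__ == "__main__":
    items, risks = triage(SAMPLE)
    print(f"{len(risks)} risks, {len(items)} remediation items: {risks}")
```

Raising `risk_threshold` to `"Critical"` on the same sample still yields two remediation items but no risks, which is the effect of the first dial in Step 2.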
What you walk away with
- A coordinated recovery test across your whole critical-asset estate, not one plan at a time.
- A per-asset record — who tested it, the outcome, the actual RTO/RPO — and a signed DR exercise report for evidence.
- Automatic remediation: every failure becomes a tracked work-item, and every serious one a scored risk, linked back to the asset and the exercise.
- A risk register that reflects reality — your untested assumptions, turned into managed risks the moment they’re disproven.
Open the DR Exercises tab and scope a small exercise — three or four of your most critical assets. Launch it, record one honest failure, and watch the remediation and the risk open themselves. That closed loop is the whole reason to rehearse before the real thing.