Compliance Services

How can you test a business continuity plan?

21 January 2026

Fund managers and other regulated firms are expected to maintain business continuity plans that work in practice. With regulations such as the Digital Operational Resilience Act (DORA) raising expectations, testing and improving these plans are becoming essential for demonstrating operational resilience.

 

 

Michelle von der Fehr, Director at GOT YOUR BACK, who helps investment firms test their business continuity plans, responds to some recurring questions.

 

Why has business continuity testing become so important for Nordic financial firms?

 

The importance of business continuity testing has grown as the expectations of regulators and investors have evolved. Today, it is not sufficient to simply maintain detailed continuity plans; firms must demonstrate that their teams and management can execute them reliably under pressure.

Nordic financial firms are facing a rise in cyber threats, growing operational complexity, increased reliance on third-party providers, and expanding regulatory expectations. Regular testing is an efficient way to assess readiness, validate decision-making processes and ensure that teams and management can operate confidently during a disruption.

 

Testing also reveals vulnerabilities that remain hidden in day-to-day operations, for example unclear escalation routes, outdated or missing documentation, or gaps in roles and responsibilities. By surfacing these issues early, firms can strengthen resilience before a real incident occurs.

 

How does GOT YOUR BACK support clients with this?

 

We design and facilitate discussion-based tabletop exercises that simulate realistic incidents, from targeted cyberattacks to critical service provider outages. These controlled sessions let management and key teams practice responses in a safe environment.

Clients particularly value the opportunity to stress-test communication and decision-making. Challenges that appear simple in a written plan often become far more complex when played out in a scenario, especially when multiple teams must respond quickly and work together under pressure.

What are the main benefits of tabletop exercises?

 

A well-designed tabletop exercise helps organisations uncover both strengths and blind spots. It gives teams a clearer understanding of their roles, strengthens situational awareness and exposes gaps in communication, processes or escalation routines.

These exercises also add practical value by identifying flaws before they become real-world failures, clarifying roles and responsibilities during a crisis, and strengthening coordination between internal teams and critical external partners. At the same time, they provide a cost-effective way to reduce the likelihood and impact of incident-related losses.

Could you tell us more about your approach to designing these sessions?

 

We start by understanding the organisation, business model, critical processes and key dependencies. Scenarios are tailored to reflect the client’s reality.

 

During the session, we guide participants through the unfolding situation step by step. The format is interactive and adaptive. Participant decisions influence how the situation develops. Afterwards, we deliver an executive report with findings, practical recommendations, and suggested next steps.

 

What types of formats do you offer?

 

Formats vary based on maturity and objectives. Some firms prefer short, focused one-hour sessions for senior teams. Others choose half-day or full-day workshops involving IT, legal, communications and operations.

The essential point is that each exercise is relevant, realistic and actionable.

 

How do these exercises align with DORA?

 

DORA Articles 24 and 25 require firms to maintain a structured digital operational resilience testing programme. Scenario-based testing, including tabletop exercises, is a core component.

By running these exercises, firms can demonstrate that they have validated their continuity and crisis procedures, that their teams understand them, and that they are actively improving their readiness. It gives supervisors and investors clear evidence that resilience is not just theoretical.


For more information about GOT YOUR BACK's compliance services, please contact Mark Smyth: