Denmark is not prepared for IT disasters and attacks. The state auditors selected 13 of the approx. 4,200 public IT systems and examined their recovery plans and procedures. A few were fairly well prepared, most were not, and one system was completely unprepared for anything to go wrong.
None of the recovery plans were adequately tested, and five systems had not tested their recovery plan at all in the last three years. For outsourced systems, half of the contracts did not require testing the recovery plan (!).
But at least the Danish state has an office that examines these things and issues a report. Who is responsible for evaluating the disaster recovery plans for critical systems in your organization? You cannot leave that to the individual system owners.