It seems counter-intuitive, but in some areas of business management, planning for the worst is actually planning for your brightest possible future. This is no truer than with disaster recovery (DR). DR covers the processes and technology deployed to recover IT and connectivity following a “disaster”, starting with a meticulous and robustly tested plan. When disaster inevitably strikes, an effective plan could mean the difference between an hour of downtime and your business closing its doors. To help you get started with creating, checking or refreshing your DR plan, read this ten step template about how to create a disaster recovery plan.
- Secure board buy-in
Making a business case for disaster recovery is relatively straightforward. What, with the consequences being temporarily stalled operations, financial and data loss and expensive remedial action. This message speaks to every board member but, by no means guarantees unobstructed DR spend or delivery of your plan in its preferred form.
DR planning and the subsequent process and technology implementations require significant resources and involvement from colleagues across the business. Putting forward a solid rationale for business continuity benefits will ensure that senior decision makers are fully bought in to your proposal and will allocate appropriate budget.
- Assign project managers
You may have the necessary resource, experience and skill to develop and test a DR plan in-house. However, the vast majority of companies turn to a third-party specialising in DR to either run their planning project, or heavily supplement their internal teams. Whichever route you decide, assigning a project manager and individuals responsible for delivering specific aspects of the project will ensure progress keeps on track.
An ideal project management team will be a balance of strategic business, operational and IT roles. Operations Managers or Directors, IT Managers and colleagues dealing with data processing should be key members.
- Establish threat sources and their impact
This next step of DR planning will see the development of a risk assessment and a business impact analysis (BIA). This process will identify likely sources of threat to business continuity, judge the likelihood of them occurring and predict the damage they can cause. Although every major threat should be accounted for, many organisations triage their resources into the most likely and devasting disasters.
Threat sources typically include:
- Severe weather such as flooding or storms
- Natural disasters
- Theft or vandalism
- Electrical or gas failure, especially if you have machinery
- Internet or IT connectivity outage
- Hardware or software failure
- Data loss
- Cyberattack, including ransomware and viruses
- Strike or attendance issues
Next, perform your business impact analysis for every site, if you have more than one. You will need to analyse the process, policies and equipment dependent on IT, plus the applications that operations depend on and where (and how) business-critical or sensitive data is stored. When undertaking this exercise, you should have one key thought in your mind: how long can we operate without IT?
- Evaluate operational priorities
Disaster recovery must work in stages, prioritising restoration of processes and technology that enable business-critical operations to resume. As such, your project management team must analyse each department within your operation and prioritise the effects of threat sources on them. Your evaluation will determine how DR investment and resource is triaged and the order of your DR process.
- Work with real data
Precision and timelines will make or break a DR plan. Therefore, before documenting your plan, you must gather real data on how departments operate and the steps they say are essential to fully restoring operations. It is extremely helpful to speak with a key member of staff from each department and work together to plan for a worst-case scenario – always starting backwards!
A disaster can have knock-on effects beyond your four walls, such as a customer data breach or a broken supply agreement, so reviewing insurance policies (especially cyber insurance) should be factored into a DR plan. For example, most cyber insurance brokers will not pay out in the event of a cyberattack unless specific cybersecurity and DR technologies are in place.
- Document your DR plan
At this point you should have collated sufficient data and laid out a clear enough strategy to document your DR plan. You need a plan for each key threat your business faces, and within this address the immediate steps that must happen (i.e. identifying and diffusing the threat, securing sites, ensuring that staff are safe and reverting to your failover system) before any IT recovery and data restoration begins.
You also need to document the equipment, technology and third parties involved in your DR plan, should further work be required.
- Develop a testing criterion
What does successful disaster recovery look like for your business? What determines a “pass” for your DR test? Answering these two questions is fundamental to the successful delivering of a DR plan.
Take the next step to create a disaster recovery plan and develop a robust criterion to assess whether your testing makes the grade. Your most important indicator will be if your business actually recovers but should also account for recovery time objective (how quickly you recovered), recovery point objective (the maximum time that data can be lost) and how much data is recovered.
- Implement DR technologies
Disaster Recovery typically involves a bespoke set of control measures designed to mitigate threats to business IT. DR control measures are typically classified as:
Preventive measures – Prevent the threat from occurring
Detective measures –Detect and discover the threat
Corrective measures – Fix the threat if it does occur
Depending on your business’ operational and data storage requirements, DR implementations usually fall within one of four categories: on-premise, remote data centre, virtualisation/cloud-based or Disaster Recovery as a Service (DRaas). You can read more about DR technologies here.
- Test the plan
A DR plan is simply a document if it isn’t tested. This will allow you to ascertain if technology functions as intended to meet the testing criterion. You will also understand where your plan isn’t fit for purpose, identify any unforeseen problems and use findings to adjust your plan.
We’ve heard shocking accounts of DR plans becoming outdated before they were even put to the test, resulting in significant data loss and inoperability. Don’t be like these unfortunate companies!
- Obtain approval and assign responsible owners
Once confident with its effectiveness, submit your plan to the decision makers you secured approval from at stage 1. When signed off, we recommend assigning responsible owners for various functions to ensure that everybody will jump into action should disaster strike.
It is also a great idea to share your plan with all key members of staff. If something does go wrong, they will understand the business risks connected to IT infrastructure and allow you to simultaneously manage their expectations and raise awareness of continuity threats.