Your Disaster Recovery Checklist for Surefire Success
September 13, 2016
Floods in Louisiana. Wildfires in California. An earthquake in Italy. Disasters can strike anytime, anywhere, and without warning. When they do, they can devastate not only the people who are affected, but businesses as well.
According to the Federal Emergency Management Agency (FEMA), forty percent of businesses never reopen their doors after a disaster. And the U.S. Small Business Administration reports that more than ninety percent of businesses directly impacted by a disaster fail within the ensuing two years.
If you want to give your business its best chance to survive a natural or man-made catastrophe, you need to put in place a Disaster Recovery/Business Continuity (DR/BC) plan that provides a blueprint for management, employees, and other stakeholders to follow in getting your organization back up and running as soon as possible.
Here is a checklist you can follow to ensure that your plan covers all necessary bases.
1. Conduct a Business Impact Analysis
Your company’s business continuity management in the aftermath of a disaster starts with a Business Impact Analysis (BIA) conducted long before the emergency occurs. A BIA will help you identify your company’s critical systems, processes, and data that must be preserved and reestablished in the event of a disaster. Your BIA should address questions such as the following:
Who has to be able to communicate with whom? What data must be available, and which employees must have access to that data, if business functions are to be successfully restarted? What processes must be brought back online before operations can resume: email? call center? toll-free lines for customers?
Does the company have crucial or unique hardware for which duplicates must be maintained at some off-site location outside the potential disaster zone? What data must be backed up (again, outside the potential disaster area) on a monthly, weekly, daily, or perhaps continuous basis?
The answers to these questions, and others that may apply to your specific situation, will highlight the issues your disaster recovery plan must address.
2. Assess Your Risks
What are the types of events that could most severely impact the operations of your company? For example, are you located in a flood zone, or in an area where tornadoes or hurricanes are a frequent occurrence, or where earthquakes can be expected? A DR plan can’t cover every possible contingency, but you’ll certainly want to address those that are most probable in your area.
Some potential threats are independent of location. Events such as unauthorized intrusions into your information systems, loss of electrical power to your facility, and theft or sabotage by a disgruntled employee can happen wherever you are, and must be accounted for in your DR plan.
3. Lay out the organization and membership of your Disaster Recovery Team
Your plan should establish a DR response team with clearly defined membership and lines of authority. Which departments or functions within the company must be operational in the immediate aftermath of a disaster? Which employees (by job description) would be crucial to getting operations going again? Who is designated to lead the DR team, and what happens if that person is not available? How much authority does that leader have to make decisions and speak for the company during the emergency? Who has authority to declare an emergency and put the DR plan into operation?
4. Identify outside organizations whose help will be required to implement the plan
Community organizations such as police, firefighters, and EMTs may provide valuable input as you develop your DR plan. And by having your DR team establish relationships with them ahead of time, coordination during an emergency will be much more effective.
Are there vendors whose products or services will be required to get your business operational again after an emergency? Getting their input into your DR planning may pay dividends during your recovery.
One particular type of vendor may be of great assistance, especially to small and medium-sized businesses (SMBs), in developing and implementing a feasible DR plan. For most SMBs, a full-blown DR effort along the lines of what a large corporation might do is simply not financially possible. For example, many large entities maintain their own offsite backup facilities to ensure that required hardware and software are available in the wake of a disaster. This is far beyond the means of most SMBs.
Disaster recovery services vendors, on the other hand, can provide those capabilities at a fraction of the cost of dedicated facilities. If you choose to employ a DR vendor, you should work with them to determine how the various responsibilities addressed in your DR plan will be divided between the vendor and your in-house DR team.
5. Develop your communications plan
Your DR plan should specify how company communications will be carried out during and in the aftermath of an emergency. How will employees be contacted, and who is responsible for doing so? How will this be done if phone service is out?
Who will be the Point of Contact (POC) for dealing with the various partner organizations (police, fire, phone company, DR services vendor, etc.) who will be involved in the recovery process? Who is authorized to speak to the media and government agencies on behalf of the company during the emergency, and what types of information should they provide?
A list of people and agencies to contact should be provided at the front of the plan, not scattered throughout its body.
6. Specify data backup and recovery procedures
Data protection must be a high priority in your company’s disaster preparedness. Critical business data, as well as any specialized software applications that cannot be purchased off the shelf, should be backed up to secure, remote facilities on a regular basis. The methods and frequency of backups should be specified in the plan.
Be sure not to overlook accessory apps such as Excel or Word macros that employees may have developed and now depend on, but which your IT department may not even be aware of.
If your company computer networks are down, how will employees gain access to needed data? What provision will you make for the quick restoration of network availability?
For most SMBs, the most cost-effective means of providing secure backup for their data and applications is the use of cloud-based backup services.
7. Identify crucial paper documents and provide for secure copies
Many businesses have critical documents that exist only on paper, such as contracts, insurance policies, and historical files that have never been scanned. Your DR plan must make provision for storing copies of such documents in a secure off-site location in case a disaster causes the loss of the originals.
8. Plan for post-emergency alternative work locations
If your offices are not accessible after the emergency, will you expect to use short-term rented office space in which your team can resume operations? Or, will employees be encouraged to work from home? Do your operations require installation of computers or other types of equipment that must be accommodated in your temporary space? These issues should be addressed in the DR plan.
9. Lay out step-by-step procedures for the Disaster Recovery Team to follow
During and immediately after a disaster, confusion usually reigns. Having a pre-planned step-by-step procedure can be a life saver in such situations. Your DR plan should specify what needs to be done, by whom, and in what sequence. Obviously, events often won’t adhere to the scenarios envisioned in your plan, but having a written procedure can provide a level of stability in the midst of a chaotic situation.
10. Specify how the Disaster Recovery plan will be tested and updated
An element of DR planning that is often neglected, especially by budget-constrained smaller companies, is the testing and updating of the DR plan. An untested DR plan may contain critical flaws that remain undetected until an emergency exposes them. At that point, of course, it’s too late. An untested plan is an unreliable plan. Your DR plan should specify a test procedure that will be carried out at regular intervals.
Over time, your organization will change. Business processes are added or modified. New software and hardware solutions are employed. The lines of authority and communication within the enterprise may evolve. All this must be reflected in the DR plan. Otherwise, the plan that was perfect for your organization five years ago may utterly fail you today. That means the DR plan must be updated on a regular basis. Provisions for such updates should be part of the plan itself.
A good Disaster Recovery Plan gives your business its best chance of survival in the wake of a disaster. Here at TOSS C3 we would be happy to help you develop a plan that meets your requirements. Please contact us.