Your Step-by-Step Guide to Developing a Disaster Recovery Plan
September 7, 2016
As data becomes one of the most valuable and important assets a company holds, there is a tendency among businesses to establish nothing but data backups and call it a disaster recovery plan. They believe that if something goes wrong they can simply restore the data and get on with it.
Unfortunately, this is only one small aspect of a disaster recovery plan. According to FEMA’s statistics, about 40 percent of businesses struck by disaster never reopen afterwards. Of those, another 25 percent are defunct within another year following the disaster. The single most potent tool for reopening those doors and carrying on with business is a sound, proven disaster recovery plan. Here’s how to develop one that you and your business can rely on.
Develop a Risk Assessment
What potential disasters is your business most at risk of experiencing? If any one of those disasters strikes, what would the impact be? A risk assessment answers these questions so that you can ensure your disaster recovery plan adequately addresses the risks your business actually faces. There are typically four risks every business faces in relation to the company’s ability to function. A risk assessment is designed to mitigate risks that can cause any of these scenarios:
• A loss of the business’ facilities (or access to the facilities)
• A loss of business data
• A loss of the IT department’s services
• A loss of essential skills to run IT and/or the business itself
Determine which scenarios might cause one or more of these situations; those are the risks your disaster recovery plan needs to address.
Managing People During a Disaster: Roles & Responsibilities
Most businesses make the mistake of jumping right to the technology part of a disaster recovery plan, forgetting that technology is nothing without the people to run it and somewhere for it to run. So, the first part of your disaster recovery plan should focus on the people.
The most efficient and failsafe way to create a plan that works in practice is to assign roles, and then to designate specific responsibilities within those roles. While you’re doing this, don’t forget that some disasters may render people unable to be there. Establish backup personnel for each function.
By addressing recovery needs based on designated roles, you don’t have to know the specific details of every potential disaster. For example, a tornado or hurricane might cause any level of damage, from a simple power outage to total devastation. When you’ve assigned general roles, people can easily adapt the plan for any situation, so long as they know what they are responsible for getting back to operational status.
While developing your plan, keep in mind that a significant recovery process is long and grueling. There may be lots of emotions (fear, fatigue, frustration) and the teams need things like refreshments and a place to rest. Put as high a priority on these things as you do on data recovery and communications. People who are well cared for will truly amaze you with their ability to step up and overcome even the greatest of obstacles.
Managing Facilities During a Disaster
Great people need a good place to work to help you recover, so every disaster recovery plan should include a viable method for restoring facilities to operational status, as well as an alternate place to relocate to in case primary facilities are rendered useless. One means for doing this is to contract with a disaster recovery site provider.
If you choose this option, be sure you understand what you’re investing in. A hot disaster recovery site is one already equipped with computers, communications, etc. Essentially, your workers would simply walk into these facilities, power up, and resume business operations. A cold site is just the space; you must provide the equipment when and if needed. Naturally, a hot site is much costlier. Alternatively, you can DIY your recovery site. Any facilities you own or can get quick access to will work, so long as they are equipped with the basic essentials like power service.
When planning, just remember that a widespread disaster in your area is going to cause an immediate and urgent need for everything — equipment, undamaged living and working spaces, and supplies. It’s an excellent idea to have generators and fuel stowed away in the event that you can’t get these things immediately following a widespread disaster, plus any other essentials that are likely to be difficult or impossible to come by in such a situation.
Managing Technology During a Disaster
As you draw up your disaster recovery plan, don’t think in terms of immediately fully restoring all your systems to their pre-disaster state. To do so is essentially setting up your recovery teams for failure. Outline the essentials, the nice-to-haves, and the maybe-laters. This method puts the least stress on your recovery team, while putting them in the best position to succeed. Essentials include everything that you have to have to function as a business. If you’re using mostly cloud-based applications and systems, this part of the process might merely be a matter of setting up some computers, running some networking cables, and logging into your cloud service providers.
Most businesses, however, are still using onsite data centers. In this case, your ability to recover is going to be based on how well you’ve backed up and how wisely you’ve stored your backups. Businesses that have only onsite backup copies quickly realize that the disaster that struck their main systems has also rendered their backups unusable. These businesses are usually among the 40 percent that never reopen. Offsite or cloud-based backups are your only hedge against this scenario.
Your disaster recovery plan should include a timeline for completing each phase of the recovery. The phase for restoring mission-critical operations needs to be as short as possible, allowing more time and an easier pace for restoring nice-to-have and maybe-later technologies.
Also, make it abundantly clear what functionality belongs in each phase of the restoration process. What you don’t want are situations like the marketing manager or human resources manager pressuring your recovery team to restore systems out of order. Eventually, everyone will be restored. But your business’ ability to serve the immediate needs of your customers and to not turn away any customers in the meantime is the first priority. The rest has to come after essential revenue streams are secured.
Disaster Recovery Documentation
When all is said and done, the success or failure of your disaster recovery plan hinges as much on documentation as anything else. Draft documentation that can be easily and quickly followed, even if workers are in shock, tired, and afraid. Along with the roles and responsibilities, include contact information for your hardware and software vendors and a copy of your current IT asset management list. You’ll also need things like account numbers, passwords, access codes, etc. As with every other part of your disaster recovery plan, it is essential to keep copies of your documentation offsite, for the same reasons that you need offsite copies of your backups. A cloud service is ideal for keeping documentation safe from any disaster that befalls your business.
The documentation should also specify the threshold at which a disaster recovery plan is initiated. Ordinary, everyday issues should be handled by your incident response plan. Disaster recovery is something to break out only when the data breach, data center outage, natural disaster, etc. is significant enough to warrant a recovery process. Detail when the disaster recovery plans are to be triggered, and make sure your incident response plan is capable of handling any event below that threshold.
Testing & Updating a Disaster Recovery Plan
Testing a disaster recovery plan is often done so horribly wrong that many experts are recommending you not even bother with it. In most cases, testing the plan is a planned, rehearsed exercise that does no more than prove your team can follow a script. Unfortunately, real-life disasters don’t come with scripts. These situations come at inconvenient times, with little or no warning, and almost never look and act as expected. If you’re going to test your DR plan (and you should), make sure the test is worth the time and effort spent on it.
Finally, it’s common for businesses to create a plan, run through it a time or two with their teams, and stow it away for a decade ‘until it’s needed’. By then, all of your systems have been replaced, key personnel have come and gone, and your disaster recovery plan is wholly inadequate to help you restore systems and operations. It has to be reviewed. Generally speaking, anytime you need to update your asset management system, your payroll system, or any vendor contracts, it’s also time to update the disaster recovery plan to reflect those changes.
Disaster recovery isn’t just about hurricanes and earthquakes and fires and floods. While those situations make fabulous fodder for the evening news and hit Hollywood flicks, the most common disasters faced by IT teams in real life are server failures, data breaches, and other ‘dramas’ that don’t draw the news crews but do draw downtime, revenue loss, and customer angst. Whether you’re preparing for Armageddon or just the inevitable hacker, a managed service provider can help you with the disaster recovery plan you need. Contact us to request a quote today.