How to Develop a Business Disaster Recovery Plan
The reality of a disaster striking your business’ data and network is greater than it has ever been because of the complexity of our Information systems and the malware outbreaks over the last two years (think WannaCry and other Ransomware). Creating a Business Disaster Recovery Plan can be a daunting task because of the wide variety of disaster types, the impact a disaster can have and the many ways to manage the disaster. To get you started planning, here are seven areas to consider or learn how to plan for disaster recovery with our free guide.
1: Identify Potential Types of Disaster
This can be a pretty big list. Gather all the possible disasters, big and small and make a list. Here are some to get you started:
- System hardware failure
- Internet connection down
- Loss of power
- Disgruntled employee
- Data corrupted or encrypted
- Natural disasters: Flood, tornado, lightning strike, hurricane, earthquake
- Avian flu epidemic
- Act of terrorism
Each of these can have subsets of “mini” disasters or other consequences.
2: Assess the Probability of the Disaster
Now that you have the complete disaster list, do a risk assessment of how probable the disaster is going to happen, it may look something like this: (1 is least likely; 5 is most likely)The point is to try to get a good risk analysis of the disasters, which leads us to the next point.
3: Rate the Impact of a Disaster
Consider the effect the disaster has on the business. If we take our examples it would look like this:
(1 is minimal or no impact to business functions; 5 is high impact to business functions)Between the probability and the impact of the disaster, we now have a way to gauge the risk of a disaster to our organization.
4: Determine Recovery Tolerance
This is a two-part risk management question:
- Recovery Time Objective (RTO): How long can your business-critical functions be down? OR How much money per hour do you lose by being down?
- Recovery Point Objective (RPO): How much rework are you willing to do?
Here's an Example: Your healthcare organization processes patient records for small dental offices. Someone on your staff opens an attachment in an email at 5:00 pm from a friend and it encrypts the patient records database, so your business stops. How long will it take to discover the problem, assess it, discuss options, pay the bitcoin ransom, or recover the database from backup, remount the database in the application, and be back in business? The length of time it takes to do this is the Recovery Time. If you choose not to pay the ransom and recover from backup, and your backup was from last night at 8:00 pm, the time between the last backup (8 pm the night before) and the time the disaster struck (5 pm today) is the Recovery Point, in this case, a loss of a day of processing records.
Want to find out what your potential costs are during downtimes? We created a Disaster Downtime Cost Calculator that can help you determine your RTO and RPO.
5: Identify Impact on Assets
This is a list of the people, customers, vendors, applications, data and systems impacted by the disaster. Here are some examples to get you going:
- Cloud application vendor
- Internet provider
- Client databases
- Employees can’t get to work
- On-Premise applications
Different disasters affect different assets; plan for each disaster and think about what asset is being compromised, and how to recover from the compromise.
6: Build a Disaster Recovery Team
Decide who will be involved in building the plan. Who will test the plan? Who will execute the plan? Who will keep the plan up-to-date when changes to vendors, employees, and applications occur? Teams to consider could look like this:
- Planning Team: Creates the plan; typically involves a person from each department
- Test Team: Tests the various disaster scenarios and does a gap analysis
- Emergency Response Team: Leads and executes the plans
- Management Team: Keeps the document and procedures up-to-date
In smaller organizations, typically the Planning and Management team are one and the same, and the Test Team and Emergency Response Team are the same.
7: Create Documents
This one is to give you an idea of what you need in the Disaster Plan Addendums, it is NOT a complete list by any stretch of the imagination!
- All mission critical applications
- All systems and networks supporting those applications
- All ancillary applications supporting those applications
- Employees and their roles
- Emergency agencies and contact information
- Vendor contact information
- Insurance coverages, account and contact information
- Teams from above and contact information
- How to communicate to employees, their families, the customers, and the media
- Legal team contact information
Many organizations go out of business when a disaster strikes and if they would have had a plan in place, no matter how much of a budget they have to do it, it would have saved them.
Want to know exactly what a detailed disaster recovery plan should entail? Download the Disaster Recovery Guide for free! Learn about the challenges, needs, strategies, and more to help keep your business running smoothly and to help avoid potential IT disasters.
Mike is the Director of Operations for Loffler's IT Solutions Group. He has been in the IT field since 1993 and was previously an owner of a successful IT solution provider for 12 years. Mike has managed both security and managed service teams and consulted on IT management for both large and SMB organizations. Little known fact: While in college, Mike was the lead singer for a garage band called Mojo and the Kingsnakes. This is now known as “Classic Rock."