Natural disasters such as earthquakes, tornadoes, and hurricanes happen. So do man-made ones such as fire or data loss. Even though you can’t predict if and when a disaster will strike, you can prepare for one. A disaster recovery plan and business continuity plan can help keep your business going and mitigate any loss that a disaster might bring.
Types of Disasters
Disaster is a relative term because disasters can occur in varying degrees. They generally fall into two categories, natural and man-made.
A natural disaster is a major adverse event resulting from the earth's natural hazards. These include floods, tsunamis, tornadoes, hurricanes/cyclones, volcanic eruptions, earthquakes, heat waves, and landslides. Some of these such as hurricanes and earthquakes only affect certain areas of the country. But they can inflict billions of dollars in damage to a region, literally overnight.
Man-made disasters are the result of technological or human hazards. These include fires, bombings, industrial accidents power outages, cyber attacks, and nuclear reactor malfunction.
What Is a Disaster Recovery Plan?
A disaster recovery plan (DRP) is a documented process or procedures to recover and protect your business’ IT infrastructure when a disaster occurs. The document includes actions that must be taken before, during and after a disaster. These disasters could be natural, environmental or man-made. Any event that would cause IT operations to cease for an extended period of time would be classified as a disaster. Sometimes people refer to a DRP as a called a Business Continuity Plan or BCP.
While there are differences, some companies merge them together into one document. A business continuity plan is a written strategy to help business owners and employees prepare events that operations. A disaster recovery plan describes how to resume business operations quickly after a disruption and applies to the business’ IT infrastructure and applications.
The objective of a disaster recovery plan is to minimize downtime and data loss. THis also means keeping the disruption of operations to a minimum ensuring a certain amount of organizational stability.
Types of Plans
When you are writing your disaster recovery plan, keep in mind there is no wrong way to approach it, and every plan is unique to the business.
There are however three strategies that are commonly found in disaster recovery plans:
- 1Preventive measures
- 2Detective measures
- 3Corrective measures
They are just as they sound. Preventive measures seek to prevent a disaster from occurring. This means identifying and reducing risks. Examples of preventative measures include backing data up off-site, installing generators and using surge protectors.
Detective measures ones that look for any problems within the IT infrastructure. These measures can be installing and testing fire alarms, monitoring cyber attacks, and training employees about information security.
Corrective measures restore a system an event occurs. These may include securing proper insurance policies or having debriefing sessions to identify what steps can be taken to prevent the event from happening.
Why Is It important?
Disasters can strike anywhere, regardless of what business you have. From data security breaches to natural disasters, there must be a plan in place if you want to resume day-to-day operations as quickly as possible. The news is filled with reports on widespread data breaches that can affect millions of customers.
Even though this kind of disaster is not physically damaging to your business, it can hurt your reputation. A loss in the public’s trust equals loss of customers and money. Then there are the storms, fires, and floods that cause billions of dollars of damages in their wake. Hurricane Sandy (October 2012) caused $65 billion in damage. Most organizations cannot afford unplanned and extended downtime. The National Small Business Association reported that a year after Hurricane Sandy, 83 percent of organizations still lacked a plan.
Yet 53 percent of business can only absorb less than an hour of downtime before revenue loss occurs. So the bottom line is: Not having a plan will hurt your bottom line.
Disaster Recovery Plan for Beginners
A disaster recovery plan must answer at least three basic questions:
There are many items that are required in IT disaster recovery plans, but these items will make your plan a solid reference to have during a disaster.
An ideal disaster recovery plan has:
- 1A contingency planning policy statement. This is a policy that allows for your business to have and develop a disaster recovery plan
- 2A business impact analysis this inventories and prioritizes elements of your IT infrastructure
- 3Identify preventive measures. What is and what can your business do to reduce the impact of disruptions
- 4Recovery strategies. These are steps needed for systems to be recovered quickly
- 5IT contingency plan. Details and procedures for system restoration
- 6Plan testing, training, and exercising. Testing the plan identifies the weakness in the plan. Training prepares employees helping with the recovery
- 7Plan maintenance. The plan is a living document should be updated regularly and reflect system changes
Steps for Developing a Plan
First, the plan developers and those involved with internal technology, applications, and network administration should meet and define the scope of the plan. Keep company leaders and IT leaders informed of what is decided. Then get all relevant network infrastructure documents. Then gather existing IT and network disaster recovery plans.
If you have no such document do the following:
- 1Identify IT infrastructure threats
- 2Identify weaknesses in the system
- 3Review previous outages and disruptions and actions taken
- 4Identify critical IT assets
- 5Determine the maximum outage time if these assets fail
- 6Identify current operational procedures during an outage
- 7Find out when these procedures were last tested
- 8Prepare the People
After all that is done, you can move on to the next step which is determining your emergency response team for critical IT infrastructure disruptions. Assess the level of training this team would need in dealing with a critical outage.
Assess your vendor emergency response abilities. Have these been used in the past and how much is the company is paying for them? What the current contract states and if there are any vulnerable areas that need to be addressed.
Take all of this information and create a gap analysis report that identifies what is currently done versus what should be done. Include recommendations on how to reach the desired level of preparedness and the estimated cost associated with achieving it. Have management review the report and agree on recommended actions. Update the existing disaster recovery plan any changes.
Testing the plan means documenting test parameters, objectives, measurement criteria, test methodology, task plan charts, and timelines. The Disaster Recovery Plan is tested to make sure your business can continue critical business processes if a disaster occurs. Recovery procedures must be do-able and accurate.
Testing the plan also trains the people responsible for carrying out the Disaster Recovery Plan. The testing does not need to yield flawless results; it needs to assure that the problems encountered are fixable. Best practices dictate that plans be tested and evaluated at least once a year.
The tests should provide your business with information such as:
- The feasibility and compatibility of backup facilities and procedures
- Areas in the plan that need changes.
- The ability of the organization to recover.
- Motivation for keeping the plan accurate and updated
Part of the training is educating employees about where to store their files so that all files are included in the data backup. Training should also include how cyber attackers can trick people into letting them access IT networks. Employees should also be involved in disaster recovery efforts. Make sure all employees know who to contact in an emergency and give them tasks to do to stay productive during the recovery.
Updating Your Plan
It’s important to keep your disaster recovery plan updated because outdated plans are useless.
Words of Caution
No process, especially if it’s a new one being introduced to your business is without its pitfalls. Be prepared for these pain points:
Management may be apathetic to the drills and testing involved with a disaster recovery plan. Worse yet. CEOs can fail to make disaster planning a priority.
This is a huge contributor to a plan’s failure.
Forgetting the Big Picture
A disaster recovery plan that doesn’t consider the ripple effect of the disaster on business operations outside of IT. For example, a corporate office lost to a disaster can mean hundreds or thousands of people are teleworking. This can overload a company's VPN and tax IT support staff.
Securing data can and should be a priority in disaster recovery. Not only do you need secure ways to transmit data you need to document every step taken during a recovery period securely. Highly regulated industries, government agencies, etc. are accountable even in disasters.
Every day, businesses have to contend with disasters. Those businesses that have developed, maintained and tested their contingency plans will recover from even the worst disaster. Still almost half of the companies are complacent, assuming that the power will stay on, the telephone system continues to operate, everything will be business as usual.
This is a dangerous view to take. Even if your business has zero for a disaster recovery plan, you can start one today. It doesn’t have to be volumes of procedures and overly complicated. It just has to be accurate.