How to Create a Disaster Recovery Plan

In the hybrid IT environment that the business world is today, it's challenging for your business to bounce back smoothly and in good time when disasters strike if you don't have a solid disaster recovery plan in place. From natural calamities like floods and earthquakes to man-made problems like power outages and cyber attacks, there is no shortage of disasters that could cause catastrophic disruptions in your business. One great way to keep disasters in check and minimize their effect is to have a recovery plan. But what exactly are disaster recovery plans, and why are they beneficial? How do you even create one? Let's find out! A disaster recovery plan is a structured document that describes how a company, business, or organization can quickly and smoothly resume operations following an unexpected disaster. Also called DR Plan or DRP, a disaster recovery plan is an integral part of the Business Continuity Plan or BCP. It is the only part of a BCP that deals with business aspects that rely on a functioning Information Technology infrastructure. A DR Plan helps a business recover quickly from data loss and restore system functionality within the shortest time possible. A DRP is a step-by-step plan, preceded by risk analysis (RA) and business impact analysis (BIA), that maps out potential risks the business faces and what impact these would have if they occurred. Since it deals more with IT-related aspects, a disaster recovery plan is commonly referred to as IT DRP. The document focuses on strategies that prioritize data protection and recovery objectives to minimize the damages cyber breaches cause to a business. The various types of disasters a business needs a DR Plan for include:

• Communication failures
• Datacenter disasters
• Business premises disasters like fires, bomb threats, flooding, or building collapses
• Application failures
• Citywide, regional, national, or multinational disasters, depending on how big and widespread the business is.

When designing a DRP, a business must consider and define two main aspects: the recovery point objective (RPO) and recovery time objective (RTO). The RPO is the point in time to which a business must return when recovering its data or application. It shows that you are willing to lose that much data in a disaster. For example, you might want to lose only 30 minutes of data, meaning you have to do a data backup every 30 minutes. The RTO is the projected amount of time a business application or operation can remain offline without causing an unagreeable impact on the business. RTOs are measured in seconds, minutes, or hours. For instance, you can set the agreeable downtime to 6 hours after a disaster, meaning you must have recovered within 6 hours. Otherwise, you risk suffering unacceptable impacts on the continuity of your business. When setting the DRP, your business must consider the following aspects:

• Data at risk
• Your budget
• Available resources (physical items and human resources)
• Technologies the business uses
• Suppliers of required utilities
• Insurance coverage
• The stand of the management on risks
• Compliance requirements to be met

Disaster recovery plans have other contents besides the RTO and RPO, such as remote data backups, accountability charts, and DRP testing. A remote data backup is an auxiliary offsite backup for the most important data. It is a secondary measure for enhanced data protection and recovery. The accountability chart shows who is responsible for what activity in the recovery plan. DRP testing involves frequently testing the recovery plan to see if your business can meet the RPO and RTO if an actual disaster happens.

A disaster recovery planning is essential because of the following reasons:

• Minimizing interruptions to normal business operations
• Minimizing the economic impact of unexpected interruptions
• Ensuring a business meets compliance requirements by bodies like FINRA and HIPAA
• Improving customer retention
• Ensuring smooth and rapid restoration of services and operations
• Training your personnel with necessary emergency procedures
• Limiting the extent of disruption and damages caused
• Minimizing reputational loss
  

Most businesses do not have a solid DRP because they believe they are not at risk. The truth is that every other business is at risk of IT interruptions as long as it relies on IT and devices like desktops, mobile, and laptops. Creating a DR Plan might be a challenge, but it doesn't have to be if you know what you need to do in a disaster. Below are some pointers to guide you in making a draft disaster recovery plan.

Every employee should have a role to play in the disaster recovery plan. However, your in-house IT personnel should be on the frontline in ensuring everything runs smoothly and that you can quickly bounce back from a disaster that adversely affects your IT systems. Employees who aren't in IT operations can perform simple duties in the plan, like reporting noted cyber threats to their superiors or someone in the IT team. Everyone in the business should know what to do during an emergency occurs. Your plan should indicate the exact person that should execute what activity in the plan. For example, you should know beforehand who will deal with the data recovery process or notifying key stakeholders. It's not enough to note down who will be responsible for what exact action when a security breach or Internet crash occurs. There is every need to add alternatives if someone won't be available to execute their part. Who will replace them? Can they perform the task equally well? Another thing to consider is who will be responsible for executing the entire DR Plan. It could be the head of the internal IT team or an external partner, such as disaster recovery as a service (Draas) company.

When a disaster strikes, you must have a list of stakeholders to call to help with various aspects of the recovery plan. The list should feature internal and external players like lawyers, public relations experts, human resources (HR), IT personnel, and insurance services. The last thing you want to do in an emergency is to trip over cables in your office or ruin every paper on your desk trying to find contacts to call to help you contain the threat. You'll want to be composed when you make the calls to ensure you give clear explanations of the situation and instructions on what you want to be done. For ease of making calls, have the numbers of the contact persons against their names.

Your DRP should include a detailed outline of how you expect to proceed with business operations following a disaster. Most of the time, this is about determining how you will keep operating despite what you might have lost. Can you find a way around the lost data? Can you recover the data? If recovery isn't possible, how will you operate without it? Answering such questions helps you identify gaps in your IT system that you must fill to cushion your business better against unplanned disasters.

Communication from you to your customers is key when a disaster scenario occurs, even when they aren't the ones that notice it first. In an ideal situation, you don't want your customers to be the first ones to notice the problem and communicate it to you. Good disaster recovery planning calls for being proactive, such that you are always on your toes and ready for anything. When you use a Draas agency like Digital Fire, you can expect us to be proactive, catching risks before they happen and preventing them from happening.

A tabletop exercise is a discussion-style session where disaster recovery team members have an informal meeting to deliberate on each person's role in an emergency and their expected response in such a situation. If you are designing the recovery plan alone, you can hold this exercise in your head and try to take turns acting as the different players in the execution. The best way to do a tabletop exercise is to have everyone involved taking part in it. Completing the exercise alone won't be enough. You might want to simulate an emergency to see how every person plays their part.

After you have done all the above steps, you can make notes and file them together into a draft post disaster recovery plan that you can fine-tune with time.

If you can't make your own DR Plan from scratch, you can alternatively use a formal template derived from the web. The downside to a disaster recovery plan template is that it might not be as useful to you because it isn't authentic. It might not apply to your business, meaning it won't help you in a real situation. If you can't make a disaster recovery plan of your own, you can always reach out to an IT agency like Digital Fire to help you make one that best aligns with your business.