What is a disaster recovery plan and why do you need one?
You can’t always prepare for unforeseen events in life (thanks, 2020 for making that abundantly clear!), but you can plan for them as a business. Putting a structured, documented disaster recovery plan (DRP) in place that protects your business from the impacts of major incidents will give you and your colleagues peace of mind and ensure that things run smoothly if something untoward were to happen.
Examples of ‘disasters’ that could impact your business include: natural disasters, cyberattacks, death of a senior employee, total loss of power, total loss of all communications, and hardware or software failures.
Ensuring business continuity and therefore minimising and mitigating disruption is the obvious priority when disaster occurs. If there is no plan in place, then service cannot continue, and the business may lose out to competitors while you get back on your feet. No one wants to lose money or their reputation in such a situation. Equally, putting in place a DRP has the added bonus of reducing your insurance premiums and any potential liability, as well as fulfilling regulatory requirements, especially as your business grows.
So, what exactly is a DRP?
A disaster recovery plan is a set of tools and procedures that an organisation can use to recover from the major disruption to its IT assets and to get the business back on its feet as soon as possible. Disaster recovery planning can involve a variety of approaches depending on the organisation’s existing assets and recovery goals.
How do you create one?
A DRP can be as simple as a single document, made readily available to all staff (on- or offline). All personnel should know their role within the plan, and you should allocate a Disaster Recovery Team (DRT) who will be ready to implement the plan when and if it is needed.
A DRP will look different for each business, because priorities differ – what’s important for one business might not be so for another. It will also need tweaking according to what incident is being dealt with. Here is the typical structure for such a plan:
1) Goals – what your organisation aims to achieve in a disaster. What is most important, and what needs to be done in what order? For example: getting back online, recovering data or looking after staff.
2) Specific objectives – determine your Recovery Time Objective (RTO), which is the maximum downtime allowed for each critical system, and the Recovery Point Objective (RPO), the maximum amount of acceptable data loss.
3) Staff – who is responsible for executing the DRP? This is your DRT. They will assess risks specific to each unforeseen event, tweak and roll out the DRP accordingly, according to the impact each could have on the business. Be sure to establish an agreed chain of command, in the event that something happens to a senior member of staff.
4) IT inventory – list your hardware and software assets, their criticality, and whether they are leased, owned or you use a specific service.
5) Backup procedures – how and where each data resource is backed up (on which devices and in which folders), and how to recover these from backup.
6) Other disaster recovery procedures – emergency response to limit damages, last-minute backups, mitigation and eradication (for cybersecurity threats).
7) Disaster recovery mirror site – a robust DR plan could include a disaster recovery site. This is an alternative data centre in a remote location with everything backed up to it. Operations can be switched over to the mirror site in the event of an emergency.
8) Restoration – procedures for recovering from complete systems loss to full operations. You don’t want to crack open that fireproof safe to find a note with “TBD” on it!