A Disaster Recovery (DR) Plan is a document that outlines how an organization can get back to full operations following an unplanned incident, this includes things like hurricanes, earthquakes, fires or an unexpected cyber-attack. Having an unexpected disturbance can have a huge impact on smaller companies, 40-60% of small businesses that lose access to operational systems without a DR plan go out of business. 93% of companies without disaster recovery who suffered a major data disaster were out of business within one year. Despite their numbers, 75% of small businesses have no disaster recovery plan objective in place, which makes them extremely vulnerable. Proper planning is essential to ensuring the longevity of your business, and it doesn’t need to be something extremely complex for it to be effective. Simply having a good data backup and a documented method of recovering from that backup would allow 90% of companies to recover from ransomware attacks. Here I offer some tips on how to develop a good disaster recovery plan:
Create a team specifically to design the plan
If you don’t have a disaster recovery plan you want to assign individuals to a team and make that team responsible for the document’s creation and upkeep. This way you have someone to hold accountable and it avoids confusions.
Identify Your Necessary Assets
This means making a list of the assets your business needs to remain in operation. This includes a list of physical assets like buildings, machines, equipment or even company data. But it can also mean things like intellectual property or key employees. The defining factor here is anything that your company can’t operate without, even for a short period of time.
Identify Potential Disasters for each asset
For each asset you want to identify the potential risks to it, this could include earthquakes, fires, hurricanes, political unrest, cyberattacks etc. You want to make this as comprehensive as possible and consider the specifics of your business such as your industry, location, competitors etc. While this can be exhaustive, you want to have a tailored plan for at least the top five disasters (ranked by likelihood) for each asset you have.
Create a plan to protect your assets in each Scenario
Now that you have a list of assets and potential disasters, you need to come up with solutions for each of these potential scenarios. This can be done in many ways but a simply way is to create a table.
Make a plan for your employees
Firstly, you need to identify leaders that will be extensively trained on what to do and how to help other employees follow the plan properly. During certain types of disasters the people that worked on the plan might not be able to communicate with everyone for various reasons so its important to have people trained that will be able to carry out the plan in your absence. Then you want to come up with plans for relocating your employees if need be and allowing as many of them as possible to continue working to keep the business going. The easiest way to do this is to allow your employees to work from home, this would allow anyone to continue working unless there is a nationwide or citywide disaster.
Create a communication plan
You need to come up with multiple ways of communicating during an emergency. Its not uncommon for communication to fail during a natural disaster and you want to have multiple methods of communication so that if one fails, you are still able to contact your employees and let them know what’s going on. Additionally, its important to regularly update your contact information and backup contact information so that you know the best way to contact your employees. Typically, its best to have a system were people can update their information themselves and simply give them reminders every 6 months or so to update any information that has changed. You may also want to have print offs of important contact information since email and other electronics might not be available.
Find an alternative business location
Its important to have alternative business sites in case your main building or work space is not available. You can do this is in different ways, some are more expensive but are faster to start using while others are cheaper but will require more work to become operational in the event of an emergency. For a small business this may not be an entire building, it might just be an office space where the key people in your business can go to and continue to work and keep the business up and running until you figure out a long term solution.
A good way to make sure this isn’t a waste of money throughout the months that you are not dealing with a disaster is to use this space for things like training, client meetings or special events. Additionally, you may want to setup your employees to work from home as much as possible, this is evident with the COVID 19 situation. Companies that already had work from home as an option for employees were able to adjust much easier than those that didn’t.
Continuously Test your Plan
The only way to ensure that you plan will work in a real-world situation is to test it. You want to ensure that:
You can protect all your critical assets
You have multiple means of communicating with employees
You know what actions your employees should take
You have assigned and trained people to carry out the plan
Your alternative locations are prepped and functional
In order to be confident on these points it’s best to carry out simulations to make sure that everyone knows what they need to do. You can perform these with varying degrees of realism, some may be tabletop exercises where you simply walkthrough a theoretical scenario with your key employees and discuss how the plan would go. You could also do full scale simulations, where you go to your hot site and switch over operations to see if it can sustain business operations with no problems. Simulations, like fire drills should be done regularly to ensure everyone knows what to do, even new employees and to ensure that you follow any industry regulations. As problems are found during these drills, the DR plan should be updated to prevent that from happening again.
Other Tips
Define your Tolerance Levels
You want to know what your company’s tolerance is for downtime and data loss. This means knowing things like your Maximum Tolerable Downtime (MTD), Recovery Point Objective (RPO) and Recovery Time Objective (RTO). This should be done for each critical asset that you identify during your DR planning and then based on this, you will know what needs to prioritized and what a successful disaster recovery scenario will be.
Check your SLA
Ensure that if you have outsourced any technology or important processes that your service level agreement defines their level of service in the event of an emergency (and be sure to have a good understanding of what defines an emergency). You want to have a defined timeframe that they will start working on a resolution and even a defined time on getting your systems back up. You also want the contract to outline what happens if they are unable to fulfill those promises.
Have a plan to deal with Media
If the disaster is something that was experienced by just your company, you want to have a plan for engaging with media. Know who is authorized to give statements and have them briefed on what to say and what not to say. Ask all your other employees to refrain from talking to the media, at least until you can get a handle on the situation.
Ensure Sensitive Information is handled properly
Be sure to handle sensitive information with the proper protection even during a crisis. Sensitive information includes things such as a company secrets, consumer’s personal information etc. You want to have the right authentication methods in place so only people that have a need to know will be given access to that information.
Common types of disasters you can plan for:
Application failure
Communication failure
Data center disaster
Building disaster
Campus disaster
Citywide disaster
Regional disaster
National disaster
Multinational disaster
Cloud infrastructure failure
Recap
A disaster recovery plan is all about how a business can recover from a state of emergency and continue its business operations. It begins with identifying your companies critical assets, then identifying the types of disasters that will likely affect those assets and then come up with a plan to restore business operations in the event of those disasters. An effective disaster recovery plan includes contingencies for communicating with employees, moving operations to a backup site and ultimately restoring company services within the Recovery point objective (RPO) and recovery time objective (RTO). By doing so you ensure your company will recover from a disaster before the damage is severe enough to cause your business to close permanently.