Disaster recovery plans provide a detailed framework for organizations to rebuild their operations after natural disasters, cyberattacks, hardware failures, or unexpected financial challenges. They help disaster recovery teams to know exactly what steps to take when the unexpected threatens enterprise systems, offices, or people.
For businesses that heavily rely on their information technology infrastructure, disaster recovery plans are particularly critical—this includes any business that stores important customer information. It’s also important for CIOs and other decision-makers to thoroughly prepare before finalizing a disaster recovery plan, knowing the most likely disasters that threaten their organization and methods to mitigate them.
What is a disaster recovery plan?
A disaster recovery plan, or DRP, refers to the documentation and assigned roles that determine how an enterprise will handle disasters, including mitigating their effect and recovering from any resulting setbacks.
The term “disaster” is relative and can refer to any number of occurrences that disrupt operations. Weather events, like hurricanes or tornadoes, may prompt the activation of a DRP. Disasters can also be man-made, and they can stem from power outages caused by human error or even acts of cybercrime. A properly designed DRP will clearly identify what constitutes a disaster so that when and why the plan is activated are clear to executive leadership and the disaster response team alike.
Disaster recovery plans take time to create; they should consider all the major risks the business faces and take inventory of the technology and personnel available to handle risks.
Disaster recovery plans should be extremely specific, not only detailing each risk but also recording each step an organization should take after a disaster occurs. This specificity includes each employee knowing the role they play and what tasks they’re responsible for in the recovery process.
Disaster recovery plans should also record the ways in which a disaster would typically impact the organization. For example, if a tornado hits a data center in Iowa, what will this mean for the data on the servers in that center? Will they fail over to a center in Utah, or are those servers not backed up yet? Knowing the details of each disaster’s impact will help businesses know exactly what steps they should take both before and after a disaster.
Types of disaster recovery plans
Disaster recovery plans vary in focus, which allows businesses to choose the DR approach that makes the most sense for their IT infrastructure and budget.
Data center DRPs
Data center DRPs should be comprehensive, covering risks posed to servers, backup systems, critical applications running in the center, databases, and the physical premises. A DRP for data centers prepares servers in different locations to take over when one server fails. It also prepares personnel with instructions to handle an outage or a disaster.
Hot site DRPs
A hot site disaster recovery plan stores real-time data, which can be rapidly recovered if the original copy of data goes down in another location. Hot site DRPs are ideal for enterprises with mission-critical applications and data; these include CRM platforms, databases, or high-traffic web pages. Businesses with limited DR budgets may struggle to run a hot site for extended periods of time.
Cold site DRPs
Cold site disaster recovery plans are focused on providing premises for enterprises to use a stand-in data center or office location if a disaster like the aforementioned tornado prevents normal operations on their current premises. Cold site DRPs aren’t ideal for rapid recovery because they take time to build—typically, the technology isn’t set up prior to a disaster. But there is a physical location available if the organization needs to provision servers, deploy applications, or simply set up a new office space after a disaster. Cold sites are lower-cost than hot sites because they aren’t constantly maintaining servers.
A DRP based on virtualization involves running backups on virtual machines; this allows businesses to back up not just data but their whole infrastructure. An entire computing environment can run on virtual machines, which means it can be moved to a server in another location if the original location has a natural disaster or outage.
Disaster recovery as a service is managed by a DRaaS vendor, a provider that handles all aspects of a DRP. DRaaS can be very valuable for enterprises that don’t have the resources or personnel to develop a full disaster recovery plan. Though it can particularly help small businesses, DRaaS doesn’t afford businesses as much control over their disaster planning. The vendor performs all of those functions, which can be a risk in itself.
Some disaster recovery plans are simply called backup plans. They’re more straightforward, but they aren’t comprehensive. Although backup is an important part of a disaster recovery strategy, it is an incomplete form of DR. For a DRP that serves your business over the long term, you’ll need to develop it further than just backups. Disaster recovery encompasses more than multiple copies of data; it also takes into consideration where those backups are stored, how quickly a business can recover them, and the potential cost of a longer recovery time.
Disaster recovery plan considerations
When your business is implementing a disaster recovery plan for the first time, consider your business’s size and employee involvement, likely disasters and risks, key assets that must be protected, and regulatory standards.
Enterprise size and team involvement
If your business is large, you may have more individuals in the organization who can participate in a designated DR team. Adding steps to a DR plan depends somewhat on how many team members can carry them out. If you have a smaller business, the disaster recovery plan will need to be tailored to the number of people involved, and team members may be responsible for multiple points within the plan.
Physical and natural disasters
Some natural disasters and risks aren’t as likely to affect your business, depending on its geographical location. Focus a DR plan on the threats that you know the organization faces regularly, while still allowing for the less common ones. For example, most businesses should prepare for cybersecurity risks, but not all will face high chances of flooding in their geographical location. Consider what natural disasters and other physical risks are major in your company’s operating region, and if you have multiple offices or data centers, make sure that data is backed up regularly.
While some disasters aren’t likely to harm your business, all companies are at risk from threats like malware, viruses, social engineering, and stolen data. Create a detailed section of your plan that covers recovering from a cyber attack. This can include a procedure for handling a ransomware attack. Also, record in the plan each cybersecurity measure that your enterprise already uses to protect systems and networks.
Key assets to protect
Disaster impact can include losing technological assets, like employee devices, data center hardware, and critical applications. Ensure that your plan includes recovering from potential asset loss. If a server hosting key applications failed, what would your enterprise need to have in place to quickly compensate for the failure? In the case of data loss, a DRP should outline which stakeholders to notify. Additionally, some regulatory standards require companies to notify customers when their personal data is compromised; a DRP should outline a procedure for notifying customers when needed.
Some industries may be bound by regulations, like the ability to report where and how customer data is stored. The Sarbanes-Oxley Act, for example, requires businesses to provide financial reports and gives timelines for them to provide those reports. DRPs should include data protection features in case a disaster hinders reporting or data storage operations.
What are the steps to create a disaster recovery plan?
First, identify all potential disasters that your company faces. The more comprehensive the list, the better. Increased awareness for stakeholders, especially those on the executive team, is important if the company is going to prioritize disaster recovery.
Determine which risks from the list are critical for the business to focus on, such as the most likely natural disasters in the organization’s region, current cybersecurity threats, and common employee risks.
Determine the enterprise’s vulnerabilities. Do your office locations lack locked doors and keycards? Have your data centers implemented next-generation firewalls or network segmentation? Do you have unsecured IoT devices? Is your office on a geographical fault line? Knowing each vulnerability helps your DR team plan more specifically.
Designate a team responsible for managing and updating the DRP. Then, assign specific roles and responsibilities to each team member. One employee on the executive level might be responsible for reporting all disasters to the rest of the executive team, and an IT employee might track all potentially malicious patterns on the network and add traffic anomalies to the DRP.
Document all DR processes thoroughly. Ensure that your company records each step of a disaster recovery plan so that employees can quickly take mitigation steps once an incident occurs. This saves potential downtime and minimizes the number of questions team members will need to ask. With clear documentation, employees are empowered to act confidently after a disaster happens.
Determine the business’s ideal recovery point objective (RPO) and recovery time objective (RTO). The RPO is the point in time, prior to the outage, to which systems and data must be restored for operations to resume if a company’s system goes down. The RTO is the period of time after an outage within which the systems and data must be restored to the predetermined RPO. Planning for how much time and data a business is “allowed” to lose will help CIOs outline what’s needed in their DRP. That way, the company can make provisions for backup infrastructure, redundant power supply, backup data access, and continual backup.
Track and assess how the DRP works when the first disaster happens. Did the series of mitigation actions taken by employees make sense, or was it difficult to follow? Did recovery measures happen in the right order, or was a step missing? A business’s DRP is only as effective as the efforts taken to test the plan.
Decide how often your company will reevaluate your DRP. Ideally, DRPs should be reviewed at least annually to make sure that the plan is effective in restarting operations. But your company may want to review it more often. As more risks are identified, and if a disaster does occur, your DR team will be able to add to the plan as needed. If your enterprise has a significant shift or period of growth, your DR plan must be evaluated to potentially change with it.
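The RPO and RTO step, together with the step on assessing how the plan performed, can be checked mechanically after a DR test or a real outage. The following is an added example, not part of the original article; the system names, objectives, timestamps, and the "verified" flag on each backup are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: objectives and backup history for two hypothetical systems.
OBJECTIVES = {
    "crm-db": {"rpo": timedelta(hours=1), "rto": timedelta(hours=4)},
    "file-share": {"rpo": timedelta(hours=24), "rto": timedelta(hours=8)},
}
BACKUPS = [  # (system, completed_at, verified_ok)
    ("crm-db", datetime(2024, 3, 5, 12, 0), True),
    ("crm-db", datetime(2024, 3, 5, 13, 0), True),
    ("crm-db", datetime(2024, 3, 5, 14, 0), False),  # job ran but failed verification
    ("file-share", datetime(2024, 3, 5, 1, 0), True),
]
OUTAGE = datetime(2024, 3, 5, 14, 40)
RESTORED = {"crm-db": datetime(2024, 3, 5, 17, 30),
            "file-share": datetime(2024, 3, 6, 0, 10)}


def assess(system, outage, restored_at, objectives=OBJECTIVES, backups=BACKUPS):
    """Compare what a test or real outage achieved against the RPO and RTO."""
    # Only verified backups that completed before the outage can be restored from.
    usable = [t for s, t, ok in backups if s == system and ok and t <= outage]
    target = objectives[system]
    downtime = restored_at - outage
    if not usable:
        # No usable backup: the recovery point is undefined, so the RPO is missed.
        return {"system": system, "data_loss": None, "downtime": downtime,
                "rpo_met": False, "rto_met": downtime <= target["rto"]}
    data_loss = outage - max(usable)  # work done since the last good backup
    return {"system": system, "data_loss": data_loss, "downtime": downtime,
            "rpo_met": data_loss <= target["rpo"],
            "rto_met": downtime <= target["rto"]}


def report():
    """Assess every system that has objectives defined."""
    return [assess(s, OUTAGE, RESTORED[s]) for s in OBJECTIVES]


if __name__ == "__main__":
    for row in report():
        print(row)
```

In the sample data, the hourly database backup schedule looks sufficient for a one-hour RPO, but the most recent job failed verification, so the actual recovery point is older than the schedule suggests.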