We must have heard this many times that “Our Business is Down”, when IT Systems are not working we don’t say that IT Systems are down but we say business is down, this is because today’s Businesses largely depend on Information Technology, which consists of Infrastructure and Architecture. Therefore, disruption for even few minutes will lead to financial losses, not only financial loss for one time, but you might lose the confidence of customers and partners for the life time.
For businesses it is important to continue, even if there is any disruption. For executives of businesses, it is important for them to understand that disaster can occur any time which will cause the damage to business, however to minimize the damage and to continue business during disruption it is important to have a plan available.
Disaster Recovery Plan helps organizations to take actions before disaster, during the disaster and after the disaster. Once plan is prepared, it is important to implement the plan and test the plan to ensure that whatever is mentioned can be achieved.
Disaster Recovery Plan is not the Off-site backup schedule. It is much more than that. It involves all the critical operations of businesses and the resources that are required to run those operations and finally how to continue the operations in event of disaster by safeguarding the resources and having a plan to run the operations with alternative resources immediately.
Disaster is highly uncertain. As we do the Insurance for uncertainty, we must also have the disaster recovery plan for the uncertainty. Insurance might cover the loss that might occur due to the disaster, but Disaster Recovery Plan will help to run the business again.
There are various other reasons to have the Disaster Recovery Plan.
In case you want to get the Disaster Recovery Plan written professionally, you can click here.
Disaster Recovery Plan -Objectives
- Protect and secure the Organization’s information Assets
- Safeguard company’s operations or business processes
- Ensure reliability of IT Systesm
- Prepare for the Disaster
- Minimize the disruption
- Minimize business downtime during disaster.
Critical Success Factors of DRP Process
Like any other IT Project, there are critical success factors, which must be considered during planning process.
Top Management Support
It is important for executives of the company to understand the importance of this plan. Business Continuity is their concern, therefore they must be involved during DRP process and they must support this plan. Which also means that they must show their commitment to allocate resources (financial and personnel).
DRP Steering Committee
Once top management shows shows commitment, now it is time to make a team who will prepare the Disaster Recovery Plan. Logically speaking, business Managers and IT Managers together should make this plan. IT Department shouldn’t make this plan in isolation. They must discuss this with Business Managers, this will help to understand the scope of plan.
Business Impact Analysis
Once steering committee is formed, now it is time to do the risk assessment. Where various scenarios can be discuss and its protentional damage can be assessed. It is important to list all type of disasters that can occur, i.e; Natural Calamity, Accidents, Technology Failures, Cyber Attack or other threats including pandemic considering Covid-19.
Each aspect should be analyzed. Probability and Impact should be obtained for all type of possible threats.
It is also important to consider the human element here. Human can cause the huge damage (internal or external).
Evaluation of Business
Every business has various operations, people, software, services, documents, policies and so on. Therefore it is Important to evaluation all the aspects of the businesses. When steering committee is formed, it may or may not contain the personnel from each department. Therefore, discussion should be done with each department head to evaluate or assess following aspects or their department.
- Key Staff members.
- Software and Applications specific to their department.
- Standard Operation Procedures and Policies.
- Computer Generated Documents.
- Physical Documents / Files / Folders
This will help to understand what is important to business and what is not, because disaster can impact all of the above or more aspects which are mentioned.
It is always good the mentioned all of above in table format when preparing the plan and mention the level of criticality. As some aspects of above can stop the business totally which means it is most critical.
Once business is evaluated, all the departments are assessed. Now we can determine the strategies for recovery, as DRP is mainly related to the Information Technology or Technology as mentioned in the beginning, therefore evaluation of IT Systems is also important. That include the following;
- IT Infrastructure
- Data Center
- Servers and other Hardware
- Operating System
- End user Devices
- IT Architecture
- ERP System – for Core Business Processes
- Enterprises System
- Data and Databases
- Automation Systems
- Data Processing System
- Application Software
- Business Intelligence System and MIS
First of all it is important to understand list the IT Infrastructure and Architecture components, which will be based on the criticality. Considering the critical systems and how much downtime business can afford, recovery strategy can be designed accordingly. There are various options as the following;
- DR Site : Traditional or Cloud
- DR Site Type – (Hot, Warm or Cold)
- DR Site on Public Cloud
- Reciprocal – Having agreement with other companies to use their site as DR for you and your for them.
- Local Service Providers
- Global DR Providers
- From above and many other, mixed approach can also be used, it all depends on nature of business.
When any of above option is chosen where external party is involved it is important to have an agreement with them, where cost, duration and detailed procedure must be mentioned. Other than this periodical testing of the DR should be done to ensure that external vendor can provide what has been agreed.
The contracts with vendors should include all the aspects including failure to provide the services, loss of business opportunity, including the response time, the technology and so on.
A demonstration must be asked prior to the implementation.
We have already seen in recovery strategy, where we might have taken some information of IT infrastructure and architecture and while evaluating business we have seen other aspects, but it is important to now go in deep and collect all the aspects the mainly include;
- IT Assets Inventory (Servers, PC, and all other components)
- Contact Directory – Critical Numbers including Emergency, Vendors and Staff.
- Physical Documents Details Including Insurance Policies
- Backup Strategy – Schedule and retention details.
- Backup Locations
- Office Equipment Inventory
Above list is just an example, we can collect as much data as possible. For the sake of data collection, we can also make physical or digital forms to speedup the data collection process.
Disaster Recovery Plan Components
The purpose of all the gathered information and documents is to finally write the Disaster Recovery Plan. Then the plan has to be approved by the Top Management. Therefore, well organized Plan has to be written. To make sure that that content is well organized, table of content must be formed. Which will help to avoid any redundancy that might be in plan, it will also help to organized the detailed procedure.
If company has already implemented Quality Management System then a standard format is advised. But DRP should become its own standard because multiple people will collaborate in writing the procedure, therefore standardization is important.
The plan must include all the aspects including procedures before the disaster, during the disaster and after the disaster. Therefore, the outline should be structured accordingly.
Disaster Recovery Team
The plan should also include the responsibility of team members from each department or functional area. The team must be identified related to physical or cloud facility, data backups, service and data restore and other important aspects.
An organization structure must be prepare that will immediately become in action once the disaster occurs. Therefor the organization chart must also be part of the DRP which will functional once the plan is activated.
Teams have certain set of responsibilities and the task to perform under supervision of team Manager. If manager is not available substitute must also be mentioned. In fact backup team member should must be there.
Management Pre Approval
Plan will have components that must be organized as mentioned above. Management team must prioritize the procedure finally an approval has to be taken.
Test the plan
Now once the Disaster Recovery Plan is developed, it is time to test it, to ensure the effectiveness. We are not preparing the plan for the sake of documentation, but for the reason that we will execute it in the event of disaster. To ensure its effectiveness, we must activate the plan for the purpose of testing.
Testing will help to understand the deficiencies and gaps. An outcome of the this test has to be documented and as a result we will do a gap analysis which will be resolved before the next test or the actual disaster. This might include upgrade of hardware, training of staff or any aspect.
Formal Approval of Plan
Once DRP is developed and tested now the final approval has to be taken from the Top Management.
How to Write a Disaster Recovery Plan
Now you know what should be considered before writing the Disaster Recovery Plan. It must be noted that Disaster Recovery Plan should have simple English and there should be no vague words so that everyone understands. There is no standard template for any Disaster Recovery Plan. Every Business is different and every business runs differently. However I am Sharing a basic template that can be used to start writing your own disaster recovery plan.
Disaster Recovery Plan Template
When you type the DRP you must ensure that whoever is implementing it he should be able to understand. Use short and direct and simple sentences. Use section and subsections to navigate. Don’t mix multiple ideas, use active voice , and finally don’t use jargons.
Below structure will be useful to write your plan;
It should be an executive summary, which should mention the why we have this plan. This must include one sentesnse about the following;
- Why we should have plan For example business relies on Information Technology infrastructure and services therefore the plan is made to ensure that in case of disaster business can continue.
- Critical System of the Business
- Location of Data Center and DR Site
- Who is custodian of this Plan
- How often the plan is executed to test.
- Where the hard copy is available.
Which Critical Systems will be recovered when this plan is activated. This could include all the crucial systems that company or organization has. This can also cover any IT related disaster and its response details. Whether hot-site, warm-site, cold-site or any other service is taken that must be mentioned in this section.
List all the assumptions, which might tell when an incident has to be considered as disaster and what appropriate priority has to be given. What has to be safeguarded during disaster should also be mentioned. What is expected from the execution of this plan should me listed.
Companies might use some acronyms or terms, which might look vague or unknown. Therefore in this section all the terms should be defined that might be used during disaster. For example DR Site which must be defined as Disaster Recovery Site Located at x location.
5. Team Members & Contact Information
In this section all the teams should be mentioned separately and there contact information. The team manager and this team. The list should tell who is the person, what will be his/her role and his/her location then include contact number and email. And whatever latest means of communication we have including WhatsApp etc. It is recommended to use Positions instead as people might enter or leave the company. However if names are used then Plan must be updated once any employee leaves or enters.
6. Disaster preparedness
To ensure that all the critical hardware, software and data can be returned to the normal state. This section must include address the backup and storage policies as well as documentation related to hardware configuration, applications, operation systems, support packages and operating procedures.
Subsections of each Hardware type, Software type , Application type and so on must be created in this section. An example is mentioned in recovery strategy.
This section must also include the location of all the users manuals for hardware, application, software etc.
7. Disaster Recovery Process and Procedure
In the event of disaster there can be various responses depending upon the severity of disaster. Depending upon the size of the disaster emergency response procedure must be defined. This section might include sub section as the follwoing;
- Emergency Response
- Incident Command Team there routine and responsibilities
- Disaster Recovery Team based on the components mentioned in section 6 each type of recovery should have procedure defined and that section, and who will executive that has to be defined in this section.
- Procedure for recovering, restoring and rebuilding the
- People Recovery Procedure
8. Network & Telecom Recovery Guidelines
Depending upon the type of disaster, Network and Telecom might get disrupted, for example earthquake might effect the local telecom company also. In case of earthquake building and facility might be protected with earthquake magnitude but fiber connection outside the building or v-sat on tope of building might get effected. So recovery procedure for such components must be defined.
Writing a Comprehensive Disaster Recovery Plan
Above template and plan was totally related to the data processing systems or enterprise systems, which are the IT systems. However, disaster recovery is a concern of the entire organization. To develop a comprehensive and effective plan, all functional divisions should be involved, where critical needs has to be identified. Let us see how this can be done;
Identify Critical Needs
To determine the critical needs of the organization, each department should document all the functions performed within that department. An analysis over a period of two weeks to one month can indicate the principle functions performed inside and outside the department, and assist in identifying the necessary data requirements for the department to conduct its daily operations satisfactorily. Some of the diagnostic questions that can be asked include:
- Without the systems, how long Company or Department can work?
- What are the most critical functions, processes, and assets?
- What staffing, equipment, forms and supplies would be necessary to perform the high priority tasks?
- How would the critical equipment, forms and supplies be replaced in a disaster situation?
- Does any of the above information require long lead times for replacement?
- What reference manuals and operating procedure manuals are used in the department? How would these be replaced in the event of a disaster?
- Should any forms, supplies, equipment, procedure manuals or reference manuals from the department be stored in an off-site location?
- Identify the storage and security of original documents. How would this information be replaced in the event of a disaster? Should any of this information be in a more protected location?
- What are the current microcomputer backup procedures? Have the backups been restored? Should any critical backup copies be stored off-site?
- What would the temporary operating procedures be in the event of a disaster?
- How would other departments be affected by an interruption in the department?
- What effect would a disaster at the main computer have on the department?
- What outside services/vendors are relied on for normal operation?
- Would a disaster in the department jeopardize any legal requirements for reporting?
- Are job descriptions available and current for the department?
- Are department personnel cross-trained?
- 1Who would be responsible for maintaining the department’s contingency plan?
- Are there other concerns related to planning for disaster recovery?
The critical needs can be obtained in a consistent manner by using a User Department Questionnaire. As illustrated, the questionnaire focuses on documenting critical activities in each department and identifying related minimum requirements for staff, equipment, forms, supplies, documentation, facilities and other resources.
Once the critical needs have been documented, management can set priorities within departments for the overall recovery of the organization. Activities of each department could be given priorities in the following manner
- Essential activities – A disruption in service exceeding one day would jeopardize seriously the operation of the organization.
- Recommended activities – a disruption of service exceeding one week would jeopardize seriously the operation of the organization.
- Nonessential activities – This information would be convenient to have but would not detract seriously from the operating capabilities if it were missing.
For how Long we should keep records?
A systematic approach to records management is an important part of a comprehensive disaster recovery plan. Additional benefits include:
- Reduced storage costs.
- Expedited customer service.
- Federal and state regulatory compliance.
Records are not only retained as proof of financial transactions, but also to verify compliance with legal and regulatory requirements. In addition, businesses must satisfy retention requirements as an organization and employer. These records are used for independent examination and verification of sound business practices. Federal and State requirements for records retention must be analyzed by each organization individually. Each organization should have its legal counsel approve its own retention schedule.
As well as retaining records, the organization should be aware of the specific record salvage techniques and procedures to follow for different types of media. Potential types of media include:
Other Techniques to Gather Data
Other information that can be compiled by using preformatted data gathering forms include:
- Equipment Inventory to document all critical equipment required by the organization. If the recovery lead time is longer than acceptable, a backup alternative should be considered.
- Master vendor List to identify vendors that provide critical goods and services.
- Office Supply Inventory to record the critical office supply inventory to facilitate replacement. If an item has a longer lead time than is acceptable, a larger quantity should be stored off-site.
- Forms Inventory Listing to document all forms used by the organization to facilitate replacement. This list should include computer forms and non-computer forms.
- Documentation Inventory Listing to record inventory of critical documentation manuals and materials. It is important to determine whether backup copies of the critical documentation are available. They may be stored on disk, obtained from branch offices, available from outside sources, vendors and other sources.
- Critical Telephone Numbers to list critical telephone numbers, contact names, and specific services for organizations and vendors important in the recovery process.
- Notification Checklist to document responsibilities for notifying personnel, vendors and other parties. Each team should be assigned specific parties to contact.
- Master Call List to document employee telephone numbers.
- Backup Position Listing to identify backup employees for each critical position within the organization. Certain key personnel may not be available in a disaster situation; therefore, backups for each critical position should be identified.
- Specifications for Off-Site Location to document the desired/required specifications of a possible alternative site for each existing location.
- Off-Site Storage Location Inventory to document all materials stored off-site.
- Hardware and Software Inventory Listing to document the inventory of hardware and software.
- Telephone Inventory Listing to document existing telephone systems used by the organization.
- Insurance Policies Listing to document insurance policies in force.
- Communications Inventory Listing to document all components of the communications network.
There are several PC-based disaster recovery planning systems that can be used to facilitate the data gathering process and to develop the plan. Typically, these systems emphasize either a database application or a word processing application. The most comprehensive systems use a combination of integrated applications.
Some PC-based systems include a sample plan that can be tailored to the unique requirements of each organization. Other materials can include instructions which address the disaster recovery related issues that the organization must consider during the planning process such as disaster prevention, insurance analysis, record retention and backup strategies. Specialized consulting may also be available with the system to provide on-site installation, training and consulting on various disaster recovery planning issues.
The benefits of using a PC-based system for developing a disaster recovery plan include:
- A systematic approach to the planning process.
- Pre-designed methodologies.
- An effective method for maintenance.
- A significant reduction in time and effort in the planning and development process.
- A proven technique.
Recently, other PC-based tools have been developed to assist with the process, including disaster recovery planning tutorial systems and software to facilitate the testing process.
If we look at the statistics of data recovery in gernal, we can find that;
- Only 15% of midrange data centers would be able to recover more than 30% of their applications in any time frame.
- Just 3.8% could recover their applications within the same day.
- Only 2.5% could recover within four hours
Disaster recovery plan for an organization
If you are looking for disaster recovery plan for an organization. I am professional with Industry experience for past 25 years. I write and audit plans professionally. You can contact me here.