While businesses hope they will never be faced with disasters, it is important to formulate a plan to prepare for the worst. Every company should have a documented disaster recovery plan (DRP), which is a process or procedure to recover its IT infrastructure in the event of a disaster.
When creating DRPs, it is important for companies not to overlook essential business continuity aspects that go along with them. Let’s take a look at the relationship between disaster recovery and business continuity, and walk through the essential elements to include in a DRP.
The Key to a Successful Disaster Recovery Plan: Business Continuity
Business continuity refers to any plans, processes or other activities designed to ensure a company’s critical business processes will continue to operate or return to operation quickly in the event of a disaster. While a disaster recovery plan is typically limited to a company’s IT infrastructure, a business continuity plan covers overall business processes as a whole. It focuses on areas such as communications (with employees, customers, vendors, insurance agencies or other third parties), business functions, and, most importantly, the human elements of the business.
If a regional disaster such as a hurricane or a snowstorm strikes your area and causes damage to your facility, getting your IT systems up and running again is important. But equally important is having the manpower in place to complete your business processes. Getting your business applications working quickly is great, but not if your employees aren’t there to use them. This is why business continuity is so important when it comes to disaster recovery plans.
Disaster Recovery Plan Basics
1. Recovery Time Objectives (RTO)
A comprehensive disaster recovery plan first needs to include an inventory of your IT systems. Conduct a risk analysis of your systems and determine how quickly each system must be restored in order to avoid significant consequences. This is known as recovery time objective (RTO).
2. Classification of Your Systems
Classify these systems into different categories based on their RTO and importance to your business processes. A typical classification list is:
- Business Critical Systems: pieces of your IT infrastructure that are essential to your core business processes and must be recovered within hours
- Important Systems: while not necessarily critical, your business will suffer significantly if these systems are not running within a day or two at most
- Less Critical Systems: these are parts of your infrastructure that, while important, your business can briefly survive without them
The number of categories will differ based on the size and complexity of your IT infrastructure.
3. Recovery Point Objective (RPO)
When conducting your risk analysis, you also need to establish the recovery point objective (RPO) of your systems. This is the maximum period of time where data can be lost from the systems. Essentially, recovery point objective answers the question “When my system is restored how old can that data be?”
4. Backups and Hosting
Your backups and any other components for your DRP will be designed to meet your RTO and RPO. Evaluate where your company’s business critical data and your backups are hosted. Depending on your business’s needs, backup and hosting options include:
- A secondary data center
- Alternate workspace
- Off-site storage of backup media
- Taking advantage of cloud based services
Another key component of a disaster recovery plan is an impact analysis. Develop a list of the potential problems or disasters that could occur and determine:
- The likelihood of each one occurring
- The potential impact of each event
For DRPs, disasters—both natural and man-made—are typically divided into three main categories:
- An isolated disaster such as a fire or flood or system crash that causes you to lose access to your building or a key business system
- A regional event such as a hurricane or major snowstorm that impacts more than just your building
- A human event such as a pandemic that does not necessarily affect the physical IT infrastructure but will prevent employees from working in your building
Each of these disasters should be planned for accordingly. Always keep your recovery time objective and recovery point objective in mind to determine what actions need to be taken in the event of each of these disaster types.
Test and Test Again
Once your disaster recovery plan is in place, make sure to test it thoroughly. Remember that you have to plan for the worst, so you should not be going through the disaster recovery process for the first time when a disaster actually happens. Be sure to test everything: systems, processes and people.
In addition to testing your systems to make sure you meet your recovery time objective and recovery point objective when you failover (move to your backup systems), also be sure test for when you failback (return to your primary systems).
This is where business continuity becomes important. You can test and monitor your IT systems and backups to ensure proper functionality, but what about the human element of your business? If an individual critical to running your business processes is unable to work due to a disaster, is the person charged with replacing him or her able to adequately do so? You must test this to find out.
Communication is Key
One of the most important and often overlooked business continuity elements to consider in your disaster recovery plan is communication. Does your disaster recovery plan determine a response team who will know how and when to begin enacting the plan? Who is in charge of the plan and who will communicate it to the employees? Establishing a clear communication chain is important so all parties involved in the plan can do their part to complete the key processes.
It is also important for business owners and executive staff to be fully aware of the DRP. If important decisions need to be made quickly, the key decision-makers must be easily reachable. For example, if a business critical piece of hardware fails, the person in charge of the plan will need an answer right away to determine if he or she has the authority to purchase a replacement. A strong communication plan is essential to disaster preparedness.
What are your biggest challenges when planning for disaster recovery? Have you ever had to use your DRP while faced with a disaster? If so, what were your experiences like? We’d love to hear from you in the comments below.