Expect the unexpected: How to create a disaster recovery plan
Tornado. Fire. A malicious cyberattack. What will your organization do if and when the unexpected happens? If you have completed planning for disaster recovery, when was the last time you revisited it? The COVID-19 pandemic, for many, was a test of disaster preparedness and a reminder that planning for the worst can help your company do its best.

Disaster recovery is the planning and documentation done in advance to help your organization survive and recover in case of a catastrophe. The disruption could be a natural disaster, accidental data loss, or an attempt to disrupt your network, among others. These interruptions can lead to revenue losses, damage to your brand and reputation, and potentially, the loss of customers. The longer your recovery time, the greater the impact on your organization.

A comprehensive disaster recovery plan should allow you to expand your recovery capability and improve your resilience. Having a plan enables you to focus, prioritize assets, and determine the best approach to recover normal operations.

Why do you need a disaster recovery plan?

Every organization must be prepared to weather worst-case scenario events. You might already have a business continuity plan, but it’s worthwhile to note that this is not the same as a disaster recovery plan. Business continuity focuses on keeping your business operational during a disaster, while disaster recovery focuses on restoring data access and IT infrastructure after a disaster.

Ensuring that you have an effective disaster recovery plan can reduce the magnitude of damage to your organization and keep the business running. With careful planning, you can document your organization’s key assets and create a plan to recover them.

Key steps to creating a disaster recovery plan

The following list can help you document and think through your organization’s approach to a disaster situation. Once you compile the information, store the document in a safe, accessible location off-site.
If you have an existing disaster recovery plan, have you updated it recently? When disaster strikes, having an outdated plan can leave you scrambling. It’s important to view your disaster recovery plan as a constant work in progress.

1. Define your key assets

For many organizations, the most important digital assets include the enterprise resource planning (ERP) system, product plans, and marketing plans. Prioritize your assets into three categories: business-critical, important, and non-critical. Categorizing your assets helps your organization understand its needs during recovery from a disaster. The focus should be on recovering the most vital systems first.

2. Decide on a recovery window

Based on your asset prioritization, determine the duration of your Maximum Tolerable Downtime (MTD). Business unit owners should identify the Recovery Time Objective (RTO); this is usually one segment of the MTD. Business-critical assets are the most immediate focus during a recovery effort. Your recovery window should identify the MTD (in hours) that your business can tolerate without access to its most important information.

3. Define a recovery solution

There are many options available for backing up your data, from tape backups to disk backup and cloud storage. In case of a disaster, your organization would need to utilize remote storage so that your data is safe and accessible, even if the primary location is destroyed. In addition, all recovery plans and system build notes should be kept offsite.

4. Draft a disaster recovery plan

A disaster recovery document is not a fixed document. It should be flexible to ensure asset retrieval regardless of the disaster. Your plan should contain enough detail that someone with technical understanding but no knowledge of your enterprise structure can follow it.

5. Test the plan

Testing your disaster recovery plan is a critical part of preparation and the only way to ensure viability.
There are different stages of testing:

Paper test: Individuals read and annotate recovery plans
Walkthrough test: Groups walk through plans to identify issues and changes
Simulation: Groups go through a simulated disaster to identify whether emergency response plans are adequate
Parallel test: Recovery systems are set up and tested to determine if they can perform actual business transactions to support key processes; primary systems still carry the full production workload
Cutover test: Recovery systems are set up to assume full production workload, temporarily disconnecting primary systems

6. Schedule edits and follow up regularly

Operations and data change constantly. It isn’t enough to rely on a single test of your disaster recovery plan to ensure success when a disaster occurs. Document restoration and testing procedures and run the tests on a regular basis. The frequency of your testing depends on your evaluation of the rate of change in your systems, but tests should run at least every 12 months.

7. Maintain your plan

Technology and business-critical applications change. Disaster recovery plans should be reviewed quarterly at a minimum to make improvements and changes to ensure critical business system recovery.

Next steps for your disaster recovery efforts

Work with your organization’s process owners to gather the details needed to make a complete disaster recovery plan. You might find it worthwhile to partner with a consultant like Fusion Alliance to guide you through the process and incorporate this plan into your wider technology strategy, thinking through business processes and needs.

For more information about disaster recovery planning and our services, drop us a line. We would love to talk about your organization’s needs.