A disaster recovery plan, often part of a larger business continuity plan, is critical for all businesses that largely depend on technology and automated processes. A disruption from a man-made or natural disaster can create not only financial loss, but can threaten the very existence of the business. Businesses must depend on their leadership to recognize the potential for such disasters and to create a written and well publicized disaster recovery plan to minimize disruptions of critical business functions and enhance the capability of the business to recover operations quickly and successfully.
The disaster recovery plan must be a comprehensive statement of consistent and rehearsed actions to be taken before, during and after a disaster. Disaster recovery planning involves much more than simple off-site data storage or frequent server backups. The written, comprehensive disaster recovery plan must address all the critical operations and functions of the business. The plan should also include documented and tested procedures, which, if followed, will ensure the ongoing viability of critical resources and continuity of operations.
The potential of a business disaster is based on many factors including tornados, building fires, snow, flooding to the rarer, yet more severe and often longer lasting disruptions that can occur in transport, strikes, terrorist attacks, sabotage or even severe loss of staff due to illness like a pandemic flu.
Disaster plans have been likened to a form of business liability insurance: it provides a certain level of comfort in knowing that if a major catastrophe occurs, it will not result in financial disaster. Insurance alone is not adequate because it may not compensate for the incalculable loss of business during the interruption or the business that never returns. Thus, organizations should include in their disaster recovery plans contingencies for how they will cope with the sudden and/or unexpected loss of key personnel, as well as how to recover their data, infrastructure and assets.
Preparation of a disaster recovery plan is generally considered a ten-step process:
1. Obtaining Top Management Commitment – Management is responsible for coordinating the disaster recovery plan and ensuring its effectiveness within the organization.
2. Establishing a Planning Committee – A planning committee is appointed to oversee the development and implementation of the plan.
3. Performing a Risk Assessment – The planning committee prepares a risk analysis that includes a range of possible disasters, including natural, technical and human threats.
4. Establishing Priorities for Processing and Operations – Determining the critical needs of each department within the organization is evaluated in order to prioritize them.
5. Establish Recovery Strategies – During this phase, the most practical alternatives for processing in case of a disaster are researched and evaluated. All aspects of the organization are considered.
6. Collecting Data – In this phase, data collection takes place. Among the recommended data gathering materials and documentation often included are, critical telephone numbers list, master call list, master vendor list, inventories insurance policies, workgroup and data center computer hardware, and software, off-site storage location equipment, telephones, etc.
7. Organizing and Documenting a Written Plan – Write an outline of the plan’s contents is prepared to guide the development of the detailed procedures. Top management reviews and approves the proposed plan.
8. Developing Testing Criteria and Procedures – Disaster recovery plan be thoroughly tested and evaluated on a regular basis (at least annually).
9. Testing the Plan – After testing procedures have been completed, test exercises should be performed.
10. Management Plan Approval – Once the disaster recovery plan has been written and tested, the plan is then submitted to management for approval.
Disaster recovery plans should be well practiced so all staff is familiar with the specific actions they will need to take should a potential disaster occur. Disaster recovery plans should be looked at as living documents adaptable and routinely updated.
The preparation of disaster recovery plans often gives management the chance to gain a better understanding of the inner workings of their business and ultimately helps an organization identify ways to strengthen any business weaknesses. Often one of the biggest benefits of a disaster recovery plan is the awareness that management gains regarding the details of his/her business and not necessarily the streamlining of how to handle disaster as an organization.
The choice of whether a business has or does not have a disaster recovery plan is up to management. Many businesses have lulled themselves into a false sense of security that a disaster can’t happen to them. When the inevitable small or large disaster does strike a viable disaster recovery plan can make the critical difference between businesses that can successfully manage crises with minimal cost and effort and maximum speed, and those that are left picking up the pieces for untold lengths of time and with huge costs that businesses are forced to pay out of desperation.
For more information on disaster planning, please contact INTEGRITY Security Consulting & Investigations.
Steve Alpert | Senior Consultant