Disasters happen. They impact individuals and businesses and may include natural disasters like hurricanes and earthquakes, local disasters like citywide power outages, and localized disasters like human error, hardware failure, fires, and burst pipes — just to name a few. Each type of disaster poses unique challenges and risks to your organization and its data. A Disaster Recovery Plan, or DRP, is how businesses can prepare for disasters in order to mitigate damage and quickly move from disaster to recovery.
A disaster recovery plan should be architected to address disasters which have the potential to affect your business in a single location or across your entire business. Whether your company is prepared to withstand heavy snows, seasonal storm damage, or even cyber attacks, every DRP starts and ends with a checklist. When disaster strikes, the red folder comes out and recovery becomes a straightforward matter of completing the DRP checklist from beginning to end.
After creating a disaster recovery checklist, you can handle any potential business disaster using the same method. Let’s dive into the nine points of a strong disaster recovery plan checklist.
After creating a disaster recovery checklist, you can handle any potential business disaster using the same method.
The Three Example Model
In this checklist, we’ll use three running examples to highlight how disaster recovery planning can be used to prepare for three different types of incidents.
- Heavy storms and a power outage (natural disaster)
- A burst pipe floods the building (site disaster)
- Ransomware lock-out cybersecurity attack (cyber attack)
Each disaster poses unique risks to the business that can be prepared for, mitigated, and quickly handled with a DRP in place.
1. Define DRP Goals
The first step is to define your DRP goals. When disaster strikes, what does your recovery plan need to achieve? What does successful recovery look like in the given eventuality?
Your first goal should always be safety. First of your employees and customers, then of your data. While we write this as a data-recovery company, the number one most important thing to preserve is human life and safety.
Common DRP goals also naturally include minimizing the risk posed by each type of disaster, the ability to resume business operations as quickly as possible, and maintaining industry compliance. Depending on the nature of your business, you may also need to consider how a disaster might impact the concerns of your investors and company owners.
For most businesses, DRP goals include:
- Protecting employees and impacted customers from harm
- Protecting data from exposure or destruction
- Maintaining industry compliance standards, even in extreme circumstances
- Restoring operations as quickly as possible
- Restoring building damage
- Protecting the interests of investors
The Running Examples
You will likely also define specific DRP goals that may be unique to the situation. Our running examples give a good perspective on how your DRP goals may change from one disaster scenario to the next.
1. Preparing for heavy storms, your DRP goals will first be:
- Enable employees to get home safe
- Protect business infrastructure from power cycle damage
- Restore operations with or without utility-provided power
2. If the building floods from a burst pipe, your DRP goals will be:
- Protect equipment from water damage
- Stop the flow of water immediately
- Restore operations in an alternate location
- Complete water damage restoration and plumbing repairs as quickly as possible
3. If the company is locked-out in a ransomware attack, your DRP goals will be:
- Prevent data theft and exposure blackmail
- Wipe impacted system(s) or procure clean systems to purge malware and backdoors
- Restore access to locked files
- Resume operations
2. Conduct a Business Impact Analysis to Evaluate Possible Disasters
The next step is to determine the types of disasters that can impact your business, and the potential impacts they may have. Convene a team to determine the different disaster scenarios within the realm of possibility and build a DRP “red folder” for each one. Then complete a business impact and risk assessment analysis for each disaster to determine both the type of impact and extent of impact each disaster would cause.
To use the United States as an example, in northern regions, heavy snows are a risk. Out West, earthquakes and wildfires are a serious consideration. In most of the country extreme weather events are estimated to increase by 37% between 2022 and 2025, with tornadoes becoming more common outside of “tornado alley” and hurricane landfall frequency increasing.
Seasonal weather events are occurring more regularly and with less predictability. Some regions have heavy rains that can become floods, while desert regions are more prone to flash floods when rains do occur.
Densely populated regions and regions with intense weather are more likely to see widespread power outages, and any business location might be subject to either internet outages or cyber attacks. All of that needs to be understood and accounted for (either by risk mitigation, displacement or acceptance) in your DRP.
3. Set Your RTO (Recovery Time Objective) and RPO (Recovery Point Objective)
In every disaster recovery plan, there are two important factors that will help guide your recovery standards. These are your RTO (recovery time objective) and RPO (recovery point objective). Each stands as a measure of your recovery tolerance and the success of a DRP implementation.
What is RTO?
Your recovery time objective, or RTO, defines how quickly you need to transition from disaster to fully-recovered. Using our running examples, this might include how quickly you can get the lights back on and repair storm damage to the building. In a flood situation, your RTO would count down to the completion of water damage restoration, equipment/data recovery, and plumbing repairs so that business-as-usual returns to the facility. In a cybersecurity attack, RTO is the time from the ransomware lockout to when your files are restored and the team is back to work.
Interestingly, RTO is not the same as your time to business continuity. A strong business continuity plan may have your team working from home on cloud servers before the office is fully repaired and normal business operations are restored.
What is RPO?
RPO is the point at which your recovery standards are met. In terms of data restoration, this would be the age of your most recent backup or “recovery point.” In terms of building repairs, however, this might mean that you are able to reopen the offices, even if some damage is still being repaired in other parts of the building.
RTO and RPO help you to define the success standards of a recovery plan and also identify the transition from emergency recovery to operational recovery – allowing for a difference between the two.
4. Confirm Roles and Responsibilities
Next, identify and document the key roles and responsibilities in the event of a disaster. This defines both the people ready to implement the DRP and the essential teams they are facilitating when the goal is to resume operations.
In any disaster, you have two teams of mission-critical personnel. One team to help get back online as quickly as possible to maintain your business continuity. The other team are those who are essential to implementing your DRP to begin the post-disaster recovery process immediately.
Create a list of essential team members and their roles in each type of disaster you are planning for.
Important note with regard to criticality: there may be sensitivities around the labeling of “critical” vs. “non-critical” personnel. This label is not a reflection on their importance to continued success of the business but rather to continued continuity in the short-term until “normalcy” is re-established.
Then identify the key responsibilities that each critical person holds. On one end, you will need a team of highly capable facilitators who will be on the phone with recovery services like repair teams and local services to handle the physical realities of disaster recovery. These are the people calling for water damage restoration services, arranging for the restoration of data from backups, and booking the snow plow.
On the other end, you may need to get your remote-ready teams back operating using cloud servers, restore customer service availability to reassure customers about a temporary outage, or have a team ready to run operations from a temporary location to avoid an interruption of services.
5. Outline Critical Equipment, Business Processes and Data
Define the critical elements of your business that must be closely protected and quickly restored after a disaster occurs. Determine the critical equipment, business processes, and secure data that you need to get operations back online, and just how vital the restoration of each of these key elements may be. Be ruthless in this process. There are almost certainly systems that everyone loves and relies upon which should not be on this list. Your chat emojis are not more important than payroll.
Examine the potential impacts when your critical equipment, processes, or data is unavailable, and the increasing impact as these elements remain unavailable over time. This could mean lost revenue from business opportunities, lost clients who require uninterrupted service, loss of customer trust, or even massive loss of product inventory due to interrupted manufacturing processes or transport disruptions. Determine and catalog the location of sensitive data and the impact of potential data loss or exposure.
This analysis allows you to prioritize critical restorations as essential vs semi-essential, and establish the correct order of urgency when implementing your restoration goals.
6. Create Procedures and Recovery Processes
Now, with your disasters, essential people, and critical restoration priorities in place, you are ready to start building your DRP.
The primary goals of any DRP are prevention and mitigation. Because most modern businesses run primarily on computer systems and data, system backups are an essential first step. Regular backups allow you to meet defined RPOs and protect against data loss when a site-disaster impacts your local servers or endpoints. Cloud-based operations also make it possible to quickly restore operations in a temporary office location or through team members working remotely using the 3-2-1 backup redundancy method.
By establishing and documenting your recovery process you will build resiliency against damage caused by disasters. Let’s go back to our examples.
Storm Damage with Power Outage
- Storm windows and building maintenance prevent extensive location damage
- Surge-protected outlets and power strips prevent equipment damage from an unreliable grid
- UPS (uninterruptible power sources) can prevent power flickers for short outages, while a backup generator can provide quick recovery from long power outages
- Data backups ensure that very little is lost if your servers go offline in a power outage
Burst Pipe and Flooding Damage
- Plumbing maintenance and replacing old plumbing can reduce risk
- Keeping equipment on raised platforms minimizes damage if the floors flood
- Storing essential data on remote servers protects from local fire and flood damage from any source
- Having a reliable restoration team on-call ensures your office is restored as quickly as possible
- Data backups ensure that very little is lost due to water damage
- Advanced cybersecurity and live monitoring reduces the risk and maintains compliance
- Having both your data and full system settings backed up allows for a full recovery after a malware infection
- End-to-end encryption can protect you from data-exposure blackmail
- Cybersecurity insurance covers any costs incurred by a hacker or malware attack
7. Establish Disaster Recovery Sites (Physical and Virtual)
What happens if a disaster renders your usual work location unavailable? One of the essential elements of disaster recovery planning is assuming that disasters can be intense enough to put your usual office or workspace out of commission for a few days, weeks, or even months. Whether you are dealing with massive local storms, on-site flood or fire damage or a global pandemic, your team will need an alternate place to work that meets your needs.
This is why the next step is to establish your disaster recovery sites. If you plan to set up an alternate office, get in touch with local commercial building owners that have space you can rent temporarily while your home office is being restored. We advise having more than one alternate disaster recovery site, just in case your first pick is also affected by a local disaster or becomes unavailable. If your region is prone to extreme weather and evacuation conditions, have a string of disaster recovery sites planned progressively further away from the potential epicenter.
You can also plan virtual disaster recovery sites. For example, if you plan to transition your teams to work remotely while the office is down, make sure that meeting and collaboration platforms are already in place. Ensure secure and compliant access to cloud-stored company data and ensure everyone is prepared to handle this type of transition smoothly.
8. Produce a Communication Plan
When disaster strikes, who makes the calls to get the recovery plan in motion? How do you reach out to teams to let them know the new procedures, and how will you communicate the situation to your clients, customers and other external stakeholders? Answering these questions will build your communication plan.
A communication plan accounts for both internal and external communications addressed to employees, customers, vendors, business partners, and anyone else who may be impacted by your company’s disaster-impacted availability and your recovery process.
9. Test Your Plan
Finally, it’s time to put each DRP through its paces. Before you rely on a disaster recovery plan in a moment of crisis, you want to know that it can be implemented successfully as written. Do this for your tech stack, personnel, organization, and operations.
Test your data and system backup restoration process to ensure your most recent backups are in good condition and, if you had to rebuild everything, that your backups can effectively get your business back online within your defined RTO.
Run response drills with the teams you have chosen for emergency building response. Make sure your snow plow service knows how to get to your property and where the curbs are before several feet of masking snowfall. Switch off the power over a weekend (right after a backup) to ensure that your power supplies, surge protectors, and/or backup generator are operating as intended.
If you need to establish emergency operational procedures, run your teams through the necessary drills. If you plan to rely on temporary remote work, create events that allow you to test remote operations with employees working at home or from a temporary office location.
Then test and update your plan periodically in order to account for changes that might occur to your tech stack, personnel, organization, or operations since the original DRP was built.
10. Accept the Unexpected
Ok, we realize that we said this was a 9 point checklist but this one is very important and doesn’t ~really~ require an action.
An important part of creating a DRP is to accept that you cannot control everything! No plan is perfect. Things will happen and your plan is a good and agreed upon starting point. Trying to control for every single eventuality not only isn’t possible but also isn’t financially responsible. For instance, BCDR plans were tasked with accommodating for a global pandemic beginning in early 2020. Most were able to adapt though very few were designed specifically for that eventuality. A good plan lays out a strong framework and then can be applied to a variety of circumstances. The tools we outlined here are an excellent starting point.
Prepare with CrashPlan
Building a comprehensive disaster recovery plan for your business begins with completing an analysis-driven checklist. Determine your risks, assess how to mitigate them, and decide upon the best path to facilitate a recovery from any disaster that could reasonably occur based on your location, operations, and business model.
CrashPlan is uniquely positioned to help you prepare your business for remote work and hybrid disaster recovery solutions through cloud resources and expert backup management. Explore a free trial or contact us today.