Disaster Recovery Planning: Steps to Protecting Your Organization

MANAGEMENT

Disasters come in many shapes and sizes. Natural disasters are certainly cause for concern, but chances are that disruptions to your organization are more likely to involve application, communication or hardware failures. Properly planning for such unexpected events will not only help you respond effectively; it will also save you a significant amount of money.

What is a disaster recovery plan (DRP)?

The cost structure of potential downtime will dictate many of the specific components of the DRP and where emphasis needs to be placed. Typically, a reasonable DRP will include the following:

• formal documented sets of steps, lists and instructions needed to return to normal business operations
• instructions of a precautionary nature as well as prescribed reactions for recovery
• list of assets, key applications and data
• important details, such as locations and other relevant information
• contact information for all relevant personnel (both internal and external) and key third-party resources

The business cost of downtime

Understanding the cost incurred by the organization when systems go down is crucial to the concept of disaster recovery planning. Building an effective DRP will ultimately involve cost trade-offs, so it is imperative that one understands the dollar impact of specific system downtime and loss scenarios. These costs will vary greatly between businesses of different sizes, industry types and technological complexities. In a recent study, Gartner determined that costs exceeding US$5,600 per minute are possible. When determining these costs (beyond the traditional downtime costs), be sure to consider the following:

• payroll costs of idle employees
• overtime after recovery to get business back on track
• lost revenue that cannot be recouped
• lost customer trust

Preparing the DRP

The purpose of a detailed DRP is to bring consistency and predictability to unplanned shocks to the business system. The following is an outline of the steps required to develop your first DRP:

1. Review the current environment – The first step is to generate a comprehensive list of all IT equipment. Be sure to list all PCs, servers, network gear and storage solutions. Also include the location, configuration and device model details.
2. Prioritize systems, applications and data – Similar to the work above, document all applications, systems and data repositories present. These items need to be prioritized and the potential impacts of loss recorded. Be sure to record all applications in use (even the simple ones), enlisting the help of representatives from different departments. Having a comprehensive and prioritized list is essential.
3. Conduct a risk assessment – For each item in the above lists of assets and applications, review and document any risks associated with each. Consider everything from simple power outages through to full-scale natural disasters. Once your list is complete, add the perceived probability of each scenario along with its potential impact. With the complete picture of impacts and probabilities, you can determine the level of intervention required for each combination. This will also highlight the areas that are low impact and less probable. Obviously, less effort (and budget) can be directed toward those areas.
4. Create a matrix for the recovery objectives – This is where the real work comes in. Utilizing the work above, create a matrix outlining the recovery steps and procedures. As part of this effort, consider the amount of downtime that each component can realistically absorb. This is where you balance the need to minimize recovery costs against ensuring valuable assets and data are recovered effectively. In building the recovery steps, consider if there are any special tools or techniques required, and whether they are currently in place. This matrix will form the executional part of the plan if it ever needs to be put into action.
5. Communicate the plan – A DRP is not much use if all those involved are not aware of it. Ensure you have buy-in from all the necessary stakeholders so that unexpected barriers are not encountered upon the plan’s execution. Distribute the plan widely but ensure that you record where it has been distributed so that any updates can also be accurately circulated.

After the plan is ready

A DRP is not a static document. If left unchecked, a DRP will quickly become dated and create a false sense of security. Plan deliberate practices of the recovery procedures to ensure proper understanding and effective execution by all stakeholders. Schedule regular reviews, and update the plan as needed. If gaps are present in the plan, work to fill them as your budget will allow. Your environment will change, sensitivity to downtime will evolve, and new technologies will be released – all of which will impact the accuracy and effectiveness of your plan. For that reason, a DRP requires constant re-evaluation and modification to help ensure its success.