I remember when I had to write my first disaster recovery plan. It was for a small business, and it was an intimidating task. I spent hours researching "What is a disaster recovery plan?" and speaking to the company's IT and human resources teams.
Based on what I learned in my research, in this article, I explain the differences between a disaster recovery plan (DRP) and a business continuity plan (BCP), then I break disaster plans down into several easy-to-follow steps so you can create your business's disaster plan.
Due to the complexity of disaster planning, our advice is for small and midsize businesses only. If you work for a big business that has a lot of moving parts, we recommend contacting a disaster recovery specialist.
Disaster recovery plans: Because man-made and natural disasters happen
Your boss tasked you with writing a disaster recovery plan. Why should you care (aside from wanting to keep your job)? Why is a disaster recovery plan important?
Disasters can't always be avoided, but you can prepare for them. It's important to have a disaster recovery plan and/or business continuity plan in place. These plans help recover what is lost, whether it is data from a cloud data center, physical property (e.g., office space in a hurricane) or something else.
What is a business continuity plan/disaster recovery plan, and why is it important?
While there are differences between a BCP and DRP, some companies merge them into one plan.
"A business continuity plan is a defined, documented strategy designed to help business owners and their employees prepare for any event that may disrupt business operations, including natural disasters, single-building fires or floods, supplier outages and more," said Mick Whittemore, vice president of IT enterprise operations at Paychex.
Conversely, a DRP, sometimes referred to as a disaster recovery policy, describes how to resume business operations quickly, and is typically applied to details-level planning of an organization's IT infrastructure and applications.
The DRP should allow IT to recover enough data and system functionality to operate the business, according to Whittemore. [Interested in hard drive recovery services? Check out our best picks on our sister site, business.com.]
With your business's DRP, there are four approaches or strategies available to you:
- Data center disaster recovery – With this approach, your business's data is stored onsite. Your DRP should specify what the critical assets are and ensure there are redundancies in place (e.g., generators) to protect your company's data.
- Cloud-based disaster recovery – With this approach, your company's data is stored offsite where it is not vulnerable to damage or loss.
- Virtualization disaster recovery – Virtualization creates a virtual version of IT resources (e.g., your servers, applications and networks), which are stored with a host. Virtualization cuts the time in performing a full restoration of your system. In the event of a fire, for example, you don't need to reconstruct a server.
- Disaster recovery as a service – With this approach, providers can host and run a secondary hot site for your data. In addition, they can rebuild and ship servers to your business.
To ensure your business can continue operating after a disaster, you need both a BCP and a DRP.
"With the proper planning, the loss can be a bit less devastating, and in some cases, you could even prevent certain damaging situations from happening," said Jay Shelton, senior vice president of executive risk at Assurance. "A disaster restoration and business continuity plan can significantly reduce the effects of a loss."
What's included in a company disaster recovery plan: Key elements
According to Shelton, a good DRP covers the following elements: a planning team, goals, capabilities and hazards, action plans, written documentation, and staff training.
We break it down further with regard to each of Shelton's elements.
A planning team: Establish a planning team of employees or volunteers who are responsible for the development of the emergency maintenance plan.
A leadership execution team: Throughout your plan, specify who is responsible for executing the plan, and assign a lead. In some cases, the entire company will be responsible, but to keep execution organized, always have a disaster recovery plan lead.
Goals and objectives: Identify goals and objectives for what your plan is going to accomplish. Establish answers to questions like, "Where do we relocate?" and "Whom should I partner with?" Your primary goal should be to resolve the issue.
Capabilities and hazards: Gather information about current capabilities and possible hazards and emergencies. Consider what the worst-case scenario would be. Also consider something most businesses don't think about – the recovery point objective, or RPO. RPO is the age of the files that need to be recovered from backup storage so can continue as usual. The age of your files will affect your data backup strategy. Due to the complexity of this subject, consult an IT expert for assistance.
Action plans: Each type of possible disaster (fire, flood, earthquake, etc.) should have its own action plan. Each action plan should list the procedures to be followed. In addition to an action plan, it's important to have a long-term recovery plan in place.
Written documentation: Include backup protocols and systems to ensure everyone on your team knows what needs to be done and can follow the outlined plan. Specify the following so your plan is simple and easy to follow:
- Who are the team members responsible?
- What is the specific type of threat?
- What is the likelihood of it happening?
- What impact would it have on the business?
- What are the recovery objectives?
- What are the required response steps?
- What recovery and repair might be required?
- What follow-up is required?
Employee training: All staff members, from management to maintenance, should understand your company disaster recovery plan. Integrate plans into company operations and employee trainings.
Testing and re-evaluation: Your disaster recovery plan is not complete after you create this initial plan. Testing and re-evaluation are critical parts of the plan. See where there is room for improvement, then evaluate different plans of action to ensure disasters are handled in the best ways possible.
How and when should employees be trained?
Employee knowledge is integral in creating a BCP and DRP.
"Employees need to be informed about their roles and responsibilities in support of any recovery effort," said Whittemore. "They should be trained when the BCP is first developed and then refreshed every year as the document is updated."
While existing employees benefit from training at the time the plan is created, incoming employees need to be informed about the process.
"Employees should be trained on the plans once they arrive at the company," said Bradley. "Many companies use simulation exercises or drills to implement parts of the plan to ensure critical infrastructure is working."
Bradley added that using e-learning to introduce your DRP is fine, but the best practice is to simulate the plan at least once a year.