Most businesses and organisations rely heavily on IT systems to help deliver their core mission. From logistics to payroll, financial and sales systems, human resources, and don’t forget websites and e-commerce systems. But what happens if something goes wrong? A power outage, flood, or fire? A cyber or ransomware attack? An IT or communications failure? How about a pandemic!
Businesses need a plan in place with disaster recovery services to cover these eventualities, allowing any negative impact to be minimised.
What is a disaster recovery plan?
A disaster recovery (DR) plan is a set of policies and procedures that detail the steps to take in case of an unforeseen ‘disaster’. The objective is to minimise the negative impact to the business, focusing on restoring critical business systems in a timely and cost-effective manner.
A disaster recovery plan (DRP) should comprehensively explain the actions that need to be taken before, during, and after a disaster, including who is responsible for taking those actions and any co-dependencies. The plan should take into account that any disaster may mean that traditional lines of communication and command are disrupted, as well as the possibility that physical resources, such as buildings and equipment, may not be available.
A DR plan is likely to be part of a wider business continuity plan (BCP), which would consider non-IT centric issues, for example the loss of buildings, such as offices, warehouses, and stores, or impacts on logistics and production.
What should a disaster recovery plan include?
Each DR plan will vary, depending on the size, shape, and mission of an organisation. A very large business, or one dealing with critical information, such as financial services, may require duplicated systems, constantly synchronised, to ensure no outage time. A smaller business may be able to recover using the built-in cloud services in Microsoft 365. However, common elements of a robust DR plan will include:
Goals – what needs to be achieved
Perhaps the most important element of a DR plan is a clear articulation of what is trying to be achieved. This will include a recovery time objective (RTO) and the recovery point objective (RPO). The goals will feed into the design and running of the IT systems on a daily basis, informing issues such as back up frequency, design of network and use of cloud services.
Personnel – who needs to do what
Clear details of who is responsible for the execution of the steps in the DR plan. This needs to be updated regularly and include details of alternates, in case of illness or vacation. A good DR plan will contain a level of detail that should enable a wide range of personnel to execute it. Relying on one or two key individuals who ‘know what to do’ is fraught with danger.
IT inventory – what assets are there
This should include servers, networking systems as well as software licences. Importantly, it should also include details of cloud services. The inventory should include a summary of what applications or tools run on each system.
Backup procedures – how are systems and data backed up
Data is perhaps the most valuable asset to a business and so a critical part of a DR plan. Ensuring that the right data is stored in the right place is vital. The plan needs to detail how data is backed up and where it is stored. An onsite copy of backup data is of little use in the case of a fire, for example. The RTO and RPO requirements, set out in the goals section, will have an impact on backup requirements.
Disaster recovery procedures – how are systems and data recovered
This is not as simple as restoring the data saved during the previous step. Planning needs to consider how to recover any data created since the last backup, as well as ensuring that, in the case of cyber security issues, the backup data is not infected or compromised.
Disaster recovery sites – where will the systems and users be located
Depending on the RTO and RPO objectives, it may be necessary to consider a remote ‘hot’ DR site, where systems can be backed up or replicated. For smaller businesses, thought should still go into where systems and users could be located, in the event of a disaster impacting the main site, rather than simply the systems. A combination of cloud computing and remote working can be considered as part of the solution.
Return to BAU – what needs to be done to return to 100% running
Whilst the DR plan will help to restore the functionality of critical systems, thought should also go into the recovery of secondary systems and how to migrate back to a BAU IT environment. Including this in the DR plan will help set timescale and budget expectations, as well as informing earlier DR decisions.
Types of disaster recovery plans
Many disasters will only hit part of an overall IT system, and as such it is normal to have a set of DR plans that cover a particular type of outage. Common examples include:
Website and e-commerce recovery
Recovery of the online offering is vital to ensuring ongoing contact and business with customers and prospects. Scaling is important. The plan needs to include details of how to quickly restore the new site and divert all traffic to it seamlessly.
Network recovery
As networks get more complicated, so does the recovery plan. It is important to include a highly detailed and tested recovery procedure, and to keep it updated. The plan should include priority systems and services, performance (speed and bandwidth) requirements and key networking staff.
Cloud recovery
Cloud DR can range from simple file backup procedures to a complete IT replication. The plan must address security, and care should be taken to check that software licensing issues do not arise.
Data centre recovery
This more traditional type of plan focuses on the data centre facilities and infrastructure, including IT equipment, buildings, power systems, physical and online security, and office space for users.
Benefits of a disaster recovery plan
The benefits of a good DR plan are simply to minimise the interruptions to normal operations, and in so doing take the smallest economic and reputational ‘hit’. The financial cost of unscheduled IT downtime can be huge, especially when the impact on non-IT operations is considered, for example factories that cannot manufacture, lorries that cannot deliver, or financial transactions that cannot be completed. Longer term issues with customer satisfaction and ongoing loss of business also need to be considered.
It is vital the costs of a disaster are considered in advance, to ensure that sufficient focus and resource is given to creating a robust recovery plan.
How to develop a disaster recovery plan
A disaster recovery plan is necessarily tailored to the needs and shape of a business or organisation. Both risks and critical systems are likely to be unique, and as such there is no one-size-fits-all plan that can be used. However, common steps to create a plan include:
1. Identify the potential disasters
Potential disasters cover everything including geographic (flooding, earthquake), location (under flight path, rural area prone to power outages), IT related (hardware or communications failure) or directed (malware, cyber, or DoS attack). Consideration should be given both to the severity or impact of the disaster, and the likelihood of it happening. With recent events, issues such as another worldwide pandemic or environmental extreme should also be considered.
2. Understand the risks from those disasters
For each of the disaster scenarios, consider which IT systems and so wider business functions, would be impacted and how. This will require close collaboration across the business, to ensure the full scope of an IT system is understood. Paradoxically, the greatest misunderstanding of risk may come from a business function who have benefited from a fully working and effective IT system for many years!
3. Evaluate critical business needs
The next step is to work out which business functions, and therefore IT systems are the most critical to a business. Thought should go into what constitutes an issue for each function, including how the criticality might vary throughout a day, week, month or indeed year. For example, an outage for a retailer is likely to be more critical close to Black Friday, or a payroll or finance system may be able to be down for a few days, away from critical month end periods.
4. Set recovery objectives
From this analysis, it should be possible to work out which systems are the most vital and how much downtime is acceptable. This may result in the need for a set of DR plans, which vary by time-of-year or the type of disaster. This is where the recovery time objective (RTO) and the recovery point objective (RPO) for each system or business function are detailed.
5. Collect information and data
Next, critical data and information needs to be collected, which will enable a successful recovery. This will include technical system information, locations of back up data, names and contact details of key personnel, etc.
6. Create a written document
Once you have the information, a written plan (or plans) can be created, detailing the step-by-step actions that need to take place. It is vital that there is a named and empowered coordinator in place at the time, to ensure that the plan is executed as intended, and that issues can be quickly resolved. This is likely to be a senior leader or manager, with sufficient power to make informed decisions. Thought should go into how the plan will be accessed in case of a disaster!
7. Test and revise the plan
Perhaps the most important step is to test and revise the plan. This can usually be done in discrete parts, without impacting the core systems and functions. Using a suitable third party to oversee the testing can help identify weaknesses or areas that can be improved. Lower cost alternatives can often be identified too.
What are the next steps?
When it comes to DR planning, having an experienced partner to guide you through the decision-making processes can really help. Which is where we can step in with disaster recovery services. We have a wealth of experience helping customers to design, test and implement disaster recovery plans. If you would like to find out more about how to create secure, automatic UK or global-based back-ups and a water-tight Disaster Recovery Plan for your IT systems, get in touch today. We look forward to hearing from you.
