Back to Basics – Disaster Recovery Planning and Business Continuity Times
Disaster Recovery Plan is essentially a comprehensive strategy including people, processes, policies, and technologies, which ensures that the business quickly resumes and starts running smoothly after any disruption – natural or human-induced.
The Disaster Recovery Plan needs to be well-thought-out and workable. Here is how businesses can go about preparing a solid Disaster Recovery Plan –
Perform Business Impact Analysis
The first step is to identify the services that support the critical functions of the organization. Start preparing a list of requirements and how they can impact the functioning of the organization. Identify the risks that can hamper the uptime of the business.
The next step is to analyze the threats for probability and impact. It will help you setup the right priorities in your Disaster Recovery Plan. Here, you also need to define the Recovery Time Objectives (Targeted time duration and service level within which a business function must be restored) and Recovery Point Objectives (The age of files which must be recovered from backup storage).
Define Disaster Recovery Strategy
The global standard for IT Disaster Recovery (ISO/IEC 27031) notes that the “strategies should define the approaches to implement the required resilience so that the principles of incident prevention, detection, response, recovery and restoration are put in place.” Strategies essentially define the plan to respond to a disaster.
After identifying the critical functions, RTOs and RPOs, the next step is to formulate the strategies for prevention, response and recovery. List down the critical systems, their RTOs and RPOs, the threats for the critical systems, and then go on listing the prevention, response and recovery strategies for each system.
Once the risks are identified, you need to establish the budgets. For that, ask yourself –
- Can the threats be detected before they happen and how much will it cost?
- Can the potential of the threat happening be reduced?
- What are the costs of reconstructing the business data?What are the costs for per hour of downtime?
- How long can the business afford to be without its computer systems?
Answers to these and such questions will help you arrive at a budget which you would like to allocate for Disaster Recovery. While there is no fixed ballpark on the budgets, these typically range between 2 -8 percent of the overall IT budgets. Of course, for the companies for which IT system availability is crucial, the budgets are on the higher scale than the ones which can function without it. According to Emerson, a large IT establishment typically have 15 percent as standard budget.
Develop Disaster Recovery Plans
After defining the Disaster Recovery Strategies and the budgets, the next step is define the plans. For every response strategy, you need to define response actions and for every recovery strategy, you need to have associated recovery actions. This will help you define the high-level action steps.
A detailed DR plan must include –
- Roles and Responsibilities: Details about DR recovery team members, their contact details and spending allocation in case equipment need to be purchased.
- Incident Response: Provisions to become aware of an out-of-normal situation, assess the situation for damages, determine the damage severity, try to cover the disaster to bring it under control, and notify the key stakeholders.
- Plan Activation: Determine which recovery plans to activate – the criteria to invoke the plan, the procedures and authorities to make the decision.
Don’t wait for the disaster to happen to know whether your DR plans work or not. Make sure that you have regular drills or simulations to prepare the teams involved in DR activity. It will also help you know the viability of a plan and if there are any areas for improvement. If you discover any issues during the tests, make sure that you record the results and update the DR plan to address those and test again to ensure efficiency. Such periodic walk-throughs also help in ensuring that everyone knows their roles.
DR planning is not a one-time activity. As per the changes in the business, the need for business environment also changes. Make sure that you re-examine the plan frequently – check if the plan is still valid, do you need to add anything, do the budgets need to be adjusted, are there any new software/ hardware which need to be included in the plan, is there need of training to new employees and so on.
Key operational Decisions
Having looked at Disaster Planning at a higher level, let’s look at some of the operational decisions which you need to make during this planning –
- What are the types and amount of storage data?
- Where is the data backed up – locally or at a remote location
- How the data is backed up – Spinning disk arrays, tape library or Cloud
- What is the backup type – Comprehensive, incremental or differential
- What are the options for the employees to temporarily function in the case of a disaster – Considering the size, network, Internet, phone connectivity, and the costs
- How the employees will be communicated and updated throughout the recovery process
While we have seen a whole bunch of disasters and have helped organizations establish a strong disaster recovery plans, it seems that there is always something new to learn and master. It is very important to go back to the drawing board and relearn the lessons.
To know more email:firstname.lastname@example.org
Anupam Bhide | Calsoft Inc.