How to create a disaster recovery plan for your business

Gimme shelter

Many disasters are assumed to be natural. The reality is that most are not. While natural disasters like hurricanes and earthquakes can have a major impact on a business’s ability to keep functioning, more common disasters — such as fires, electrical outages, plumbing problems and even human error —also can bring business to a halt.

That’s why it’s critical to have a disaster recovery plan in place.

A disaster recovery plan is a detailed document that spells out every step required for a business to regain operations. This includes enough detail that employees who don’t normally have job functions that might be called for in the recovery can still accomplish them.

There is no one-size-fits-all disaster recovery plan. Each business should create a plan tailored for their unique needs, circumstances and even location.

Though all disaster recovery plans are unique, they do share some common threads, including:

  • how to determine the risks to the specific organization.
  • the impact a disaster might have on the organization’s business.
  • the level of vulnerability for the specific organization.

In many cases, using the cloud can help. If brick-and-mortar locations lose power, or if buildings are destroyed, cloud-based services may not only be running, but might include everything needed to rebuild the business.

Organizational analysis

First, determine what functions your business performs that are necessary for its survival. Manufacturing and assembly? A call center? Knowledge workers? In many cases, office space and large volumes of data must be accessible.

Figure out which core systems must be operational, or if they are interrupted, must be restored as quickly as possible.

A bank for example, might be able to function briefly without teller windows if their ATM network remains functional. Likewise, a retailer might be able to function as long as warehouses and suppliers remain intact, if the office staff can find a way to handle orders and billing.

The goal is to analyze the importance of each system and determine how long the organization can function without it. In a small organization, it may work to create a chart or spreadsheet to list the options. Once this analysis is complete, it’s time to perform a threat assessment.

Understanding natural threats

On the East Coast of the United States, hurricanes can be a significant threat that can bring operations to a halt for days or weeks. In other locations, you might need to be prepared for floods or earthquakes. It’s a good idea to study the historical record to see what’s happened in the past. For instance, check with your insurance company to find out if the business location is in a flood-prone area.

There are, however, some threats that aren’t regional. Fires can happen anywhere, as can electrical outages and even gas explosions.

Rank the threats that can affect the company, and what those threats might do to the surrounding area.

The company factory, for example, might be on high ground, but a flood that closes the roads in the area can keep employees from work, effectively shutting down productivity.

Reducing vulnerabilities

While analyzing the organization and the threats that might affect it, you may discover that you can significantly reduce some potential impacts by eliminating a vulnerability long before a disaster.

Loss of electricity can create problems for data centers that go far beyond simply turning everything back on. Data loss and corruption, loss of virtualized systems, loss of storage can all happen if power is lost suddenly. You can avoid these consequences by installing standby generators and batteries that can pick up the load instantly.

Likewise, you can lower risks from flooding by moving to higher ground, building levees, or in some cases simply moving critical equipment to higher floors. Buildings can be modified to resist seismic movement. Fire suppression systems can be installed. Such actions can turn a disaster from major into minor and sometimes into an inconvenience.

Off-site storage of critical data and applications with a cloud service provider can mean that the business can continue — even while relocating away from any potential disaster. It is important to ensure that your cloud service provider itself is protected from disasters; many include secure facilities with redundant power, and in some cases operate failover data centers hundreds or thousands of miles separate from each other.

Arranging for replacements

About the only thing that can’t easily be replaced in an office environment is the staff. As long as data and applications are safe, work can get done provided computers and office space are made available.

Preserving the integrity of the staff is of primary importance.

They must have an environment where they feel and can work productively, and in which they’re not distracted by the welfare of their families. Providing office space and the necessary equipment can be as simple as allowing the staff to work from home. If that’s not possible, make advance arrangements for temporary office space. In some cases, disaster recovery vendors can provide temporary office space.

Using cloud services where it makes sense for your business can make providing space and facilities for staff easier in the event of a disaster.

For example, use hosted email, cloud-based storage and perhaps virtualized workstations so that the only thing to do is find a location, and the work environment will follow.

For longer-term recovery, arrange for new equipment and new workspaces if the old offices were destroyed or are inaccessible for longer terms. You can make such arrangements with a disaster recovery vendor if you choose, but it’s better to make such plans in advance.

Making it work

Once you’ve performed risk assessment, solidified relocation plans, and preserved data and applications in an area far enough from the at-risk location that the same disaster won’t hit both places, then document exactly what needs to be done.

The documentation must include:

  • detailed information as to where data is stored.
  • what arrangements have been made to arrange office space.
  • replacement hardware.
  • phone and data services

Record those plans in detail. This means providing names of specific people and their contact information — including mobile and home phones, email addresses and physical locations. Be sure to specify backups for each person and every function.

Store the detailed plan both online and in physical form in multiple locations. Provide copies to key employees and online, perhaps in the cloud storage.

Practice recovery

The best plan is worthless if nobody knows how to execute it correctly. Once the plan is complete, practice it rigorously. This means actually making use of stored data, bringing offsite workspaces up to speed, and transferring data and phone services. Carry these practices out frequently until everything works, and then rehearse every few months.

While practicing, fix any problems in the recovery plan and keep it updated.

While recovery from a disaster is rarely easy, a detailed, up-to-date disaster recovery plan can make staying in business during and after a disaster possible — and a lot less painful.

Image by: David Franzen via Library of Congress Archives

Wayne Rash is a writer and editor with a 35-year history covering technology. Wayne is a frequent speaker on business, tech issues and enterprise computing, and serves as the Washington Bureau Chief and Senior Columnist for eWEEK. Wayne is also a frequent guest on network news and talk shows, and has appeared recently on NPR, Fox Business News and NBC. He is the author of five books, including his most recent, “Politics on the Nets.” Wayne is a retired naval officer, a former principal at American Management Systems, a long-time columnist for Byte Magazine and a former News Director of NBC affiliate WVIR-TV in Charlottesville, Va.. Wayne was nominated for the Pulitzer Prize in 1998.