All of us would agree that it is not possible to avoid a natural disaster- it can strike any hour. While no amount of planning can prevent an earthquake, a hurricane or floods from affecting your business operations, having an effective disaster recovery plan-and knowing how to implement it-brings a lot of difference. If you are thinking of drafting a disaster recovery plan for your business, here are the steps you should consider. 1) Prepare an Inventory of All Assets As the very first step of your disaster recovery plan, prepare an inventory of all the assets in your organization. This is important to understand how complex your inventory is. All the servers, storage devices, data, applications, access points, network switches and appliances should be mentioned in this list. For each asset, mention its physical location, the network it is associated with and dependencies if any. 2) Carry out a Risk Assessment Once you have mapped all the assets, go through each asset one by one and mention all the internal as well as external threats that could impact it. These threats could include anything ranging from natural disasters like an earthquake and floods to mundane power outages lasting a few hours. Once you have listed all possible events, figure out the probability of the event taking place. Also, mention the likely impact it would have on your business. Here, it goes without saying that mundane events are more likely to occur when compared to natural disasters. 3) Identify the Criticality of Assets Before drafting a disaster recovery plan, you need to classify all the assets in different classes based on how critical they are to the functioning of your enterprise. This is one step where you need to enlist the support of your business managers and support staff. Look for some common properties and classify them based on how critical they are for the continuity of your business operations. For instance, for a medium-sized enterprise, assets can be grouped into low impact, medium impact and high impact categories. Assets that don’t need immediate restoration for continuity of the business can be classified as low impact. Assets whose absence will not stop the business but slow it considerably can be grouped under medium impact category. Assets whose absence will bring the business to a halt can be grouped as high impact. 4) Define Recovery Objectives Recovery objectives can differ from application to application. For instance, for an online retailer, a database of customer transactions will have aggressive recovery objectives as the business cannot afford to lose any of this data. On the other hand, an old internal system may have less aggressive recovery objectives as the data does not change often and is less critical to get back online. It’s imperative that you involve business managers while setting recovery objectives to make sure the business can prioritize more critical applications or systems during the recovery process. Two metrics are of key consideration in this step. One, recovery time objective (RTO) and two, recovery point objective (RPO). Recovery Time Objective (RTO) for an application is the time duration for which it can remain unavailable without affecting the business. To calculate the RTO for any application, estimate the revenue your enterprise would lose if the application went down for a given length of time, say an hour or a day. Calculation of your RTO is important for determining the frequency of backup of the application. For instance, if an application has a low RTO, say a few minutes, you will require continuous back up. The other key metric is the recovery point objective (RPO). RPO is the acceptable amount of data your organization can afford to lose. If your enterprise has a high tolerance for data loss, your RPO will be high and you can back up the data every hour. If your enterprise can afford to lose very little data, your RPO will be seconds and you will need to back up every few seconds. 5) Determine the Right Tools and Techniques Once you have mapped the assets and grouped them on the basis of their criticality, it is time to choose the right tools and techniques that help you execute your plan most efficiently. The tools and techniques should offer the most appropriate level of protection. If the tools selected are more sophisticated than you need, it will cost you a lot and introduce unnecessary complexity. On the other hand, if the tools are cheap but do not offer the requisite level of protection, it will put your enterprise at risk. A critical element of your disaster recovery plan is offsite protection. The method you choose should be commensurate with your recovery objectives. The offsite location on which your data is sent should be at least 100 km away from your primary data facility and should not fall in the same geographic risk zone. It is also important to streamline and automate the recovery process as much as possible. Automation minimizes the risk of data loss. 6) Involve all the Stakeholders It is essential to involve all the stakeholders in the planning phase of your disaster recovery plan. Business managers and application owners should agree with you about the service level agreement your team should provide. Always consult your vendors and strategic partners to ensure you can make the most of your disaster recovery solutions. Stay in close contact with any vendor you employ so that any problem can be identified and resolved on time. 7) Document and Communicate your Plan Once you are clear on your disaster recovery strategy, it is important to get it documented. The document will help people understand how to get the business back to a working state. Once your document is ready, it needs to be duly communicated to the right people. Make sure your disaster recovery plan is in a place where it can be easily accessed. A good idea is to print and post it in multiple locations. 8) Test and Review your Plan No enterprise can ever have a perfect recovery plan in place, but testing your plan will not only help you identify and rectify the shortcomings but also help execute the plan more effectively whenever needed. You do not need to practice the entire disaster recovery plan each time; it is perfectly fine to select one or two parts of the plan and test them. Once you have a documented disaster recovery plan in place, it is important to review the plan from time to time in view of the changing environment of your business. Your tolerance for downtime may change with time. Key personnel from your IT department may leave the organization. Your business may shift to a new location. You may acquire new hardware and operating systems. Your disaster recovery plan should reflect the current state of your organization.
