Here’s a Checklist for Disaster Recovery Plans
A tornado will strike your office at 8:37 tonight. Will your business be up and running again tomorrow? If you haven’t planned for a worst-case scenario, the answer is no: not tomorrow and possibly not ever. We’ve created this simple checklist for disaster recovery plans to help you plan for how you’ll restore your operations after a disaster.
Most disasters don’t come with warnings
Even tornados are generally predictable with today’s weather-forecasting technology. You usually know when certain natural disasters are coming, like hurricanes, heavy rains and blizzards. But most of the time, disaster strikes when you least expect it—and for unpredictable reasons: fires, cyberattacks, terrorist attacks, malware and even simple human error.
Each type of disaster has unique consequences on the people, systems and processes that make your business run. Use this checklist for a disaster recovery plan to make sure you’re prepared for virtually any major event.
Checklist for Disaster Recovery Plans
1. Identify who does what in a disaster.
In most disaster recovery plan examples, this is often called a “mission-critical hierarchy of personnel functions.” But in a nutshell, it’s a list of key stakeholders, executives and managers, along with their disaster-response responsibilities.
This section is usually the first in the DRP. It outlines the people who oversee the organization’s disaster recovery planning and/or those who need to remain in close communication when a disaster occurs.
Here’s a quick checklist of questions that this section should answer:
- Who wrote the disaster recovery plan? Who is on the disaster recovery team? How should they be contacted in an emergency?
- Which stakeholders need to be updated on the status of recovery efforts?
- Who will monitor the impact on sales and cash flow?
- Who will make decisions on business relocation?
- Who has access to secure systems or the ability to grant authorization to others?
- What tasks need to be completed in each department to restore operations ASAP?
Decisions like these will need to be made immediately, so your recovery plan should spell out exactly who will make them and how.
2. Set the objective of the plan.
Not all disaster recovery plans have the same goals. For example, it’s extremely common for IT to implement its own DRP, focused strictly on IT systems, such as networking, data storage, backup and so on. This can be a good strategy, as long as there are additional disaster recovery plans created for other divisions of the business.
The “objectives” section of your DRP makes it clear what the plan is focused on. It states which areas of the business the planning applies to, i.e. the entire organization or individual departments such as IT.\
- What is the specific goal of this disaster recovery plan?
- Why is it needed?
- Which systems, divisions or business units does the plan apply to?
- How will the DRP actually help the business recover from a disaster?
In addition to identifying the scope (and limitations) of the plan, the objectives section also serves as a brief explanation of the importance of disaster recovery planning. This can be useful for demonstrating to decision-makers the critical need for further DR investments.
3. Put people first.
When you Google “checklist for disaster recovery plan,” it’s shocking how many lists neglect to mention the risk of actual human harm in a disaster. If your plan is focused on the organization as a whole (rather than specific systems), then you must have a plan for how you’ll take care of your employees.
Aside from the ethical concerns, the safety of your workforce is vital to your ability to maintain continuity. Without safe and healthy workers, the business will not be able to recover. So it’s critical that your disaster recovery plan outline how your employees will be kept safe.
- Where should employees shelter if caught in a natural disaster such as a tornado?
- What about active-shooter situations or terrorism? How should employees respond? What should they do?
- What if there are widespread injuries at the office?
- Where are medical supplies kept? Who has access to them, and how can they be distributed to those who need them?
- How will you obtain urgent medical care for the more serious emergencies?
- Is there a point-person who will contact authorities and oversee the situation?
Tip: In terms of disaster recovery planning, businesses must think beyond the mere first-aid kit. If you want to make your people a priority, then there must be thorough planning in place to ensure the wellbeing of employees in every possible disaster scenario.
4. Spell out the specific risks.
You can’t plan to recover from a disaster if you don’t know what those disasters will look like. Much like a business continuity plan, your disaster recovery plan needs to include a thorough assessment of the most likely disasters to disrupt operations.
This risk assessment is essential for understanding all plausible disaster scenarios on a deeper level. It’s not enough to simply say, “This is what we will do in an earthquake.” The DRP should outline each individual risk that the earthquake poses: destruction of facilities, loss of servers and data, physical harm to people and so on.
- Which disasters pose a threat to operations?
- What do those disasters actually look like? What would happen? Why are they being listed here?
- On a scale of 1 to 5, how likely is each scenario? How should the disasters be prioritized?
- Have you considered all possible disasters, including those that are unique to your organization or area?
5. Define the impact of those events.
Depending on the scope of your disaster recovery plan, you may also need to include a “business impact analysis” here. (This is a common section in business continuity plans as well.) An impact analysis helps to define how each of the possible disasters actually affects operations.
So for example, in the risk assessment, maybe you defined ransomware as a form of malware that encrypts your data. In the impact analysis, you spell out the actual impact: loss of data, idled workers due to computers not being accessible, information systems going offline and so on.
- Which business processes are affected by each type of disaster?
- What is the specific outline? How are operations disrupted?
- What is the impact on productivity, service availability, revenue, workforce, company reputation, etc.?
- How much will that disruption cost the business?
That last question is usually one of the most important for determining the severity of each disaster. Defining the financial impact on an hourly or daily rate helps to provide clarity about which disasters are most destructive and thus also how recovery planning should be prioritized.
6. Outline steps for prevention and mitigation.
The “best” disaster scenarios are those that can be averted altogether. While that may not always be possible, preventative planning within your DRP can help to ensure a much smoother recovery.
Consider a ransomware attack that is stopped at the first infected device, before it spreads across the network. Or a hurricane that destroys an office building but not operations, because they were relocated days before the storm arrived. Those are prime examples of how prevention and mitigation can greatly reduce the impact of an event.
- What measures or systems can help to avoid the disasters outlined in your risk assessment?
- When disasters do occur, how can their impact be mitigated?
- What should be the immediate response to each type of event? How can those steps help to prevent a full-blown disaster?
- Which mitigation procedures will help accelerate recovery efforts?
7. Define recovery protocols and systems.
This is the real meat of your disaster recovery plan. This section outlines the full procedures and systems for recovering from each of the disasters you’ve listed above.
The level of granularity here will vary depending on the plan’s objectives. But ideally, every possible disruptive event should be accompanied by specific instructions for overcoming the incident and recovering all affected operations back to their normal state.
- What steps must be followed to fully restore operations?
- Which systems need to be leveraged, and how?
- What are the specific procedures for each potential disaster?
- Who will perform those procedures?
8. Have a backup office.
A disaster recovery plan must take into consideration the risk of losing an entire work site due to natural disaster or other events. If there is no backup location available, then it will be far more challenging to recover operations.
For most businesses, this doesn’t mean paying rent on an additional space that you’d only use in an emergency. But you do need to evaluate what your options are. Consider where your staff will work if the office cannot be opened.
- What is the plan for relocating the operations if the primary site is destroyed or inaccessible?
- Does the organization have other locations that could be used by dislocated teams in an emergency?
- Is technology in place to allow people to work remotely?
- Can other facilities be quickly secured if needed?
Tip: Consider creating a separate, evolving checklist that identifies potential available real estate that would allow the business to relocate immediately, if necessary. That means making phone calls and remaining in close contact with real estate professionals who could get you into a new space right away.
9. Determine equipment needs.
You’re operating on a limited, mission-critical staff. How many computers will you need? How many mobile phones? Who gets them, and where do they get them from?
To recover operations during a disruption, you’ll need to have the necessary equipment – especially if the business is forced to relocate. Defining these resources in your disaster recovery plan helps to ensure that the business will have the backup equipment they need (or will be able to quickly obtain it) to maintain continuity.
- Every business should already have up-to-date inventories of all office equipment, including computers, IT infrastructure, furniture and other assets.
- Your disaster recovery plan should identify how you’ll reproduce that entire inventory after a major disaster, as well as a smaller inventory of absolute mission-critical equipment.
- If backup equipment isn’t readily available, how will it be acquired? What are the fastest methods and who will oversee these efforts?
10. Identify data backup and recovery systems.
Data backups are a critical component of any disaster recovery plan. Most organizations today are heavily reliant on their data for numerous aspects of their operations. Files, emails, digital assets … if it’s saved anywhere on your network, it needs to be backed up constantly and easily restored after a disaster.
At a time when ransomware poses a constant threat to business’s data, having a dependable backup system is a must. This system should be thoroughly defined within the DRP, along with procedures for recovery.
- Data is your business’s most valuable asset and the most important component affecting your business’s downtime. Having a solid backup solution must be a critical part of your IT disaster recovery plan.
- Consider how and where you are backing up your data. Is it on-site? In the cloud? Is the data encrypted?
- How quickly can it be restored? What is the risk of data being compromised or corrupted during recovery?
- How frequently should data be backed up?
- How long should backups be retained?
- How quickly should data be recovered from backup after loss has occurred?
11. Make communication easy.
Recovering after a disaster is impossible if your people can’t communicate with each other or don’t know how. Consider not only how people will communicate but also with whom.
- What devices will mission-critical teams use?
- How will you communicate with your workforce if email and phones are offline?
- Who should employees contact to confirm the status of the business or find out what’s happening?
- Who will stakeholders need to contact to actually execute the disaster recovery plan?
12. Protect hard-copy documents.
Even in today’s digital-centric world, most businesses still have mountains of important paper documents stored in boxes and file cabinets. You need to plan ahead for how you’ll protect, copy, recover and/or reproduce these documents should you suddenly lose access to them.
- Where will physical documents be stored? On-site, a remote location or both?
- Which documents require backup copies and where will those be kept?
- How quickly can backup documents be secured if they are needed in an emergency?
- Who is in charge of document management, particularly in a disaster situation?
13. Know what you’ll say to the outside world.
In addition to communicating internally, you may need to reach out to the media, clients, customers and vendors. How? Which ones? What core messages will you need to get across after a crisis has disrupted your business?
Things to consider:
- Many disaster recovery audit checklists include the need for a “crisis media kit.” This is a good idea if you believe you’ll need to send out a press release or other urgent communications.
- Don’t put this off. Nobody wants to be writing a press release after a disaster has just devastated the business. Have one pre-written, templated and ready to blast when needed. (If you’ve done your job creating a disaster recovery plan, then you already know what this release will need to say – almost regardless of what kind of disaster you’re facing.)
14. Set expectations.
Should a recovery take two hours or two days? In any disaster recovery plan, it’s enough to simply define what the recovery entails. To meet continuity objectives, the plan must also set expectations for how quickly the recovery should be completed.
In IT, for example, it’s common to define specific objectives for recovering data after a data-loss event. A recovery point objective (RPO) designates the maximum desired age of a backup, and a recovery time objective (RTO) specifies how quickly the data should be recovered. Similar principles can be applied to other recovery efforts as well.
- How quickly should each disaster incident be resolved?
- What is the expected timeframe for each type of recovery? How many hours?
- What are the time thresholds that should not be exceeded in order to prevent a more catastrophic outcome?
- Are there any extra steps that will ensure those objectives are met?
15. Constantly reevaluate.
Disaster preparedness is a work in progress. You need to constantly reevaluate your plan to ensure that you’re planning for all possible scenarios.
- When creating a checklist for a disaster recovery plan, keep in mind that the information you include is likely to become outdated in just a few months.
- Your plan should outline a timeline for how often it’s updated and by whom.
Most disaster recovery plans are far from perfect, and the list above is intended only as a rough guide. Consider consulting with a disaster planning professional, who can help you create a comprehensive, individualized plan for your business.
See how today’s best data backup and disaster recovery solutions can protect your organization from a data-loss disaster. Request a free demo or speak to our business continuity experts at Invenio IT today. Call (646) 395-1170 or email success@invenioIT.com.