Disrupted by COVID-19? Time to Update Your Disaster Recovery Plan
In fact, as your business adapts to the current situation, now is arguably the best time to update your planning to ensure you’re prepared for further disruptions in the future.
Preparing for the unexpected is what disaster recovery planning is all about. You’ll be forgiven if your business hadn’t planned specifically for a pandemic, but don’t assume that this period of massive change is over.
Over the past two months, businesses have faced a storm of unexpected obstacles, one after another:
- Health risks to employees
- Government stay-at-home orders
- Forced business closures and/or modified operations
- Workforce shortages
- Supply-chain disruptions
- Rise in coronavirus scams & cyberattacks targeting businesses
- Overall economic fallout
As each week passed, new challenges arose. The situation has underscored the fact that disasters are nearly always abrupt and unpredictable. And the next new challenge could come at any time: tomorrow or 2 years from now.
This is why every business should be using the lessons from COVID-19 to reevaluate their disaster recovery plans.
Here’s how to do it.
Redefine the plan’s objectives
Every disaster recovery plan (DRP) should begin with an objective section that outlines the purpose and focus of the planning. For example, some businesses focus their DRP strictly on IT disaster recovery, whereas others may use the document more like a broader business continuity plan. Whatever the case may be, it’s important to define those objectives, so that there’s no confusion.
If you’re revisiting the plan in response to coronavirus, a key question to consider now is: does your current objective go far enough?
- Consider whether the current scope of the DRP is still narrow (or broad).
- Use lessons from your COVID-19 response to determine how planning should be expanded or modified.
- Remember to keep this section focused on the core objective of the document (i.e. plans for recovering IT systems after a disruption, etc.), rather than the specific strategies to achieve that goal. Those strategies will be outlined in later sections.
Make plan activation clearer
Every DRP needs to define which events should activate the plan. Should those protocols be revisited in light of the pandemic?
Typically, this section of your planning will dictate the very first response to a disaster: what circumstances need to occur for recovery procedures to be followed, who makes those decisions, how the decisions are communicated to others and so on.
As you re-evaluate your DRP, consider how COVID-19 changed your perspective about those steps.
- How can decisions about activating the plan be made even faster?
- In an event such as a pandemic, how can recovery teams be equipped to forecast potential operational disruptions at the earliest possible warning signs?
- Beyond steps to activate the plan, recovery teams or stakeholders should begin having these conversations about preparations as risks become apparent. But what types of disasters should set off those conversations and what warning signs?
Reassess your risks
A core component of your disaster recovery plan is a risk assessment. A risk assessment identifies all the potential threats to your operations or IT systems.
But here is the million-dollar question: did your assessment include the risk of pandemic?
If not, there’s no better time to update this assessment using the lessons from COVID-19.
- Consider the different ways that the coronavirus outbreak had an impact on operations and how each of those factors presents a unique risk that needs to be planned for.
- Take the stay-at-home order, for example. For many businesses, this presented the challenge of maintaining operations without having workers on-site. In turn, this presented IT challenges of equipping remote workers with the technology they need do their jobs from home.
- What about the health risks of a pandemic? Many companies quickly deployed new protocols for protecting essential workers, such as the use of face masks, gloves and other precautions. These protocols should be documented in your DRP if they aren’t already.
- What about cybersecurity risks? The COVID crisis ushered in a new wave of cybersecurity threats, which presented yet another challenge for IT.
Keep in mind that your existing disaster recovery plan may already outline a similar set of risks, outside the context of a pandemic. At the heart of this disaster are risks that businesses should already be planning for, such as:
- Workforce interruptions (shortages, transportation disruptions, etc.)
- Threats to IT infrastructure (phishing scams, viruses, ransomware, data loss, etc.)
- Restricted access to business location (fire, natural disaster, terrorist activity, etc.)
Every possible risk needs to be considered. If a disaster occurs that a business is not prepared for, then recovery becomes far more challenging.
Document the impact (right now)
As part of your DRP’s impact analysis, you define the potential outcomes of threats identified in your risk assessment. What better time to document the outcome of a pandemic than right now, when your business is in the middle of one?
Calculating the impact of a disaster is key to understanding how the business will be affected:
- Which operations and services will be disrupted
- How long those disruptions may last
- How much it costs
For example, your analysis might forecast that a ransomware attack could cost the business an estimated $10,000 per hour of downtime, due to idle workers, service interruptions, productivity losses and other factors.
The same goes for pandemics. A comprehensive analysis is needed to determine all the ways operations will be affected by such a disaster. The analysis does more than just uncover potential damage. It guides decisions about disaster prevention and recovery procedures.
Update recovery procedures
If you could go back to January and start planning for the risks of a pandemic and state-ordered shutdowns, what would you do differently?
Some businesses were indeed already making contingencies based on available data at the time. But for smaller companies with limited time or resources for disaster planning, the threat didn’t become real until it was too late. Stay-at-home mandates sent businesses scrambling to find ways to keep their operations running.
In retrospect, how could your recovery procedures have been better positioned to deal with the current situation?
- For example, consider the deployment of remote working technologies and processes. How could clearer protocols have improved the speed of this shift and eliminated chaos?
- Consider the CDC’s social distancing measures that businesses are now adhering to. For most businesses, these are new protocols that should be added to the DRP, so they can be implemented even faster in the future.
- What about preparations for a sudden loss of revenue or economic collapse? Consider steps that can help stave off the business’s demise, such as emergency loans, government assistance, layoffs and so on.
Review your recovery technology
Technology deployments have played a crucial role in helping businesses adapt to the pandemic. Office workers needed dependable technology to do their jobs remotely. Companies needed secure networks to prevent remote systems from being compromised. Brick-and-mortar businesses needed technology to process orders by web and phone.
For unprepared businesses, making these adjustments has been a challenging and costly learning experience. This is why every business should be re-evaluating their technology deployments now, so that future recoveries are swifter and more seamless.
- Start with the backbone of your recovery infrastructure. Data backup, networking, servers, cybersecurity systems – all of these components should be evaluated on an ongoing basis to ensure they provide adequate protection for every situation (pandemics and beyond).
- Consider the technologies that could have helped your company respond to the COVID crisis even faster: cloud services, remote collaboration platforms, endpoint protection solutions and so on.
- Even if some of these technologies won’t need to be leveraged during typical operations, your disaster recovery plan should outline the specific protocols for how and when they’re used.
Reexamine asset management and contingencies
In disaster recovery, asset management typically refers to the company’s IT assets: servers, computers, network devices and so on. But it can also apply to other company assets, such as office furniture or the office location itself.
When disaster strikes, assets can become inaccessible, because they are destroyed or unavailable. It’s important for businesses to have backup assets for these situations or contingency plans for quickly restoring them.
COVID-19 forced many businesses to rethink how they would “relocate” the business to a decentralized environment and how they would equip workers with the devices they needed to do their jobs from home. This is exactly the kind of strategic planning that should be documented in your DRP.
- Beyond a pandemic, consider additional scenarios that might require the business to quickly relocate or carry out operations from other locations.
- What planning can help to secure that backup location, or other assets, prior to a disaster occurring?
- What outcomes from the coronavirus outbreak can help guide stronger asset management planning as it relates to disaster recovery?
DR planning never stops
The coronavirus pandemic has given businesses numerous lessons to learn from. While companies in every industry are still facing tremendous obstacles, these challenges can help to guide future recovery planning.
Documenting new processes and updating your DRP now will ultimately help to ensure your business’s survival in the uncertain days and months ahead.
Get expert guidance
If you need assistance with your disaster recovery planning as it relates to data protection, backups, file-sharing solutions or IT infrastructure, please reach out to our business continuity experts at Invenio IT. Call (646) 395-1170, email success@invenioIT.com or request a free demo of our recommended backup solutions.