However well-run your business, sometimes life can hit you with the unexpected. And while minor glitches and annoyances can be overcome with minimal disruption, a full-blown disaster could be catastrophic if you’re not prepared.
However much it may seem like another piece of admin you don’t have time for, a business disaster recovery plan is an essential part of business management duties. By planning for the worst, you are free to concentrate on making a success of your day-to-day business tasks, safe in the knowledge that you’ll know what to do when things go badly wrong.
In this guide, we’ll explain why you need a disaster recovery plan and how to go about drawing up your own plan.
- What is a disaster recovery plan?
- Why should you have a DR plan?
- Who needs a disaster recovery plan?
- What is the difference between business continuity and disaster recovery?
- When might you need to use a disaster recovery plan?
- How to put together a DR plan
- Small business disaster recovery plan checklist: what to include
- Insuring for business interruption
Also known as a DR plan or DRP, a disaster recovery plan is a document that lays out how you will protect your business in the wake of a catastrophic event, such as a cyber-attack, natural disaster, or act of terror.
It details the measures you will need to take to recover, including restoring your IT infrastructure, where you’ll work if your premises are out of action, and how you’ll work if your equipment cannot be used.
It can also include plans for:
- Power outages.
- Telephone system outages.
- Bomb threats or terrorism.
- Fire, flood or other natural event.
Essentially, it is a backup plan you can refer to in an emergency which will help every member of your team to get the business back to safe and normal operation as quickly as possible.
Disruptions to your business can lead to lost revenue, brand damage and dissatisfied customers. And the longer it takes to get your critical systems back up and running, the greater the business impact.
In the past decade this has proved even more critical with businesses now relying on often complex IT systems, combined with the increasing sophistication of cyber-attacks.
Statistics show that cyber-attacks often remain undetected for more than 200 days, giving hackers time to plant malware that can spread throughout the system and even infect recovery data. Such an occurrence requires a detailed plan that can be acted on immediately.
Other key reasons to have a detailed and stress-tested disaster recovery plan include:
- To minimise the financial impact of the interruption.
- To establish where and how you can operate in advance.
- To coach staff to deal with emergency procedures.
- To ensure a smooth and fast return to normal service.
Businesses of all sizes would benefit from having a DR plan. A disaster recovery plan for a small business is arguably even more important than for a large organisation. While a huge corporation may be able to ride out a storm with cash reserves, interruptions in trading for a small firm without a financial buffer can be catastrophic.
Disaster recovery and business continuity plans are similar concepts with some key differences, and operate best when developed in tandem.
They both take a pre-emptive approach to minimise disruption when a disaster occurs, and they both need to be tested and regularly reviewed.
However, whereas business continuity focuses on keeping the business running during a disaster, a DR plan primarily focuses on restoring data access and IT infrastructure after a disaster. In other words, a business continuity plan aims to keep the lights on, while a disaster recovery plan concentrates on getting the lights back on as quickly as possible. How can we keep going, versus how can we recover quickly?
DR plans focus mostly, but not exclusively, on data and IT. They often form part of a wider business continuity plan covering every aspect of the business. The recovery plan could apply to any point of failure across all operations including data loss, hardware failure, network outages, application failure etc.
A DR plan will come into action as soon as a disaster that affects your business strikes.
A good example of the importance of disaster recovery plans was Facebook’s outage on October 4, 2021, which saw users unable to access the social network and all of its subsidiary sites.
This was a result of a technical issue caused by Facebook making a configuration change to their routers. The changes effectively rendered Facebook’s servers invisible to anyone trying to access them, also shutting down the company’s internal communications systems and locking employees out of their offices when security passes stopped working.
This is a classic example of when a DR plan, rather than a business continuity plan, is required. Business could not carry on at all, so it was essential to recover services as quickly as possible to minimise losses.
Here, we’ll explain how to create a disaster recovery plan for a small business, including the steps you’ll need to take before you start, what to include, and how to test the plan.
Before you write the plan.
Risk assessment: Carry out a disaster recovery risk assessment and business impact analysis to address different potential disasters. Set your goal for what you want your DR plan to achieve.
Events can be classified as:
- Low probability/low impact
- High probability/low impact
- Low probability/high impact
- High probability/high impact.
Clearly, the higher the impact or probability, the greater the need for planning. Consider the impact on each department, and on customers, business partners, finance and logistics, as well as the ability of employees to access the data centre in case of a natural disaster, whether or not you use cloud backup, and whether you have a single site or multiple sites.
Run through a number of different scenarios and try to imagine what action you would take in each.
Once you’ve carried out your risk assessment, you’ll know which areas you need to focus on in your DR plan – your key vulnerabilities – and what your goals and objectives are.
Things you will need in your plan include:
- An internal contact list – people within your business.
- An external contact list – customers and suppliers.
- Details of exactly what type of events will trigger your DR plan.
- A plan of action for every eventuality (using information from your risk assessment).
- Inventories of critical equipment.
- What it would take to restore your whole IT system in the event of a system failure.
- Temporary alternative work locations if you cannot work at your main offices.
- An expenses log, which will be useful for any insurance claims.
- The policy number and claims phone number for your insurer.
- How often you will test the plan.
Include the following for each area of vulnerability:
- Who is responsible?
- How would it impact the organisation?
- How likely is it to happen?
- What is the timescale in which it must be resolved?
Test the DR plan.
How do you know that your plan will work? It’s important to develop criteria and procedures for testing the DRP to ensure you have feasible back-up procedures and facilities in place – and to identify any improvements that need to be made.
Carry out a dry run to test and correct any issues. It’s also important to make sure all of your staff have seen and read a copy of the DRP, so nothing comes as a surprise if it needs to be deployed. It may also be worth sending your DR plan to key customers and suppliers, so they are aware of how things will work in the event of an emergency or disaster.
It’s always worth consulting the expertise of a professional risk management service to make sure that your business disaster recovery plan fully covers all eventualities. For help with developing and implementing a DR plan, contact Alan Boswell Risk Management on 01603 967900.
These days, it’s also essential to have cyber insurance to protect you against the consequences of hacking.