BCP / DRP
Business Continuity Plan / Disaster Recovery Plan
All organisations experience disruptions, whether that’s from a cyber attack, IT failure, weather event or something else, and they need to be prepared. The longer it takes to address an issue, the more the costs will spiral and the harder it will be to recover.
What is a disaster recovery plan?
A disaster recovery plan gives organisations a process for responding to a variety of incidents. Along with business continuity planning, it’s an essential strategy for managing the ever-increasing risk of disruption.
Do you need a disaster recovery plan?
Disaster recovery is effectively a form of insurance; you are spending money preparing for a scenario that you hope never occurs. The costs might seem high initially, but when disaster strikes (and it will), an effective plan could be the difference between a bad day at the office and your organisation going out of business.
Writing your plan
Geoffrey H Wold of the Disaster Recovery Journal provides a ten-step template for creating a disaster recovery plan:
1) Obtain top management commitment
Disaster recovery planning requires a lot of resources and input from the whole organisation, so you need to make sure top management is on board. They will allocate a budget and set aside the necessary help.
2) Establish a planning committee
Top management will then appoint a handful of employees to lead the planning process. This planning committee should contain representatives from all areas of the organisation, with the operations manager and data processing manager acting as key members.
3) Perform a risk assessment and business impact analysis
The planning committee’s first action should be to prepare a risk assessment and BIA (business impact analysis). This will identify the threats facing the organisation, the likelihood of them occurring and the damage each one can cause. The organisation won’t be able to plan for every threat, so the team needs to decide which ones pose the biggest problems.
4) Establish processing and operations priorities
You must evaluate and prioritise the effects of each threat on each department. Areas of your business that need to be restored urgently, or that will take time to fix, must be tackled first.
5) Determine recovery strategies
The next step is to determine how you will restore affected processes and operations. You don’t need detailed procedures at this point, only broad strokes for the best methods of addressing affected parts of your organisation.
6) Collect data
Before you can turn your recovery strategies into a fully fledged plan, you must collect information on how every department operates and what processes need to be followed in the event of each identified disruption. You’ll need contact details of regulators, power providers and key members of staff; data breach notification checklists; inventories; insurance policies; and data flow maps, to name a few things.
7) Organise and document a plan
Now that you have all the necessary information, it’s time to document your disaster recovery plan. You’ll need a plan for each threat that you face, but the framework will be the same in most instances: you’ll always need to identify and address the source of the threat, secure the physical premises, ensure staff are safe, find a temporary solution and then begin recovery.
8) Develop testing criteria and procedures
All organisational plans must be tested regularly to ensure nothing has been overlooked. But first you need to develop criteria to assess whether a test is successful. Your biggest concern will be whether your organisation actually recovers, but you should also assess, for example, whether the recovery happens within an acceptable timeframe and how much data you retain.
9) Test the plan
With the criteria in place, it’s time to perform the test. This will give you answers to questions you identified in the previous step, but you might also identify problems that you weren’t aware of. Any problems discovered in your test should be documented and addressed as soon as possible.
10) Obtain approval
The final step is to submit the plan to top management. They are ultimately responsible for all policies and procedures, so your plan can’t go into operation until it’s been approved.
What else?
You can find out more about the ways you can prepare for disaster by reading Disaster Recovery and Business Continuity. We can help you to establish disaster recovery and business continuity plans, and discover the major causes of IT failures that you need to prepare for.