When disaster strikes, whether it’s a natural calamity or an unexpected system failure, the consequences can be devastating. It’s easy to think, “That won’t happen to us,” but the truth is that disasters can happen to any organization, and the impact can be severe. Disaster recovery planning (DRP) is not just a good business practice — it’s a necessity.

Understanding the Reality of Disasters

Jon William Toigo, an expert in disaster recovery, highlights some startling statistics in his comprehensive book on the subject:

• Financial Impact: Organizations typically lose 2–3% of their gross revenue during just eight days of a computer center outage.
• Irrecoverable Losses: Companies experiencing more than 10 days of downtime often find it impossible to fully recover financially.
• Probability of Disruption: While the likelihood of a disaster affecting a data center is less than 7%, the broader risk of some form of operational disruption is significant.

These statistics underscore the importance of having a well-thought-out DRP. For small and medium-sized businesses, the absence of such a plan can be catastrophic, leading to severe financial losses and, in the worst cases, a complete shutdown.

The Hard Truth: Many Organizations Aren’t Prepared

Unfortunately, many small and medium-sized businesses fail to prioritize disaster recovery planning. Often, they rely on basic backup procedures that may not be sufficient during significant events like fires, floods, or earthquakes. Larger organizations, particularly those in highly regulated industries like finance or chemicals, are more likely to have DRPs in place due to legal requirements.

This chapter isn’t about teaching you how to create a DRP from scratch. Instead, it provides key insights into managing the development of an effective DRP.

Consequences of Not Having a DRP

The risks of not having a disaster recovery plan are severe:

• Severe Financial Losses: Business operations can grind to a halt, leading to significant revenue loss.
• Liability for Damages: Stakeholders may seek compensation for the disruptions caused by a lack of preparedness.
• Escalation of Minor Issues: Small incidents can quickly spiral into major disasters due to inadequate response strategies.

Benefits of a Well-Designed DRP

Having a robust DRP offers several advantages:

• Rational Response to Disasters: Enables a calm, effective reaction when disaster strikes.
• Comprehensive Coverage: Ensures all aspects of the business are considered, including technology, operations, people, and processes (BTOPP model).
• Tested Procedures: Provides a roadmap of tested actions that can be swiftly implemented during a crisis.
• Potential Insurance Savings: A solid DRP might even reduce insurance premiums.

A secondary benefit of a well-executed DRP is that it often doubles as a form of business process reengineering (BPR). Analyzing key processes to design protective measures frequently uncovers opportunities for cost savings and efficiency improvements.

Steps to Take Next

If you’re an IT manager, your first challenge is often convincing business stakeholders of the real risks and the necessity of investing in disaster recovery. Here’s how you can build your case:

1. Research Legal Requirements: Determine if federal or state laws mandate DRP for your industry. In some countries, these regulations are strict.
2. Gather Data: Collect statistics from external research groups to support your case.
3. Use Internal Auditors: Leverage insights from auditors who may already have DRP-related information from their work with other service providers.
4. Explain the Costs: Outline the costs of the proposed plan based on the risks and potential losses, including lost sales opportunities, customer dissatisfaction, fines, and legal expenses. Use average employee salaries to calculate the cost of downtime.
5. Consider BPR Savings: Highlight potential cost savings from process improvements that could offset the expense of DRP.

The second major step is ensuring the DRP covers the entire BTOPP model. A DRP that only focuses on IT technology is insufficient; you also need to consider the organizational, personnel, and process elements. This means addressing:

• Office Equipment: Ensure the availability of essential office supplies like fax machines, phones, forms, and other items.
• Facilities: Plan for the relocation of offices, desks, and other necessary furniture.
• Reference Materials: Secure access to essential reference materials like price books and catalogs.
• Communication: Establish protocols for informing staff and coordinating their move to alternate work sites.

The third step is selecting a qualified DRP designer and system. Look for the following indicators of competence:

• Experience: Verify the designer’s track record by contacting previous clients.
• Tools and Techniques: Ensure they have the right tools for risk assessment, modeling, documentation, and testing.
• Focus on Critical Processes: The plan should concentrate on critical business continuity areas, making management and cost control more straightforward.
• Ease of Maintenance: Maintaining the DRP should be as simple as possible. Consider using available software tools to manage this process.

The fourth step involves reaching an agreement with the DRP consultant. Follow the guidelines outlined in Chapter 10 (SLAs) and Chapter 15 (Managing Consultants) to ensure the process runs smoothly. Key points include:

• Identify Risks and Probabilities: Ensure all risks and their likelihoods are clearly identified.
• Reflect Likely Failures: The DRP should focus on scenarios that are most likely to occur.
• Focus on Critical Processes: Ensure the plan addresses essential processes, not minor or irrelevant ones.
• Comprehensive Coverage: Make sure the DRP encompasses all aspects of the BTOPP model.

Keep the Plan Manageable

It’s essential to remember the wisdom of military strategist Moltke: “In general, only plan for what is necessary, and avoid planning for the unforeseeable.” When a disaster strikes, you’ll realize that, like in war, there’s no universal method, and flexibility is crucial.

Your DRP should provide clear guidelines and adaptable procedures, rather than rigid instructions that may not fit the situation. As you develop your plan, ensure it adheres to the principles outlined in Chapter 9. The process should be gradual and involve regular validation at key milestones, starting with the initial analysis and risk assessment.

Having a DRP, even a basic one, is crucial for preventing hasty, uncoordinated actions during a crisis. To create a functional and reliable DRP, study Toigo’s book and other available resources, consult with experts, and keep the process straightforward while considering all BTOPP dimensions.

Checklist for DRP

1. Do You Have a DRP in Place? Ensure you have a plan that addresses potential disasters.
2. Offsite Copies: Are there offsite copies of the DRP? This is crucial for recovery in case of a major site-wide disaster.
3. Comprehensive Coverage: Does your DRP include non-technical items like office supplies, forms, and essential documentation?
4. Relocation Needs: Have you accounted for the logistics of moving to a recovery site?
5. Communication Plan: Is there a plan for communicating with the media, customers, staff, and suppliers during a disaster?
6. BTOPP Consideration: Does the DRP consider all BTOPP dimensions, beyond just IT?
7. Cost Modeling: Have you modeled the costs of implementing the DRP, as well as the costs of not having one?
8. Process Integration: Does the DRP integrate with new or re-engineered business processes?
9. Detailed Asset List: Is there an accurate and comprehensive list of all organizational assets in the DRP?

By following these steps and ensuring your DRP is thorough, you’ll be better prepared to handle whatever disasters may come your way, protecting your business from the severe consequences of unplanned downtime.

Join the Newsletter

Subscribe to get our latest content by email.

Subscribe

We won't send you spam. Unsubscribe at any time.

Built with Kit