For some IT teams that are just getting started in disaster recovery planning, building a disaster recovery plan (DRP) can be quite a challenge. How do you start? What elements should you add to your disaster recovery plan?
In this article, I’m going to share with you a basic disaster recovery plan template you can customize, build on, and tailor-fit for your business. Then, I’ll explain what each section typically contains. Before we get to that, I’d like to get some things out of the way. What exactly is a disaster recovery plan? Let’s start with that first.
What Is a Disaster Recovery Plan?
A disaster recovery plan is a documented set of policies and procedures. These aim to keep your business operational during or after a disaster. It’s something your IT team and other stakeholders (senior management, department heads, regular employees, etc.) can follow when your IT infrastructure becomes immobilized.
For example, let’s say an earthquake strikes. After the initial panic, you’ll find a trail of damaged servers, network equipment, and workstations. If you’re unprepared for this scenario, you’d have to waste time planning how you can get back into action. What if you still need to purchase hardware, install operating systems, and get applications? Worse, what if you don’t have any backup copies of your data?
A disaster recovery plan helps you know exactly what to do. After the disaster, you’ll quickly put this plan into action. Ideally, you’ll also have the backup IT infrastructure to support your recovery endeavors.
Is it absolutely necessary to have a DRP in place? Yes, and here’s why.
Why You Need a Disaster Recovery Plan
Time is essential in disaster recovery (DR). Major natural and man-made disasters can incapacitate your IT infrastructure. Think about what would happen to your business in an earthquake, tsunami, flood, wildfire, or hurricane. What if your business was hit with DDoS attacks or ransomware outbreaks?
If your IT infrastructure stays down for a long time, it’ll be difficult to resume operations. Some of your employees and customers might already be gone by then. To quickly recover, you need systematic disaster recovery initiatives. Otherwise, you could end up overlooking important details and making costly mistakes. That’s where a disaster recovery plan can come in handy.
A disaster recovery plan can ensure all stakeholders are on the same page. They’ll all know exactly what to do the moment a disaster strikes. Armed with this guide, all your actions are going to be methodical. They’ll also be business-driven, not hectic and unmanaged. In this case, you can perform disaster recovery faster, more efficiently, and with fewer missteps.
Even regular employees need to know about the DR plan. Most importantly, they should also be up to date on the sections that require their participation. For example, they may need to know who to contact if they see a crisis brewing. They may also need to know where to go if they have to continue working in a disaster recovery site.
Given the importance of this plan, I’ll help you create one for your business. First, here’s an overview of this disaster recovery plan template. It’s basically just an outline, but we’ll discuss each item in the succeeding section.
Elements of a Disaster Recovery Plan
Below is an overview of the proposed disaster recovery plan template. Again, this is by no means a comprehensive DRP outline. Rather, it’s a template you can build on to suit your specific DR program. I’m presenting it to you in outline form first so that it’s easier to see the individual sections. After that, we can dive into the details.
- DRP management
- Risk management
- Recovery teams
- Disaster recovery site
- Command center
- Contact Information
- Roles and responsibilities
- Disaster response
- Detection and evaluation
- Notification of authorities
- Recovery teams mobilization
- Command center activation
- DR site activation
- Notify employees
- Damage assessment
- Crisis communication
- Insurance policies
- Financial impact assessment
- Legal issues
Some of these sections may not suit your firm. For example, you probably won’t need sections for disaster recovery sites if your business isn’t big enough to afford one. Feel free to add or remove sections according to your specific requirements.
Next, I’ll walk you through what to include in each element of your disaster recovery plan document.
Dissecting Our Disaster Recovery Plan Template
Introduction
Some first-time readers might have no idea what a DRP is about. This is where you introduce the reader (presumably your employees and other stakeholders) to the document. Explain what the document contains. Clarify when the readers will need to apply the DRP, and provide other relevant information. This will help everyone know what to expect.
Objectives
Even if your readers already know what your document is about, some of them might not be aware of its importance. This is where you present the purpose of your disaster recovery plan. Explain the existence of various threats and how they may impact your business. Follow that up with an explanation of how the disaster recovery plan helps mitigate the risks involved. This section aims to help the reader appreciate the value of this document. It also helps them see the importance of your DRP as a whole.
Disaster Recovery Management
Undoubtedly, your disaster recovery plan should be properly documented. This section specifies all administrative aspects of the DRP document itself. That includes development, distribution, testing, and maintenance.
The succeeding subsections are mostly a guide for your disaster recovery team and senior management. They clarify everything about the DRP document’s administration.
Disaster Recovery Team
The disaster recovery team is composed of individuals tasked with developing, distributing, testing, and maintaining your DRP document. Ideally, it should be headed by someone from senior management, e.g. your CFO. It should also be well represented by various departments. This is to ensure your DRP takes into consideration all risks and risk-mitigation capabilities across your company. Enter all pertinent details about your DR team here. Mostly mention who they are and explain their roles in disaster recovery.
Disaster Recovery Distribution
People in your business need to know exactly where they can find the policies and procedures of your DRP. In this section, specify who’s in charge of creating digital and hard copies of your DRP. State where those copies will be stored. Make sure each member of your disaster recovery team has at least two copies—one onsite and another in their homes. This will ensure they’ll have access to the DRP when the need arises.
Disaster Recovery Testing
You’ll never know how effective your plan is until you’ve tested it. The effectiveness of your plan can also diminish as the threat landscape evolves. That’s why you need to test regularly. In this section, explain why you need to test your DRP and how often your company should carry out tests. Finally, include how you plan to conduct these tests. This section will remind readers of the importance of testing. It can also serve as a reference for people who need to audit your DRP.
Disaster Recovery Maintenance
The threat and business landscape changes with time. Technologies change as well. In turn, your disaster recovery plan should be a living document. It should evolve with those changes. In this section, specify why and how you’re going to carry out updates to your DRP. For example, you can include a stipulation that your DR team will meet annually to reassess your DRP. Mention that you’ll also update the DRP based on their findings.
Disaster Recovery Preparations
One of the key ingredients of an effective disaster recovery plan is preparation. Make sure everything you need whenever your DRP has to be activated is in place. In this section, cover all aspects of preparation. That includes threat management, backup plans, contact information, etc. This can serve as a guide and reference for stakeholders, especially your DR team members and senior management.
Risk Management
Every business can be impacted by a unique set of threats. Risk management allows you to identify what threats are most likely to hit you. It also helps you take precautionary measures to mitigate those risks. In this section, specify why and how risk management (including risk assessments and risk mitigation) must be carried out.
Recovery Teams
This is different from your disaster recovery team. Recovery teams are the technical teams that recover specific areas of your IT infrastructure. For example, you’d have a recovery team for networks, another team for desktops, another for servers, and so on. Make sure each team is skilled in the technologies they are assigned to and specify those assignments here. That way, other members of your company will also know who to talk to if they have an issue with a particular area.
Backups play a crucial role in disaster recovery. Unless you have data backups, you’d have nothing to work with if your main site is out of commission. In this section, include provisions for your backup strategy. You’d typically specify backup schedules, solutions, and methods (e.g., offsite or cloud-based backups). It’s also important to note any privacy concerns, and the adequacy of data privacy controls in the backup facility.
Disaster Recovery Site
A disaster recovery site is a facility located in a separate geographical location. Your employees should be able to use it if your main site becomes completely inoperable. Not everyone can afford a DR site, but if you have one, this section should state where it is and its type (cold site or hot site). Finally, list who’s eligible to use it (mostly employees handling mission-critical processes) and other pertinent details.
Ideally, this would be a comprehensive set of procedures to recover each set of components of your IT infrastructure. For example, you’d have a subsection detailing a set of procedures for desktop recovery. You’d also have another for server recovery, another for data recovery, and so on.
Command Center
If your main site becomes inoperable, you need a single source of information and instructions. This will be your command center. A command center will ensure you can still coordinate all members of your company. It also won’t leave anyone in the dark. In this section, specify the where, how, and who about your command center.
Contact Information
To quickly mobilize your DR team, you need to maintain a contact list with all team members. That list should go into this section. All other relevant internal (e.g., recovery team captains, senior management, etc.) and external contacts (emergency services such as fire department, hospital, police, etc.) should also be included here.
Roles and Responsibilities
This section defines the roles of everyone involved in your disaster recovery plan. Specify the responsibilities of individuals and groups, especially during disaster response. For example, you can specify the people in charge of disaster detection, evacuation, recovery, damage assessment, communications, legal issues, and so on.
Disaster Response
The Disaster Response section contains all your policies and procedures that come into play once a disaster occurs. It typically contains protocols regarding emergency detection, emergency services notification, recovery team mobilization, and so on. Your DR team can refer to these sections for guidance. Even other employees who may be inadvertently involved in a disaster should refer to this section. You can also use this as a reference when conducting DR testing.
Detection and Evaluation
Normally, you’d only activate your DRP after certain triggering events. For example, your DRP activates after a total loss of power, flooding inside your facilities, or a complete network outage. In this section, define what criteria classify an event as a trigger. In addition, you should also specify who’s authorized to assess an event and determine whether or not it’s triggering.
Notification of Authorities
Here, you specify who’s in charge of contacting the fire department, police department, hospital, and other emergency services. You should also include these services’ contact numbers again. Even if you’ve placed this information in the Contact Information section, include it again here for easy access.
Recovery Teams Mobilization
This is where you outline the policies and procedures for mobilizing your recovery teams. Include your team captains’ contact information here. You should also provide the alternate team captains’ info.
Command Center Activation
In this section, you’d define the protocols for activating your command center. You’ll also want to specify your command center’s contact information (phone numbers, email address, URL, etc.). If employees can reach the command center via a messaging platform (e.g., Facebook Messenger, Signal, Discord, etc.), you should also add that information here.
Disaster Recovery Site Activation
If you have a disaster recovery site, this is where you detail the policies and procedures for activating that site. You should also specify who will be in charge of the DR site. Provide their contact information and the site’s address. If the site location is fixed, it helps to include a map and corresponding directions relative to your current location.
Notify Employees
Generally speaking, department heads have to contact members of their department and relay all pertinent information. For example, they should clarify the next steps, command center contact information, disaster recovery site contact information, and so on. If a department head is unavailable or if certain employees don’t belong to a particular department, designated personnel can do this task instead. This section should provide all details pertinent to this aspect.
Damage Assessment
Damage assessment should be conducted by a team composed of people from property management, IT, and other departments. These teams can, in effect, determine the extent of the damage sustained by mission-critical applications, equipment, offices, and facilities. In this section, you’d typically define who’s in charge of conducting damage assessment. You’ll also detail the policies and procedures relevant to this exercise.
Crisis Communication
Designated staff (preferably from the communications department) will have to craft appropriate messaging in relation to the crisis. Then, they should relay that to the general public. They can do this through traditional media (e.g., TV, radio, newspapers) or modern channels (e.g., official website, social media). You might also want to employ a mass emergency notification system. This section should specify the policies and procedures that govern crisis communications.
Insurance Policies
Your company may have insurance policies that may come into play after a disaster. This section should contain a list of all relevant insurance policies. For example, mention policies like Errors & Omissions (E&O), Directors and Officers (D&O), and others. In addition, this section should include each policy’s coverage type, coverage period, amount of coverage, the person responsible for the coverage, etc. Lastly, it should specify who needs to contact the appropriate insurance company. Also specify who will coordinate with damage assessors and file the appropriate claim forms.
Financial Impact Assessment
Every disaster results in financial loss. That means you need to deal with that systematically. This section defines the policies and procedures for conducting financial assessments. It also discusses meeting financial requirements. Specify who should conduct the financial assessments, what items they should assess, and what financial needs they should address.
Legal Issues
The damages from the disaster may also affect your customers severely. For example, if you’re part of a supply chain, any extended downtime at your end can cause financial losses to other companies. As a result, some of them might very well file a lawsuit against you. This section should cover all policies and procedures dealing with potential legal issues that might arise.
Before we end, allow me to share some tips that can further improve your disaster recovery plan.
- Try to send an advisory to customers when you see an ongoing disaster is bound to cause delays. This will allow them to take an appropriate plan of action.
- Implement precautionary measures to prevent or minimize the impact of a disaster. For example, you can adopt strong cybersecurity to prevent ransomware outbreaks.
- Prioritize DR preparations. It can spell the difference between a successful DR response and a failure.
- Conduct employee workshops/training on DR. This will increase employee awareness and ability to respond. In turn, this will improve the effectiveness of your DRP.
- Aim to adopt virtualization. It can greatly simplify certain DR initiatives, such as instituting redundancy or building a DR site.
Developing a disaster recovery plan isn’t easy, especially if you have no idea where to start. In this article, I covered some of the key elements of a DRP document. First, you should start with the introduction and objectives. Then, include development and disaster response, and continue your plan all the way down to financial and legal issues. Hopefully, this disaster recovery plan template has given you enough information to build your own DRP.
As mentioned earlier, this template is by no means complete. You’ll need to customize it and make it your own. Add (or remove) more sections and subsections as you see fit. In the end, you should have everything in place to implement an effective disaster recovery program. That way, you’ll recover very quickly if a disaster manages to incapacitate your IT infrastructure.
Have more questions related to disaster recovery? Check out the FAQ and Resources below!
What are man-made disasters?
Man-made disasters are highly destructive, business-impacting events caused by intentional or unintentional human actions. Examples of these events include accidental fires, arson, acts of terrorism or war, ransomware attacks, and DDoS attacks. Many of these events (e.g. ransomware outbreaks and DDoS attacks) specifically target IT infrastructures. Some even aim to cause outages or completely destroy the targeted systems.
What are natural disasters?
Natural disasters are highly destructive, business-impacting events caused by environmental factors. That could include earthquakes, floods, tsunamis, hurricanes, wildfires, polar vortices, and pandemics. Even though these disasters don’t specifically target IT infrastructures, they can still damage some companies’ IT infrastructure. Incorporating natural disasters in your risk assessments can improve the effectiveness of your DRP.
What is the difference between threats and risks?
Threats are entities that have the potential to inflict harm. They could, for example, target your business. Risk, on the other hand, considers how likely a threat is to affect your business. Even if a threat exists, the level of risk it poses may vary depending on various conditions.
What is the difference between risk management, assessment, and mitigation?
Risk management is a discipline that includes risk assessment and risk mitigation. Risk assessment is the process of identifying threats and calculating the level of risk each one poses to a given subject. Finally, risk mitigation is the process of minimizing the impact of a given threat. A complete risk management program would involve both risk assessment and risk mitigation.
What is the difference between a cold site and a hot site?
A cold site is the most basic type of disaster recovery site. It only includes provisions for power and physical space to support your backup IT infrastructure. It doesn’t include the IT infrastructure itself. A hot site, on the other hand, is a complete facility that has everything you need to resume operations. Naturally, a hot site is more expensive than a cold site.
TechGenix: Article on Cloud Disaster Recovery Options
Discover various options for cloud disaster recovery solutions.
TechGenix: Guide for Surviving IT emergencies
Enhance your capabilities for surviving IT emergencies.
TechGenix: Guide to Azure Site Recovery
Dive into the details of Azure’s disaster-recovery-as-a-service offering.
TechGenix: Article on the Top Disaster Recovery Services
Find out about the top disaster recovery services for businesses of every size.
TechGenix: Article on the Top DRaaS Solutions
Discover the top Disaster Recovery as a Service (DRaaS) Options for 2022.