No matter how big or small your business, it’s probably fair to say that you rely on IT to function. And all IT, whether it comes in the form of a mobile device, an email server or a cloud-based application, is susceptible to failure.
This is an increasingly big deal. According to a December study from EMC, data loss and downtime cost companies worldwide a massive $1.7 trillion (£1 trillion) in 2014. Moreover, a 2013 report from the Ponemon Institute and Emerson Network Power pegged the per-minute cost of data centre downtime at an astonishing $7,900 (£5,000). In today’s data-dependent world, the failure to bounce back from an IT outage could be enough to kill your business.
The practice of preparing for downtime, and of taking steps to ensure a speedy return to normality, is called disaster recovery (DR) planning. Unfortunately, it’s not always a walk in the park to create an effective DR plan, particularly when you’re only a small business. Doing it well requires time, knowledge and expertise, and measuring ROI can be difficult.
Luckily, help is available. A quick Google search should turn up a raft of free resources for organisations to use in the DR planning process, including DR plan templates that span a broad spectrum in terms of length and complexity. We’ve even created one of our own: the Kroll Ontrack small business DR plan template.
What is a disaster recovery plan, anyway?
A DR plan consists of the policies and procedures that a given entity – in your case, your business – will follow when IT services are disrupted. This could happen because of a natural disaster, or as a result of technological failure or human factors such as sabotage or terrorism. The basic idea is to restore the affected business processes as quickly as possible, whether by bringing disrupted services back online or by switching to a contingency system.
Your DR plan should take into account the following:
- IT services: Which business processes are supported by which systems? What are the risks?
- People: Who are the stakeholders, on both the business and IT side, in a given DR process?
- Suppliers: Which external suppliers would you need to contact in the event of an IT outage? Your data recovery provider, for example.
- Locations: Where will you work if your normal premises are rendered inaccessible?
- Testing: How will you test the DR plan?
- Training: What training and documentation will be provided to end users?
At the centre of most DR plans are two all-important KPIs, which are typically applied individually to different IT services: recovery point objective (RPO) and recovery time objective (RTO). Don’t be confused by the jargon, because they’re very simple:
- RPO: The maximum age of a backup before it ceases to be useful. If you can afford to lose a day’s worth of data in a given system, you set an RPO of 24 hours.
- RTO: The maximum amount of time that should be allowed to elapse before the backup is implemented and normal services are resumed.
Structuring the perfect disaster recovery plan
Even a small business DR plan can be a lengthy and complex document. However, most follow a similar structure, encompassing definitions, duties, step-by-step response procedures and maintenance activities. In our template, we’ve used the following outline:
- Introduction: A summary of the objectives and scope of the plan, including IT services and locations covered, RPOs and RTOs for different services, and testing and maintenance activities. Also includes a revision history to track changes.
- Roles and responsibilities: A list of the internal and external stakeholders involved in each DR process covered, complete with their contact details and a description of their duties.
- Incident response: When should the DR plan be triggered, and how and when should employees, management, partners and customers be notified?
- DR procedures: Once the DR plan is triggered, the stakeholders can start to action a DR process for each affected IT service. In this section, those procedures are set out step-by-step.
- Appendices: A collection of any other lists, forms and documents relevant to the DR plan, such as details on alternate work locations, insurance policies, and the storage and distribution of DR resources.
Keeping your disaster recovery plan alive
Like any policy document, a DR plan is useless if it spends most of its life sitting in a drawer somewhere. There’s no point in creating one if you’re not going to allocate sufficient resources to training staff on the existence of the plan, as well as what their own roles and responsibilities would be in the event of an IT outage.
Keeping it up to date is important, too. As time passes and your business grows, you’ll need to accommodate new systems and IT services in your DR plan. Be sure to notify any affected stakeholders when you do this.
Finally, it’s fundamentally important that you test your DR plan and know whether your RPO and RTO KPIs are viable, or even whether your procedures are fit for purpose at all. It can be tempting to test your DR plan in stages, but don’t neglect to test it in its entirety from time to time, too – it’ll show you if different processes cause friction when they run concurrently, as well as if there’s anything you’ve failed to account for.