Disaster Recovery Planning and Testing: 7 Steps to a better DR Plan
Monday, March 10th, 2008Our experience as IT Consultants has shown that Disaster Recovery (DR) plans are often inadequate to effect full recovery of critical business systems. The frequency of testing is also low and these two factors combine to create an unnecessarily high risk for business. This fact, coupled with the increased requirements for reporting on DR in the forthcoming Isle of Man Financial Services Act 2008 has placed disaster recovery back on the agenda for many Isle of Man company directors and business leaders. A recent Institute of Directors survey of SME’s also places DR and Security high on the priority list for action.
In the event of a disaster situation, you need to be certain that you can recover your critical business data and continue to run your business. So in order to help companies improve their Business Continuity planning, I would like to share with you a simple seven step framework for designing, implementing and maintaining your own Disaster Recovery plan.
1. DR Policy
The policy details why you have a plan, who is responsible for it and how is is to be resourced. Legal and Statutory obligations usually feature at key points within your policy statement. It is also important to remember that your policy should encompass people, process and technology.
2. Risk Analysis
Identify failure risks and categorise these by impact - where possible these should be expressed in financial terms. Look out for cascade effects and dependencies between systems - where the failure of one single step has a knock on effect on many others. Performing Risk Analysis (also known as Business Impact Analysis or BIA), allows you to concentrate your resources where they can create the greatest impact.
3. Controls and Preventative Measures
Many simple and cost effective methods can be employed to reduce the risk of failure. Look for single points of failure and balance the cost of implementation against the risk of failure.
4. Recovery Strategy
This is your high level document that should specify Disaster Scenarios and how you will respond to them. Typical scenarios might include: Pandemic Flu, Building Lockout, Server Failure, Power failure. The strategy document sets the targets for the DR team to meet. You must skip the detail at this stage and concentrate on objectives. In Disaster recovery parlance, the most useful here are Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). You should also consider here how you will communicate with your staff, customers, press and other stakeholders and how you will decide to invoke your DR plan. You should also consider creating a core DR team made up from representatives of each area of the business.
5. Detailed Recovery Planning
For each of the scenarios specified in the Recovery Strategy, a detailed recovery plan is drawn up. The outputs from this step are comprehensive plans for how you will achieve the strategic objectives. All areas of the business need to contribute and show that they have plans in place and that your staff are aware of how these will work in practice. Typical things to consider are data backup, telephone and telecommunications arrangements, office space, insurance. You will need to be able to demonstrate compliance with the legal and statutory requirements of your particular industry sector. All of these arrangements must be documented and lastly and most importantly, be made available off-site. You do not want your recovery plans to be locked in a building you no longer have access to!
6. Test the Plan
Once you have created your DR plan, you must test it. In some industry sectors this is a requirement that must be met annually. If you can arrange for independent testing then do so, as it can be difficult for those closely associated with the creation of the plan to remain objective when testing it. If your business is large enough you can form two DR teams, one to create and one to test. Tests can be desk-based, partial recovery or full recovery.
7. Maintaining the Plan
Change happens! As a result, disaster recovery plans must change too. Because you keep a copy of your disaster recovery plan in multiple locations, you need to make sure each copy remains current. Too often we find that planning for DR is something we do after a new business project is implemented. Embedding DR planning into your project management process will mean that new projects will trigger the requirement to maintain the plan.
If you require any assistance with your own disaster recovery planning and testing, KDR Ebusiness can help. Our experience can help you to meet your statutory requirements and reduce the business risks you face. If you already have an in-house team, we can provide an independent, external audit and test of your existing plan.
Bookmark to:
