Ladder

For most businesses, the consequences of a ‘disaster’ will inevitably include significant disruption and the financial implications can be crippling if suitable plans aren’t in place to minimise the impact. The economics of having a disaster recovery plan are simple – in fact not only will your investment in disaster recovery planning pay back - in terms of getting your data and IT systems back on track, it could also minimise the risks too. Here are a number of key areas that you should consider when you’re creating a disaster recovery plan:

  1. Probability firstEstablish the most likely disaster events. Sometimes it’s easy to think about events such as the headline-grabbing floods as a major risk, but if you aren’t on a flood plain, near a major water course or your server equipment is all housed on the second floor, is flooding really a contingency you need to plan for? However, a telecoms fault or power outage may be far more likely – and both could impact significantly on your daily operations.
  2. Like for likeGroup together similar types of disaster events and try to put them together to reduce the costs of planning around many different scenarios. For example, the recovery from a sustained power outage and a local telecoms failure may invoke similar recovery plans. If you’re running services in the Cloud, then your contingency plan might involve sending everyone home to work using remote access.
  1. Not all data is equalIt’s often the view that all services are absolutely critical and must be instantly recovered with zero data loss. Instead, consider the impact to the business of each individual service failure – so you can create a far more cost effective – and economically viable – disaster recovery plan. The key to this is to understand the RPO (Recovery Point Objective) and the RTO (Recovery Time Objective) for each service. For each set of data, system or application work out two simple things:1) How much data can you afford to lose and this is your RPO. It might be 5 minutes, 1 hour, 4 hours, a couple of days or none at all.2) Now consider how quickly you need to get that service back online and this is your RTO. Again it could be 5 minutes, 1 day, 5 days or as close to instant as is possible

Work out what will have the biggest impact? If you rely on email to receive the majority of your orders then email is arguably most critical. If delivering great service relies on your contact management system, then you need both the application and the data available to the frontline team. It’s the combination of RTO and RPO that will allow you to build a cost-effective and successful strategy for recovery.

Moving to a cloud-based email service could mitigate the risk, although it’s worth checking SLAs. And there are now devices on the market that allow almost instant recovery of key services and data to keep the essentials up and running.

  1. PrioritiseOnce you’ve identified the potential risks and the impact on different areas of the business, collate the information into a coherent format for review. The next step is to prioritise based on their likelihood and business impact – and of course, the cost to mitigate against each risk profile.A simple ROI formula plan will help and this is where help from your IT provider comes in. You can discuss options and budgets around each of the plans and formulate the final results into a coherent disaster recovery plan.
  2. Allocate responsibilityOne area that’s often overlooked is allocating whose responsibility it is to call it a disaster in progress and invoking the DR plan. This may sound obvious but the decision may involve multiple people or third parties.
For example, is the server really totally irrecoverable or would a quicker option be to uplift and repair the systems rather than start workplace recovery procedures – which might involve much more complexity and cost. It’s essential that everyone understand their role and the role of others in implementing the DR plan.
  1. Document itEstablish who’s responsible for documenting the DR plan – someone within the business or your IT service provider? Obviously, the document should be accessible in the event of a disaster – so copies should be held in multiple locations – and more than one person in the organisation should be aware of where to locate the plan and how to invoke it. Obviously, you need to ensure that everyone is working to the latest, definitive version and that it’s reviewed and updated on a regular basis.
The DR plan should be broken down in to different types of disaster that need to be planned for, with the relevant recovery steps, and the contact details of everyone involved in implementation including the decision makers.
  1. Clearly the main element of any disaster recovery plan is the failover procedure – i.e. how you go from a disaster situation to having usable services again. However, it’s also important to consider the failback to normal systems, especially as this could have a significant financial impact.Part of the broader business continuity plan – i.e. covering general operational issues rather than just the data and systems recovery element – may be to send everyone to a managed office with remote access to their systems. But how long are you prepared to do this? What will it cost? And how will you manage the process of reverting to normal business operation when the disaster is over? That’s what we mean by failback.
  1. Test itA disaster recovery test should be regularly planned to iron out any issues.
Some businesses plan DR tests monthly, whilst others many only do this annually. According to Aberdeen Group research, best-in-class organisations are 90% more likely to regularly test their business continuity or disaster recovery systems.

by Paul Burns, chief technology officer, at TSG