What would happen to your business if a disaster
were to strike? What would happen if your business were shut down for a day? For a week? For a month? At some point, if you can't do business, you'll be out
of business. You can't always prevent disasters, but having
a disaster-recovery plan (DRP) can prevent a disaster from
ruining your business.
Also known as a business continuity plan, a DRP outlines
the steps that need to be taken if an event occurs that stops
your business sites from operating. The DRP helps your business continue to function.
Preparing your company to survive a shutdown isn't
simple, but careful planning coupled with follow-through
can turn a potentially business-ending event into a temporary interruption. The Gartner Group has said that 40
percent of business enterprises that experience disaster go
out of business within five years of the event. If you want
to be in the 60 percent of businesses that survive, you must
have a DRP in place before a disaster and follow the plan if a
disaster occurs. (Gartner has done many reports on disaster
preparedness, which you can find at http://www.gartner.com/1_researchanalysis/focus/aftermath.html.)
The complexity of your disaster preparations depends on
several factors, including the size of your business. In most
cases, recovering a small business is easier than recovering a
large business. But although a large business might require
a more extensive or complex plan than a small business,
all disaster-planning processes, regardless of the size of the
business, should include the steps outlined in the sidebar "Disaster-Recovery Checklist".
A complete recovery plan includes technical, personnel,
and facilities considerations. I walk through the IT aspects
here, but remember, your plan must also adequately address
crucial facilities and personnel requirements.
Put Together Your DRP Team
The first step in creating a DRP is putting together the planning team, typically a management team that determines
what needs to be in the DRP and designates who's responsible for each part of the plan. In a small business, the DRP
team might simply be the company owner and the IT person.
In a large corporation, the DRP team might be made up
of the department heads or division vice presidents. In all
businesses, the DRP team needs to include people who are
empowered to make key decisions and who know what data
and business processes need to be protected in the event of
a crisis.
In your DRP, you need to address budgetary, organizational, and business-process requirements, and the DRP team must agree on how to handle these requirements. The
DRP team can delegate some responsibilities—for example,
the team might assign certain steps to subordinates whose
expertise covers what needs to be done—but it's crucial that
DRP team members have authority to make the decisions
necessary to implement the complete plan.
Evaluate Your Business Processes
After you have the DRP team in place, it's time to evaluate
your business processes and determine which business functions are "mission critical," which are "must-haves," which are
"nice to have," and those that aren't essential. First, identify
which business processes are needed for the business to
continue in a crisis. Then, determine the minimal technology
resources that your business needs to restore those processes.
Note that although disaster recovery is often expensive, even
in a small company, when the DRP team determines the
minimum requirements, you must be prepared to preserve
resources and not cut any resources below that minimum
level. There's little point to having a DRP that requires
redundant hardware and software systems if someone up the
corporate chain of command decides that sufficient money
or support isn't available for those resources.
When determining what equipment is needed for the
recovery plan, you'll want to point out the investments
that serve double duty. For example, you might determine
that you need to have network servers in reserve, but you
can't do much with that hardware while it waits to be used;
if you put reserve servers into service, you increase the number of systems for which you need to provide redundant
hardware. But you can maximize your investment. Although
hardware such as online and offline data-protection
systems are crucial to your DRP, you can also make them
everyday parts of your IT process. Your recovery plan might,
in this case, motivate the business to add additional capabilities and features beyond what you need for regular
backup and recovery so that the expenditure towards the
DRP is incremental. For example, you might add new
generations of backup and recovery hardware, which
improves day-to-day workflow and improves your disaster
preparedness.
The DRP team also needs to decide what level of catastrophe the business is prepared to recover from. Your DRP might
cover everything from a simple short-term telephony or
networking outage to a full-blown Hurricane Katrina–level
devastation of local public and private infrastructure. However, most plans commonly focus on catastrophes that are
the most likely (fire, flood, weather problems). Be sure to
specify the level of disaster your DRP addresses.
Detail the IT Aspects of
Disaster Recovery
In "
Backup and Recovery Basics" (January 2007), we talked about your
data backup and recovery plan. You'll want to
include that data plan in your DRP. The data-recovery plan should, at a minimum, cover
the basics of protecting your mission-critical
(and valuable) corporate data. Note that some
items that are optional in simple data-backup
plans may become requirements in DRPs. For
example, your backup and recovery plan will
likely include the ability to restore servers if they
crash. Perhaps you've even provided backup
server hardware. But as part of a good DRP, you
might want the ability to restore servers to nonidentical hardware, which would then require
extra steps in the backup and restore process.
If your business is large enough, your DRP
might include a plan for duplicate data centers,
set up as redundant sites. If your business is
large enough to have multiple data centers, you
might want extra capability at each site to intervene should a data center become unavailable.
In all cases, you need to be able to back up data
offsite so that the loss of the primary location
doesn't mean the end of your business.