
10 important steps to consider when drafting a Disaster Recovery Plan

By 13th May 2021 | Security

Turrito takes Disaster Recovery very seriously.  Our solutions for Disaster Recovery protect your business-critical workloads and instantly recover your business-critical applications and data no matter the disaster.  

The purpose of drafting a Disaster Recovery (DR) plan is to assist a business in reducing downtime and restoring business continuity when a disaster strikes. When drafting such a plan and policy, you should consider these 10 steps.

Business Critical Applications 

To build a disaster recovery plan and process, you need to take stock of your current business applications and rank them according to the severity of the impact on the business if an application were to go down. This will help guide your disaster recovery plan in terms of how quickly important business workloads need to be recovered and who is responsible for these workloads.

Business Critical Data 

Where is your business-critical data like client information stored? Doing a recon of your data storage solutions will help you in understanding what failover solutions your business will need when building your disaster recovery plan. Ask yourself how important it is to your business to access this data quickly – how long can you afford to not access your data? 

How long can your business afford to not have access in the event of a disaster? 

Figuring out how long your business can afford to not have access to data and business-critical applications is the most important step in drafting your DR plan. This step will guide everything from your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) to the system you use for DR. We discuss RTO and RPO further down.

This necessary step must be revisited on an annual basis as your business changes. When working out the impact and cost of business interruption, you should consider these factors:  

  • How will your clients, suppliers and users react to a disruption in business-critical applications and data?  
  • How will other activities in the business be impacted by a disruption? For example, your sales team might still be able to make calls, but your accounts team can’t send quotes.  
  • How will the disruption impact your business reputation?  
  • Very importantly, how much revenue does your business stand to lose from a disruption?  
  • Are there any legal or contractual ramifications imposed on your business if there is a disruption in services? At what cost to your business? 
  • What are the costs associated with any additional services, overtime and expenses when a disaster occurs?

Janco and Associates have put together a useful table that you can use to understand the cost of a disaster on your business:  

Setting Disaster Recovery Plan Objectives 

As with any business plan or policy your business has, a DR plan must include objectives in line with your major business objectives and goals. For example, “The primary objective of this Disaster Recovery Plan is to ensure the continued operation of identified class 1 and class 2 systems in the event of a disaster or a catastrophic event.”

Some DR goals that you can include in your plan are:  

  • Minimizing downtime 
  • Clear communication with senior management 
  • Document the DR to record the effectiveness of the DR Plan.  

Recovery Time Objective (RTO) and Recovery Point Objective (RPO) 

To understand your business requirements, Turrito looks at RTO and RPO. If you require a low RTO, we would suggest a failover server with replication (usually off-site or in another secure building). If you cannot afford any downtime, we would build highly available systems for you. Understandably, the shorter your RTO requirement, the more it costs the business, so you need to weigh the cost impact to the business, as discussed above, against the cost of the solution. You also need to consider services and how staff connect and work, so your RTO disaster recovery solution might include connectivity, networks and so on.

When it comes to RPO, for example, if your business requires a low RTO but a very recent RPO, Turrito would suggest cloud back-ups, but we would need to set the incremental backup to run more often to achieve the low RPO. If your business requires a low RTO and RPO, you could use replication or high availability with snapshot technology on Hyper-V to provide this solution. These are all examples of RPO and RTO, and your RPO and RTO will depend entirely on your business needs.

Other systems such as Azure, Acronis and Redstor can provide some options as well which we will discuss in the next step.  

There are many types of Disaster Recovery plans and picking the right one for your business can be overwhelming. As each business is different, it is important to understand the choices available to you to pick the plan that best suits your business needs. According to the Solutions Review, the top four DR plans are Data Center DR, Cloud-based DR, Virtualisation DR and DRaaS.  

Data Center Recovery  

A Data Center Disaster Recovery site is a facility your business can use to recover and restore your technology infrastructure. With this solution, your DR plan is not just limited to the facility it’s housed in. The entire facility building plays a large role in DR. Features within the building such as support, physical security and power backup all play a role in your DR plan. In the event of a disaster, all the features in the data centre must be in working order and, if they are, your technology is at lower risk against a disaster. Unfortunately, this doesn’t protect you if a natural disaster impacts the facility.

Cloud-Based Disaster Recovery  

A cloud-based DR plan allows your business to cut costs by using a cloud provider’s (think Microsoft’s Azure) data centre, rather than spending money on your own data centre, which can be extremely costly. Your business can also benefit from the competition in the cloud-based solutions market as cloud providers continue to best each other. Before choosing a cloud-based DR, you need to address any challenges the provider may have with your backup and recovery objectives. Most of the time, the cloud provider can assist you in fixing backup and recovery problems as part of your DR plan.

According to Neil Edmonds, Technical Manager at Turrito, “DR is getting easier with cloud solutions. Azure and Vodacom for example are based on a Highly available platform by default. Software as a service and so on is making it much easier for IT people.” 

Virtualization Disaster Recovery 

If you choose to go with a virtualization DR plan for your business it nullifies the need to reconstruct your physical server when a disaster strikes. As mentioned in the RTO section, your business would be able to achieve your targeted RTO easily.  

Disaster Recovery as a Service (DRaaS) 

The as-a-service model has made many aspects of information and communication technology easier. Most DRaaS solutions are cloud-based; however, it completely depends on the DRaaS solution provider you choose to go with. Providers like Turrito offer solutions based on your business and site-to-site needs. A benefit of using DRaaS as your DR plan is that cloud-based DR can enable your users to access failover applications immediately, adapt failback to rebuilt servers and reconnect users through your business’s VPN. When choosing a DRaaS provider, you need to be aware that some providers have their own DR products while others use a host of tools from vendors. You should always enquire who the provider’s partners are and which products they are using to make sure they suit your business requirements and your RTO and RPO. Another helpful tip when going this route is to ask where the provider’s or vendors’ data centre resources are, to give insight into what their capabilities are in the event of a regional disaster.

Building your DR Policy and Procedure 

Now that you have outlined your business-critical workloads, data, measured the cost of a disaster, set your objectives and considered the DR solutions available, it is time to write your DR policy and procedure. This document will be crucial in outlining your DR plan and parties responsible for all aspects of your DR.  

When drafting the policy, we recommend you include the following:  

  • Purpose and scope of the policy: In this section, you will include a summary of the policy, define disasters, why the policy is needed and what the plan must include based on your business needs.  
  • Distribution list: This section of your policy includes your elected disaster recovery team members and their contact details.  
  • Planned Objectives: These are the objectives you outlined above.  
  • Recovery Teams and Responsibilities: This section includes the Disaster Recovery Team Charter and IT Operations Team Charter.
    • Disaster Recovery Team Charter: The disaster recovery plan must contain a disaster recovery team charter outlining the responsibilities of your disaster recovery team. For example:
      • Identifying the computing services recovery sequence in order of importance.  
      • Managing the recovery teams. 
      • Managing communication with senior management and users. 
    • IT Operations Team Charter: The Disaster Recovery Plan must contain an IT operations team charter outlining the responsibilities of your IT operations team. For example:
      • Providing ongoing technical support 
      • Restoring local and wide-area data communications.  
      • Restoring data libraries and databases.  
      • Coordinating user groups to aid the recovery of data 
  • Recovery Scenarios: In your DR plan you should make provision for the 2 types of disasters: minor damage and major damage. You should define what constitutes a minor and major disaster and what actions to take.
    • Minor Damage: In this type of disaster, only a part of your IT environment is out of action but your communication tools and the network are still running.
    • Major Damage: In this type of disaster, all or the majority of your IT environment is out of action.
    • Scenario Considerations: For each type of disaster, you need to set up an overview of high-level tasks and assignments within your business. For example:  
  • Recovery Activities: Your plan should include DR activities with relevant timelines. This may vary based on your business needs and objectives. We recommend you break this down into 3 sections:  
    • Immediate Tasks 
    • Within 3 hours 
    • Within 24 hours 
  • Data Storage Location(s): You must include your data storage/vault locations where backups are stored in your DR plan.  
  • Critical Business Systems: Your DR plan must include critical systems classed as Class 1 or Class 2. A class 1 system would be classed as critical and a class 2 system would be classed as important. Based on this, class 1 systems would take priority over your class 2 systems in the recovery process.
  • Suppliers: A supplier list in your DR policy would need to include all critical business services, who supplies the service to your business and the primary contact of that supplier.  
  • Inventories: Include an inventory list in your DR policy so that the recovery team can use it when initiating recovery. A good idea is to use an asset register and give access to your recovery team.  
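
An added example, not from the original article or from Turrito: a Python check that applies the RTO/RPO reasoning and the class 1 / class 2 recovery priority described above to a system inventory. The field names, the sample inventory and the restore times are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class System:
    name: str
    dr_class: int               # 1 = critical, 2 = important (the article's classes)
    rto: timedelta              # maximum tolerable downtime
    rpo: timedelta              # maximum tolerable data loss
    backup_interval: timedelta  # how often the incremental backup runs
    last_backup: datetime       # last successful backup (assumed field)
    est_restore: timedelta      # restore time seen in the last DR test (assumed field)

def dr_gaps(systems, now):
    """Return {name: [reasons]} for systems whose backups cannot meet RPO or RTO."""
    findings = {}
    for s in systems:
        reasons = []
        # Worst case the disaster strikes just before the next backup runs,
        # so the schedule alone can lose up to one full interval of data.
        if s.backup_interval > s.rpo:
            reasons.append("backup interval exceeds RPO")
        # A schedule that looks fine on paper does not help if jobs are failing.
        if now - s.last_backup > s.rpo:
            reasons.append("last successful backup older than RPO")
        if s.est_restore > s.rto:
            reasons.append("tested restore time exceeds RTO")
        if reasons:
            findings[s.name] = reasons
    return findings

def recovery_sequence(systems):
    """Class 1 before class 2; within a class, shortest RTO first."""
    return [s.name for s in sorted(systems, key=lambda s: (s.dr_class, s.rto))]

def hours(n):
    return timedelta(hours=n)

# Constructed sample inventory, not real data.
NOW = datetime(2021, 5, 13, 12, 0)
INVENTORY = [
    System("file-share", 2, hours(24), hours(24), hours(24), NOW - hours(20), hours(6)),
    System("accounts-db", 1, hours(4), hours(1), hours(24), NOW - hours(3), hours(2)),
    System("email", 1, hours(2), hours(4), hours(1), NOW - hours(9), hours(3)),
    System("crm", 1, hours(8), hours(4), hours(2), NOW - hours(1), hours(5)),
]

if __name__ == "__main__":
    print("Recovery order:", recovery_sequence(INVENTORY))
    for name, reasons in dr_gaps(INVENTORY, NOW).items():
        print(f"{name}: {'; '.join(reasons)}")
```
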

Creating a Disaster Recovery Plan for your business can be time-consuming and difficult but it doesn’t have to be unachievable. By working with managed service providers like Turrito, your business will be able to have a Disaster Recovery approach that suits your business and protects your data from cyber-attacks, natural disasters and even simple human error.  
