Disaster Recovery Planning and Risk Management

Balancing disaster recovery planning with risk management will save your company money in the long run while offering adequate protection from the most likely disasters. Ideally, a disaster recovery plan will protect your company from every foreseeable disaster and return your company to full operations in the shortest possible amount of time. Unfortunately, this is cost-prohibitive. You simply cannot afford to protect your organization against every possible disaster. Selecting which scenarios to protect your company against, and how to protect it, is called risk management.

Disaster Recovery with Risk Management

One company thought that storing their daily data backup in a fireproof safe in the basement was adequate protection against a disaster. That thinking changed when there was a flood and seven days later it was discovered that the safe was not waterproof. Statistics show that 75% of the businesses that experience a significant disaster fail within six months.

Remember that your company is a series of interconnected systems. If a disaster disables any one of those systems it could bring your entire company to a standstill. Arbitrarily picking one area to protect and not another will doom your company if disaster strikes. Therefore, concentrate your disaster recovery planning efforts on business continuation.

The hardest part of disaster recovery planning is asking your employees on the disaster recovery planning team to work through different disaster scenarios. You actually have to think of what bad things could happen to your company. When defining disaster scenarios, think in terms of what area of your company will be affected and how long that area will be out of operation.

The scope of disaster examples:

  • An isolated area of your operations/office/building:
    • Extended duration: fire in closet destroys phone system, water pipe breaks over servers
    • Short duration: flu bug infects customer service department
  • Entire operations/office/building:
    • Extended duration: fire destroys entire office, shooter on-site, computer virus attack
    • Short duration: sewage backup causes an evacuation, computer virus attack
  • Isolated small geographic area (e.g. approximately a city block):
    • Extended duration: flood, tornado, civil unrest
    • Short duration: power loss, police action
  • Large geographic area (e.g. entire city or several counties):
    • Extended duration: hurricane, earthquake, wildfire
    • Short duration: power outage, storm

Data Backup Planning Is Essential for Disaster Recovery

Any disaster recovery plan must take into account people, property, and priorities. By this, we mean the employees that are essential to bring operations back online, with the necessary equipment and resources to do their jobs, in the order that best facilitates the recovery of the company.

In addition to all of this, you must have your data backups accessible in a timely manner in order to restore them to your recovery servers. The best solution is to store your data backups in multiple offsite locations. This can quickly become a logistical and security nightmare if you have a significant volume of data.

One affordable solution is to use the Internet to back up your data. iSCSI is a technology that uses the Internet to transport your data to backup devices located in various geographic locations. iSCSI stands for 'Internet Small Computer System Interface'. Originally developed for storage area networks that ran over Ethernet, it can now run over any IP-based network, including the Internet.

Also, remember laptops and portable devices that carry critical data for your company. If these devices are lost, stolen or destroyed, this too can seriously impact your company. Plan a backup strategy that covers devices like these in order to minimize the impact on your company.

Risk Management Balances Cost with Speed of Recovery

A comprehensive disaster recovery plan will take into consideration different scenarios for recovery and their associated one-time and annual costs. The more disaster scenarios you cover, the more expensive it will be to implement. Each scenario that is covered should include an estimate of the time it will take to bring your company's operations back online. It's not cheap, but it's like buying insurance; nobody wants to use it but you're sure glad it's there when you need it. Your budget for disaster recovery should include each of the three steps: planning, implementation, and testing. Also, for each disaster scenario check with your insurance carrier to verify what is covered, what is excluded, and if recovery/relocation costs are included.

Budget for the Most Likely Scenarios

As previously stated, it is cost-prohibitive to plan for each and every type of disaster that could possibly impact your business. Spend your money wisely in order to cover the disasters that are most likely to occur to your business. Take an objective look and try not to get caught up in the headlines of the day. For example, terrorism seems to be at the top of the news lately, but it is one of the most unlikely events to occur in the United States. If you live in the Northeast, a snowstorm is more likely to impact your business for a few days. In Florida, a hurricane can hit. In California, earthquakes can be a real concern.

Also, budget for the physical security of your business during the disaster. This may include relocating contract employees from an area that was not affected by the disaster.

Finally, create a plan to buy the resources necessary to communicate with your employees during and after the disaster. This may include cell phones, walkie-talkies, or directions to listen to local radio stations for further instructions.

Test Your Plan Routinely to Reduce Risk

Creating the plan is meaningless if it is never tested. Testing the plan once is not enough either. Testing should be done at least annually, but it doesn't have to be a full execution of the disaster recovery plan. Individual pieces may be tested independently as long as all pieces are tested at least annually. For example, over one weekend your key IT employees could fly to your designated offsite location and ensure that your backups can be recovered in a quick and timely manner. The next month, accounting can make sure that a supply of all critical forms (paychecks, invoices, etc.) is stored in an offsite location that is easily accessible in order to ensure the continuity of the business. Execute this methodology for each section of your disaster recovery plan at least once a year.

Check Your Disaster Recovery Plan for Completeness

As stated earlier, your business is a chain of interconnected systems. If one link is missing, the whole system may not work. Seek a trusted friend or business acquaintance who can review your plan for completeness. Your disaster recovery plan should include data, employees, facilities, network, communications equipment, notification strategies to vendors and a communication plan for your customers.

Take Into Account the Human Factor

Finally, all of us are human, with emotions, husbands, wives, families, homes, cars, etc. Depending upon the type of disaster that strikes, people may have other priorities at the moment. If it's a widespread disaster (like a severe hurricane), people may be tending to family priorities like injuries and damaged homes. If it is a "shooter on the premises", the emotional toll on your employees may seem insurmountable. Take this into account when planning for your disaster recovery. Remember to use all assets that are available to you. It may be as simple as relocating employees temporarily from a location that is not affected.