How to build a disaster management plan

Computers and IT systems are integral to every part of a business, with downtime and disruptions likely to cause productivity losses and economic damage. Whether it’s a natural event, a cyber attack, or simple human error, when disaster strikes, solutions are needed fast. In the context of IT, a disaster management plan is a set of strategies and procedures that attempt to restore hardware, software, and data in order to ensure fast and effective business recovery.

Benefits of a disaster management plan

An IT disaster management plan should always be developed to ensure fast and effective recovery. While data backup is an important part of this process, additional measures need to be taken to ensure compliance and the continuity of critical business systems. When implemented alongside a continuity plan using accurate information from a business impact analysis, disaster management has the ability to reduce data losses, minimize downtime, and promote a healthy business reputation.

Actionable steps to ensure containment and recovery

Managing an IT disaster is a complex and challenging task, with many issues to consider and lots on the line if something goes wrong. Success depends on organization and management before, during, and after the disaster takes place. While being able to react effectively to a situation is crucial, proactive measures are just as important. From carrying out a business impact analysis and documenting risk assessment through to containment and recovery, let’s take a look at the steps you need to take.

1. Business impact analysis

A comprehensive business impact analysis lies at the heart of every successful disaster management plan. It’s no use waiting until disaster strikes. An impact analysis will allow you to research the potential impact of disaster events. Businesses that understand how much they have to lose are much less likely to fail when a disruption occurs.

A business impact analysis identifies critical business functions, measures the impact of disruptive events, and defines recovery strategies. Generally carried out before a risk assessment, this analysis defines critical systems and quantifies internal and external risks that may affect business data and processes.

2. Risk assessment

Once a business impact analysis has been conducted, it’s time to carry out an IT risk assessment. While these two processes are linked, a risk assessment is more concerned with describing potential threats and measuring their likely impact on business processes and resources. A business impact analysis defines your potential losses, and a risk assessment identifies and quantifies actual disaster events. Successful disaster management requires both of these steps, with businesses able to dedicate resources more effectively when they link specific disasters with specific outcomes.

3. Respond quickly and contain

While planning and organization are all well and good, action is more important than anything else when disaster strikes. Having the ability to respond quickly and effectively is critical before additional problems develop. Check on people first if a natural disaster strikes, review physical damage to computer and network resources, and ensure open communication channels at all times. The extent of data loss often depends on how quickly you respond and contain the threat.

4. Recover and minimize downtime

When the actual threat has been neutralized, stay calm and recover quickly according to your established plan. Stay productive if possible: some businesses are able to carry out manual operations, communicate via telephone rather than computer, or bring cloud-based backup solutions online.

According to Wikibon, enterprise cloud spending is predicted to grow by 16 percent annually between 2016 and 2026. It’s important to distinguish between internal recovery and cloud-based recovery, and get access to critical business systems as quickly as possible. Downtime represents the most significant cost of disaster events, at an average of $5,600 per minute according to Gartner.

5. Protect your business reputation

An IT disaster has the potential to adversely affect your reputation, especially if it’s linked to cybercrime or network security breaches. It’s important to be proactive after a disruption event and do everything you can to protect your reputation. Regular and ongoing communication with customers and other stakeholders plays a big role at this stage, so keep people in the loop and be honest about the situation. With the right preparation and the ability to respond quickly when disaster occurs, any business can face its challenges head-on and emerge with something resembling a smile.

Your business really needs a disaster recovery plan—here’s why

According to FEMA, 40-60% of small businesses affected by disasters will never reopen their doors. Regardless of your industry, there is a lot riding on how you protect your business from disaster. You likely physically protect your business with alarm systems, cameras, and even safes. You probably also invest in protections for your data and technology systems.

A disaster recovery plan (DRP) is a tool used by successful businesses the world over to protect themselves. In this article, we’ll explain why so many businesses use it and how you will benefit from having one, too.

Anatomy of a disaster recovery plan

Let’s start by going over the core of any DRP. The details and number of points often vary, but the core of any effective plan has these points:

    1. Assess your business – Inventory your business assets and identify critical processes and functions.
    2. Determine acceptable downtime – Downtime is costly. How long can you (or your customers) afford for systems to be down? This helps determine how quickly you must restore basic operations following a disaster.
    3. Create an action plan – Create a plan to get critical functions up and running within the timeframe determined by step 2. There may be multiple plans to account for different types or scales of disasters.
    4. Determine responsibilities and communication – Who is responsible for which critical roles and essential communications? Be specific.
    5. Test and update – An untested DRP is almost as bad as no DRP. Test your DRP and find the holes and issues. Make adjustments, test again.

Get a clear picture of your business

We’ve all heard that old quip about people who “can’t see the forest for the trees”. Whether you are a details person or a big picture person, this is your opportunity to get a good look at both.

The first step in creating a disaster recovery plan is to take a step back and assess your entire business. This enables you to take a holistic view of your operation that you don’t often see when you are working in the day-to-day operations. Make the most of this opportunity to ensure that you are not duplicating efforts or leaving any one area exposed. Take a close look at every aspect of the business and get reacquainted (or get familiar) with aspects that you may not have considered recently. Start with your hardware, but consider also your infrastructure and even your partnerships.

Prepare for the inevitable

We would all like to think that we are one of the lucky businesses that will not be adversely affected by circumstances like natural disasters. The reality is, though, that even just a few hours of downtime can cause big problems for a small business. In September 2018, a cooling problem at one of Microsoft’s data centers caused an outage of over 24 hours for Azure customers in much of the US. For businesses that rely on Microsoft Azure, that downtime could have cost them dearly. A successful business is dependent on a number of systems, so it’s important to evaluate each one critically and understand the risks and damages of being compromised. A website outage is a very different problem if you’re only using the site as an advertising landing page than if you are using it to conduct daily business transactions or interactions.

Consider how a business with a DRP might have handled the Azure downtime compared to a business without one. When the event occurred, a business with a DRP would have been able to quickly assess the situation, go to the action plan, and determine the best response based on that plan. At its heart, a DRP is about minimizing losses. One day of downtime is unlikely to close your business for good, but it will still cost you. It pays to be realistic about what your priorities will be when a problem arises and how much downtime you can reasonably tolerate.

Roll with the punches

In 2016, Southwest Airlines experienced a chain of failures in critical systems that started because of a router breakdown. Over a period of less than 48 hours, they canceled hundreds of flights and delayed thousands more. The cost of lost ticket sales alone was between $5 million and $10 million. While this may seem like an extreme example, it’s relevant when you consider that the cause of all this lost revenue and two days of downtime was a simple, unforeseen hardware failure.

Downtime happens to everyone. The best and biggest service providers don’t promise 100% uptime, even as a best-case scenario. What can separate your business from the rest is what you do when downtime strikes. Will it result in a few hours of downtime or a few days?

Restoring your systems efficiently and successfully takes a lot of research and preparation. It’s likely you would rather address your disaster recovery plan while you have the foresight, time, and bandwidth, instead of when you’ve got one or multiple systems down and the pressure is on to get things back up. Investigating this kind of information and planning a response tailored to your business is easier when you consult with the experts.
