How to Create a Disaster Recovery Plan

A disaster recovery plan is a comprehensive, documented strategy that outlines the procedures and processes to follow in the event of a disaster to ensure the continuation of business operations.

Create a Disaster Recovery Plan

9 minutes
image_pdfimage_print

A disaster recovery plan is a set of documents representing how your organization will withstand events that impact the continuity of business operations. They’re simple documents but surprisingly complex to develop. 

In part, that’s because of the importance these documents carry. They represent continuity in the face of a crisis or worst-case scenario. It’s also because a thorough disaster recovery plan requires a comprehensive quantification of business operations and their continuity objectives. 

In this article, we’ll explore what a disaster recovery plan is and how to develop and implement one. 

What Is a Disaster Recovery Plan?

A disaster recovery plan is a comprehensive, documented strategy that outlines the procedures and processes to follow in the event of a disaster to ensure the continuation of business operations. Its primary goal is to minimize disruption and ensure a swift return to normalcy. There are three primary elements:

  • Documented procedures and processes
  • A disaster
  • Continuation of business operations

The disaster recovery plan is, first and foremost, a procedure and set of processes. They’re fluid documents designed to provide a mid-level description of continuity of operations, plus detailed desk-level manuals for how to do so. 

They’re designed to be flexible, unlike rigid policies. They’re also detail-oriented. A disaster will involve situations that you couldn’t have anticipated. The document should be detailed enough to act as a checklist in the event of a crisis but not so rigid that it’s completely inflexible.

A disaster recovery plan also presumes that a disaster has occurred—a type of crisis that substantially disrupts business operations. Something short of that is an inconvenience and highlights a key distinction between the disaster recovery plan and a related document, the business continuity plan, or BCP. 

A BCP is very descriptive in that it focuses on maintaining business continuity. That can occur during operationally impactful inconveniences, like a snowstorm or flood. These types of events will impair operations but can generally be circumvented quickly. 

Business continuity maintenance is also necessary during a crisis like a complete unavailability of technology infrastructure during a ransomware attack. That becomes significantly more complicated since business typically can’t just continue as normal with a simple workaround. 

The disaster recovery plan highlights how these crises must be addressed: what systems need to be recovered, in what order, and how to operate without them. It supplements a business continuity process when an incident constitutes a “disaster” and provides additional guidance for navigating the crisis. 

Proactive planning is essential. Every organization should develop a business continuity and disaster recovery plan. Waiting until business operations are impacted and a disaster strikes to formulate a recovery strategy is a recipe for failure. In that situation, recovery teams will be scrambling to determine what to recover, when, and also addressing how to maintain operations. That adds significant inefficiencies and guesswork to an otherwise largely mitigatable situation. 

A well-prepared disaster recovery plan ensures that an organization can respond quickly and efficiently, minimizing downtime and loss. Knowing how you’ll address disaster means that you’ll be prepared to do so and focus on the recovery efforts, as identified. 

Key Components of a Disaster Recovery Plan

A comprehensive disaster recovery plan has a few different components, all of which synergize to maximize success. 

  1. Risk assessment. The risk assessment is a critical component of the disaster recovery plan. It informs the criticality of hardware, software, and business processes to your overall organizational operations. Those that are most critical to preserving core business operations and driving revenue should be recovered first. 
  2. Recovery procedures. The main purpose of a disaster recovery plan is to drive recovery of business operations. Your plan should elaborate on how to do that, even if by reference to other documentation. Your disaster recovery plan shouldn’t leave recovery objectives to the imagination. 
  3. Backups. Ideally, your recovery efforts include some level of backups. The more immutable and trustworthy the backups the better. Without reliable backups, you’re likely forced to rebuild the environment supporting business operations. That can take a long time and result in significant losses. 
  4. Communication. Being in the midst of a crisis is also the worst time to figure out how you’re going to communicate with other teams, vendors, partners, and clients or customers. Your disaster recovery plan should include, or include reference to, solid communications options and templates. 
  5. Testing. The theme of disaster recovery components has been to establish recovery processes and understand what they are. Testing and practice are the best ways to establish and fortify disaster recovery processes. The more you know your process, the better you’ll be at implementing it. What’s more, you’ll likely identify opportunities for improvement. 
  6. Maintenance. Even if you don’t test and practice, maintenance is critical to ensuring backups and critical recovery infrastructure are available when needed. It’s not enough to have backups, for example. You also need to know they’ll be available on command. 

You may want to include additional components in your disaster recovery plan. Ultimately, what makes a serviceable disaster recovery plan for your business depends on your specific needs, and you’re the expert when it comes to that. 

Remember to keep the disaster recovery plan relevant, though. Include what you need to include to alleviate and eliminate your disaster. 

Creating a Disaster Recovery Plan

Creating a comprehensive disaster recovery plan doesn’t have to be daunting. The key is to take it step by step. 

To start, you’ll want to take an application inventory. That inventory doesn’t need to be complex. Simply identify what you have and how it supports business operations. To add a layer of complexity, identify what kind of data each application has. 

Next, ask your operations staff what would happen if that application were unavailable. Their answers will inform application tiering. Tier 0 is critical; no business happens without these applications. Think core business applications for scheduling or payroll, for example. 

Not everything is Tier 0, despite what different business units say. After you poll your operations staff, you’ll want to evaluate with your senior leadership which applications are, in fact, direly critical and which applications are less critical. You can create a binary list of Tier 0 and “everything else,” or you can add levels of granularity with other tiers. Those will define the stages of your recovery efforts. 

After you tier your applications, talk to your technical teams about how to bring these applications back from collapse. Understanding how to recover your applications is more important than what applications to recover. If you don’t know how to recover your applications, you’ll have costly difficulty recovering your applications. 

At this point, you have a few different objectives to pursue, all of which have relatively the same importance and are generally pursued in parallel by different teams. The conceptual must meet the tactical and both tiering and recovery will be committed to paper. 

Communications plans are also critical to document. Typically, this will happen within a communications, marketing, or legal department. Whoever is responsible for corporate communications should be responsible for developing these plans and templates. 

Finally, training is key. If employees don’t know that a disaster recovery plan exists and what it covers, they won’t know that they should use it in a disaster. At the very least, identifying that one exists and highlighting key features is a must.

Testing and Maintaining the Disaster Recovery Plan

Testing and maintenance can be broken down into four objectives:

  1. Test the plan. Walk through the plan, even if only conceptually. Go step by step as a group and identify who is responsible for what and how they’ll be held accountable for that work. Even better, actively test backups and recover applications to a test environment. 
  2. Document the tests. Your tests will result in data, which is critical for improvement. It identifies what worked well and what needs improvement. Documenting means that you’ll be able to drive better strategy and data-based decision-making. 
  3. Update the plan. Take your test documentation and incorporate it into the plan. Rewrite the plan and identify where it’s changed. Iterative improvements are critical to maximizing recovery efficiency. 
  4. Involve the business. Too often disaster recovery plan testing occurs just within IT. Ensure that your business partners are at the table, identifying opportunities to build efficiency and efficacy. That will ensure not only comprehensive accountability but also that business objectives are appropriately incorporated. 

Implementing the Disaster Recovery Plan

This is where the rubber hits the road. Disaster has struck and you need to implement the plan. Fortunately, everyone will know what that is. Comprehensive training and drilling will help ensure implementation is a breeze. 

Step one is activating the plan. Formally declare a disaster and invoke the plan. This will help galvanize the organization to work toward continuity and recovery. 

After invoking the plan, follow your recovery processes, especially those around decision-making. Curve balls will be thrown and your organization will need to reallocate resources to accommodate. Be confident that if you follow the plan, you’ll be able to meet that adversity head-on. 

To mitigate some of the chaos and calm the nerves that come with a disaster, be ready to communicate robustly. Follow your communication plans and ensure that stakeholders are doing what they should when they should do it. 

How Pure Storage Promotes Your Disaster Recovery Plan

Effective disaster recovery requires access to backups, confidence in the integrity of those backups, and the ability to bring them to bear when you need them. Pure Storage’s solutions assure all of that, even across distributed cloud environments. 

Solutions like Purity//FA help you seamlessly manage storage and your backups whether they’re on premises or in the cloud. Purity//FA provides resilient and scalable management tools to ensure that data is appropriately managed within your secure edge. 

Pure Protect™ //DRaaS provides an immutable and resilient cloud recovery solution that gets you back on your feet fast. It guarantees clean recovery to anywhere you need it. Better yet, you can test it in a test environment that won’t impact your production environment or ability to back up. 

Hacker's Guide to Ransomware Mitigation and Recovery

Conclusion

Creating a disaster recovery plan can help ensure your business operations are up and running quickly in the face of adversity. Understanding what’s in your environment and when to recover it is key. Effectively mobilizing staff around that effort helps manage recovery times and objectives. 

Pure Storage can help. Our solutions provide effective and secure distributed storage with immutable backups available at a moment’s notice. Rest assured that Pure Storage will be ready to assist when disaster strikes.

Written By: