You can't protect your business unless you know what systems it relies on and how important they are to it. In the risk assessment phase, identify your critical systems and measure their importance to your key business processes. Document the threats facing those systems and log the impact to those processes if the threats materialise. This assessment may turn up unexpected weaknesses. For example, you may find an unprotected hard drive with no backup managing client files that could stop a contract cold if it failed.
Armed with this information, you can calculate your disaster recovery objectives. There are two main metrics to consider: the recovery time objective (RTO), and the recovery point objective (RPO).
The RTO defines how quickly you want to get operations up and running again. Some critical functions may need an instantaneous failover. For non-critical systems, a few hours might be sufficient. Depending on the complexity of the system, shorter RTOs might carry a greater cost.
The RPO defines the point from which you want to restore your data, and therefore how much of it you are willing to lose during a disaster. An RPO of one hour means that you could restore your data to its state 60 minutes before the disaster, for example.
Now comes the tricky part. A disaster recovery plan extends beyond just your data. It includes the people that use that data, the facilities they work in, the equipment they use, and the processes they follow. A disaster may affect your suppliers and your customers. Your plan should include all of these elements and define how they interact when a disaster hits.
With this in mind, define a disaster recovery team responsible for handling tasks such as situation assessments, choosing which plan to implement, and managing different strands of that plan including things like site relocation and data recovery. You may have different disaster recovery plans for incidents like natural disasters, disease epidemics, catastrophic workplace accidents, or computer outages. Each should have a flowchart in place showing the steps necessary for mitigation and recovery. For example, a flood that takes out your data room could trigger a plan that verifies data backups and begins a switchover to an alternate server at another location, while relocating staff to a backup office, or even to their homes.
From a data perspective, your disaster recovery plan will include a backup and restore strategy. Options here include real-time data replication or periodic 'grandfather-father-son' backups that keep multiple copies of your data for different time periods. You can manage your own backups between different sites, or take advantage of disaster recovery as a service (DRaaS), which uses cloud infrastructure to manage your backup and restoration. The advantage of DRaaS is that you can use it to not only restore your data but also spin up virtual servers in the cloud to provide alternate computing capabilities during a disaster.
Finally, make sure that you test your disaster recovery plan regularly. You don't need to simulate a company-wide blackout every month; test small parts of your disaster recovery strategy to minimise disruption while ensuring that each works smoothly. With DRaaS, you can test data restoration easily thanks to built-in tools designed for that process.
Businesses know that disasters can happen, but everyday firefighting frequently puts planning on the back burner. Don't put off a proper disaster recovery plan until tomorrow. Dedicate the staff and time to doing it properly. Hopefully, you'll never need to use it, but at the very least, this protection will give you valuable peace of mind.