Disaster-Preparedness Checklist

What would happen to your business if a disasterwere to strike? What would happen if your business were shut down for a day? For a week? For a month? At some point, if you can't do business, you'll be outof business. You can't always prevent disasters, but havinga disaster-recovery plan (DRP) can prevent a disaster fromruining your business.

Also known as a business continuity plan, a DRP outlinesthe steps that need to be taken if an event occurs that stopsyour business sites from operating. The DRP helps your business continue to function.

Preparing your company to survive a shutdown isn't simple, but careful planning coupled with follow-through can turn a potentially business-ending event into a temporary interruption. The Gartner Group has said that 40percent of business enterprises that experience disaster goout of business within five years of the event. If you wantto be in the 60 percent of businesses that survive, you musthave a DRP in place before a disaster and follow the plan if adisaster occurs. (Gartner has done many reports on disasterpreparedness, which you can find at http://www.gartner.com/1_researchanalysis/focus/aftermath.html.)

The complexity of your disaster preparations depends onseveral factors, including the size of your business. In mostcases, recovering a small business is easier than recovering alarge business. But although a large business might requirea more extensive or complex plan than a small business,all disaster-planning processes, regardless of the size of thebusiness, should include the steps outlined in the sidebar "Disaster-Recovery Checklist".

A complete recovery plan includes technical, personnel,and facilities considerations. I walk through the IT aspectshere, but remember, your plan must also adequately addresscrucial facilities and personnel requirements.

Put Together Your DRP Team
The first step in creating a DRP is putting together the planning team, typically a management team that determines what needs to be in the DRP and designates who's responsible for each part of the plan. In a small business, the DRP team might simply be the company owner and the IT person. In a large corporation, the DRP team might be made up of the department heads or division vice presidents. In all businesses, the DRP team needs to include people who are empowered to make key decisions and who know what data and business processes need to be protected in the event ofa crisis.

In your DRP, you need to address budgetary, organizational, and business-process requirements, and the DRP team must agree on how to handle these requirements. TheDRP team can delegate some responsibilities—for example,the team might assign certain steps to subordinates whoseexpertise covers what needs to be done—but it's crucial thatDRP team members have authority to make the decisionsnecessary to implement the complete plan.

Evaluate Your Business Processes
After you have the DRP team in place, it's time to evaluateyour business processes and determine which business functions are "mission critical," which are "must-haves," which are"nice to have," and those that aren't essential. First, identifywhich business processes are needed for the business tocontinue in a crisis. Then, determine the minimal technologyresources that your business needs to restore those processes.Note that although disaster recovery is often expensive, evenin a small company, when the DRP team determines theminimum requirements, you must be prepared to preserveresources and not cut any resources below that minimumlevel. There's little point to having a DRP that requiresredundant hardware and software systems if someone up thecorporate chain of command decides that sufficient moneyor support isn't available for those resources.

When determining what equipment is needed for therecovery plan, you'll want to point out the investments that serve double duty. For example, you might determinethat you need to have network servers in reserve, but youcan't do much with that hardware while it waits to be used;if you put reserve servers into service, you increase the number of systems for which you need to provide redundanthardware. But you can maximize your investment. Althoughhardware such as online and offline data-protection systems are crucial to your DRP, you can also make themeveryday parts of your IT process. Your recovery plan might, in this case, motivate the business to add additional capabilities and features beyond what you need for regular backup and recovery so that the expenditure towards theDRP is incremental. For example, you might add newgenerations of backup and recovery hardware, whichimproves day-to-day workflow and improves your disasterpreparedness.

The DRP team also needs to decide what level of catastrophe the business is prepared to recover from. Your DRP mightcover everything from a simple short-term telephony ornetworking outage to a full-blown Hurricane Katrina–leveldevastation of local public and private infrastructure. However, most plans commonly focus on catastrophes that arethe most likely (fire, flood, weather problems). Be sure tospecify the level of disaster your DRP addresses.

Detail the IT Aspects ofDisaster Recovery
In "Backup and Recovery Basics" (January 2007), we talked about your data backup and recovery plan. You'll want toinclude that data plan in your DRP. The data-recovery plan should, at a minimum, coverthe basics of protecting your mission-critical(and valuable) corporate data. Note that someitems that are optional in simple data-backupplans may become requirements in DRPs. Forexample, your backup and recovery plan willlikely include the ability to restore servers if theycrash. Perhaps you've even provided backupserver hardware. But as part of a good DRP, youmight want the ability to restore servers to nonidentical hardware, which would then requireextra steps in the backup and restore process.

If your business is large enough, your DRPmight include a plan for duplicate data centers,set up as redundant sites. If your business islarge enough to have multiple data centers, youmight want extra capability at each site to intervene should a data center become unavailable.In all cases, you need to be able to back up dataoffsite so that the loss of the primary locationdoesn't mean the end of your business.

Offsite data storage can range from the low end (an employee is responsible for taking the daily backup tapes to a secure offsite location) to the high end (sufficient network bandwidth is available to allow for real-time data replication to offsite storage). Internet-based backup and recovery systems can serve a dual purpose, providing regular backup and recovery services along with a reliable and secure offsite location for mission-critical corporate data.

Test and Implement the Disaster-Recovery Plan
You've decided what aspects of your business to protect and how you're going to protect them. Now you're ready to test and implement the DRP. This means documenting each DRP task, outlining the order in which the tasks should be carried out, designating the person responsible for seeing each task is completed, specifying who manages the entire DRP operation, and testing the entire DRP.

After you roll out any additional hardware or software, you'll want to walk through the entire DRP, making sure that the planning documentation matches the actual recovery process. This is the time to make necessary changes to the plan or to the technology. Remember, as you make changes, you'll want to re-confirm previous steps to make sure that they still apply. Having a DRP is not a one-time event: You need to keep working through the DRP until you achieve repeatable, consistent results.

When you're certain that the DRP works and that the documentation accurately reflects the process, you're ready to have the DRP team approve the final version of the DRP. Then, you're ready to distribute the plan as appropriate, in whole or in part, to all affected parties. Also, be sure you have secure offsite storage for printed copies of the detailed DRP.

The Ongoing DRP Process
Even though you now have a DRP in place, you've only just begun the disaster-recovery process. Very few businesses are static, so as business changes, your DRP will also change. As with any business-critical activity, testing and maintaining your DRP is an ongoing process. As you add technology to your business, you must determine how the new technology affects the DRP, then change the DRP and associated processes as necessary. Changes in the way you do business can also affect the DRP, so be sure that you alter the DRP to reflect any changes to business workflow. Regularly evaluate your plan—how often you evaluate depends on how fast and how often the business changes. Simply documenting changes is unlikely to be sufficient. Your DRP should be tightly integrated into your business model—any changes to the business also mean that the DRP will change and need to be updated and re-tested.

The job of the DRP planning team continues as well. The composition of the team may change somewhat after a functional DRP is in place, but the DRP team still needs to organize the management and maintenance of the DRP. Regularly scheduled DRP team meetings can give multiple departments the chance to interact and the opportunity to provide recommendations for current and future updates of the DRP and its processes. Continuing involvement with the DRP team also helps remind business staff of the ongoing importance of having an up-to-date disaster-recovery plan.

Various analysts studying disaster recovery have noted that nearly 50 percent of all large companies lack any sort of comprehensive DRP, with that number climbing closer to 80 percent when small businesses are included in the calculation (for more information, see http://www.gartner.com/1_researchanalysis/focus/aftermath.html). Every business, regardless of size, can benefit from having a DRP. Defining what needs to happen in the event of an emergency lets you gain some control over a crisis that might otherwise put you out of business. Implementing a DRP, even on a small scale, can make the difference between business survival and failure.