What is a disaster recovery plan (DRP) and how to create one?

Disasters that affect your IT capabilities happen more often than you think, but only 6% are caused by a natural disaster. The vast majority of disasters that cause significant IT downtime are human error, hardware and software failure, and cyberattacks. There are even stories circulating that talk of how a newly hired IT technician inadvertently deleted all company data on his first day!

During the past three years, 93% of businesses have been hit by a natural or human-made disaster – and many of these organizations could not recover.  

Whether your organization is large or small, the only way to prepare for a disaster is to develop and exercise a disaster recovery plan.

An IT disaster recovery plan (DRP) is a written document that spells out the policies, step-by-step procedures, and responsibilities to recover an organization's IT systems and data and get IT operations back up and running when a disaster happens. This plan is a sub-component of the organization's Business Continuity Plan (BCP).

Once developed, the DR plan must be tested (or exercised) to ensure that the IT team can fully recover the organization's IT systems regardless of the type of disaster. 

Disasters arrive unannounced, so it is essential to get an IT DR plan in place as soon as possible. A fully operational plan will help minimize risk exposure, reduce disruption, and ensure economic stability. It will also reduce insurance premiums and potential liability, and ensure your organization complies with regulatory requirements. Most importantly, a well-executed plan can save your organization thousands – even hundreds of thousands – of dollars in the event of a disaster.

Data is a valuable asset: Customer data; financial, human resource, and R&D documents; and emails are irreplaceable. Each document represents hours of work, and the ability to retrieve it is essential. To determine how much a disaster can cost your organization, consider the cost of system downtime – the impact on employee productivity, the loss of billable hours, missed sales from a down e-commerce website, and penalties for failure to meet regulatory compliance obligations.

In a worst-case scenario, your DR plan may save your company.  

There are four types of disaster recovery plans.

With a virtual DR plan, your IT organization replicates the entire IT infrastructure and stores it on an offsite Virtual Machine (VM). Since VMs are hardware independent, you do not need the same hardware as the primary site, so you can quickly back up your systems and data to dissimilar hardware. When a disaster happens, you can failover IT operations to the offsite VM and recover from a disaster in just a few minutes. 

A disaster recovery plan helps your IT team respond to an unplanned interruption of network services during a disaster, including voice, data, internet, etc. The plan must include procedures for recovering an organization's network operations, including local area networks (LANs), wide-area networks (WANs), and wireless networks.

An unplanned interruption of network services can range from performance degradation to a complete outage.

With this type of plan, your systems and data are backed up to a public cloud located at least 150 miles from the primary site. When a disaster happens, IT can easily failover their operations to the disaster recovery site and fail back to the same or new hardware – even if that hardware is dissimilar - to resume normal operations. Public cloud DR services are available pay-as-you-go and can be accessed from anywhere.

This type of plan requires your organization to set up a separate facility only used when a disaster happens. There are three primary types of disaster recovery data centers - cold, warm, and hot.

• A cold DR site is an office or data center located away from the primary site with power, heat, air conditioning, etc. but no running IT systems. Depending on the length of the disaster, an organization may install the necessary systems after the disaster hits.
• A warm DR site offers office space and a technology infrastructure used when a disaster hits the primary site. A warm site has power, heat, air conditioning, network connectivity, and redundant hardware/software already up and running. Backups from the primary to the warm site are performed daily or weekly, which can result in some data loss. 
• A hot site offers office space and a complete replica of the primary site's IT infrastructure, systems, applications, and up-to-date data. A hot site enables rapid recovery of all business processes. It is most expensive to maintain compared to other data center types, but, for many businesses, it's the most optimal solution.

Every business needs a disaster recovery plan unique to its data requirements. To define the best approach for your business, you must weigh the value of your data, systems, and applications against the risk your organization can afford to assume. When creating disaster recovery plans, be sure to include the following steps:  

1. Establish a planning group.
2. Perform a risk assessment and define an acceptable Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
3. Prepare an inventory of IT assets.
4. Identify dependencies and establish priorities.
5. Develop recovery strategies.
6. Develop a communication plan.
7. Develop documentation, verification criteria, procedures, and responsibilities.
8. Test, test, test the plan.
9. Implement the plan.
10. Maintain the IT infrastructure.

We've outlined the basic steps in disaster recovery planning. Now, let's explore the five primary elements of a DR plan below.

A dedicated disaster recovery plan requires proper development, updates, and testing. It's best to form a dedicated disaster recovery team to cover all of those. Ideally, the team should include managers and employees from all branches of your organization.

The team's ultimate purpose is to design, develop, implement, test, and upgrade the DR plan to ensure you can recover core business services as quickly as possible following a disaster.

Moreover, the DR team should assign specific roles for each team member and their contact details in the DR plan document. The plan should also identify the first contact point (a responsible individual) in the event of a disaster.

Lastly, all company staff must have access to the detailed disaster recovery plan, know the disaster recovery processes, and understand their specific roles to cut down recovery time and quickly resume key operations after a disaster occurs.

Organizations must identify potential data risks - human-made, due to natural disaster or cyber-attacks. Restoring important systems and business operations in a disaster can reduce downtime and minimize financial and reputational loss, which is critical to your company's success.

Once you've identified the potential risks applicable to your company, you can calculate the Recovery point objective (RPO) and Recovery time objectives (RTOs). Having a precise RPO and RTO lets you manage disaster recovery systems easier, thus leading to a smooth and rapid restoration.

The next step comprises your company's critical systems - apps, data, documents, and resources. (buildings, machinery, onsite IT infrastructure, human and intellectual resources, etc.)

The DRP should focus on successful contingency planning - how to continue revenue generation and ensure cash flow as a short-term goal. In the mid-and-long term, the DRP must define how to get your entire system back up and running to resume normal operations.

You can rely on a Disaster-recovery-as-a-Service (DRaaS) to manage onsite and offsite coordination or use a robust disaster recovery solution to manage the process individually.

In both cases, you should aim to present the disaster recovery plan strategies to all data-processing personnel, assign critical business operations, outline backup operations procedures, and determine internal recovery strategies for your primary business site and emergency response procedures for your offsite disaster recovery sites.

(if you rely on a fully-equipped secondary site, you should also create an alternate hot site plan; if you rely on a mobile data center, you should implement a mobile site setup plan)

As your company grows, your DR risks and needs will also evolve. For example, if your company opens a new data center, it should be reflected in your DRP as soon as possible.

If you have more than one alternate site, it's best to use full resiliency program management. Bringing all of your information services backup procedures under one umbrella will let you design an appropriate emergency response for your data processing operations, mitigate business continuity risks, and, ultimately, enable rapid recovery to resume normal operations in the event of power outages and natural disasters.

Moreover, you will benefit from disaster recovery automation, which simplifies testing all technology recovery strategies. A tested disaster recovery plan ensures continuous innovation in line with the increased risk to your company data. Be it during power outages, natural disasters, or cyber-attacks, your organization will be prepared to restore even complex business operations rapidly.

A disaster can cause chaos and create an environment where your DR team members make mistakes. To overcome this challenge, build your list of do's and don'ts for plan development and use it before, during, and after the crisis.

Here is a quick synopsis of some of the most important “dos and don'ts.”

What not to do:

• Do not discount the importance of an IT disaster recovery plan because you have backups or have implemented high availability. You need such a plan no matter what!
• Do not consider DR an expense. It's an investment.
• Do not apply a single data protection strategy to all applications.
• Do not assume that your network can handle the traffic during an emergency. Identify alternative forms of communication if you cannot use the network.
• Do not create a DR plan just for the sake of having one or to simply satisfy executive management and your auditors.
• Do not simplify disaster recovery process milestones. It may speed up the planning phase but will rarely be optimal in the long run.

What to do:

• Be sure to get sponsorship for the DR plan from the executive team.
• Look for disaster recovery plan examples to use as a template to speed the development and improve the accuracy of your plan.
• Include key contact members from various departments in your planning committee. Include decision-makers from multiple departments - financial associates, customer service representatives, and IT personnel.
• Safeguard data not stored centrally, including data stored on desktops, laptops, and mobile devices. Also, consider the following:

1. Virtual environments
2. Application-specific agents
3. Snapshot storage requirements
4. Server activation and documentation
5. Backup and recovery

• Create a disaster recovery plan checklist to use as a quick reference when developing the DR plan and during an actual disaster. A list helps your team work quickly and perform tasks accurately.
• Perform end-user acceptance testing.
• Be sure to test a broad range of disaster scenarios regularly.
• Update and test your disaster recovery plan regularly.
• Choose a DR location that is not too close to your production site and can be remotely activated in the event of an emergency.
• Plan frequent meetings to ensure that resources are still available during a disaster.

DR addresses the recovery of IT infrastructure during or following disruptive events. DR relies on data security services to restore critical systems and complement your business continuity planning (BCP).

A good disaster recovery plan ensures you can always access essential company data. Focusing on the bigger picture, BCP encompasses all necessary precautions to safeguard your data and employees to ensure continuous business operations.

BCP focuses on optimizing your data processing system, disaster site rebuilding, enterprise resource management, and more to ensure no unforeseen event will disrupt your business processes.

Your BCP team must examine all disaster recovery plan examples created by your DR team, consult on the best one, and implement it to fortify your backup system, minimize your Recovery Time Objective, and turn the perceived disaster recovery complexity into an understandable, easy-to-follow guideline for all responsible employees.

If you are a small- to medium-sized business (SMB), consider using an IT disaster recovery plan template to help guide you and your team through the plan development process.

There are many DR and business recovery plan templates available on the internet, including templates offered by Solutions Review, Smartsheet, and template.net. You can also find IT disaster recovery templates for small businesses at SupremusGroup. 

If this is the first time your organization is developing a plan, using a DR plan template ensures you do not miss important steps in the process and eliminates the costs associated with engaging a consultant. 

You must test your disaster recovery plan and ensure you have all the elements in place for a successful test. This includes having a detailed script of test activities, ensuring that all IT components are in place and ready to use, documenting what happens during the test, and preparing a post-DR-test, after-action review.

Implementing your DR plan means you'll need to find a DR solution that fits your IT requirements and is realistic about managing and testing. Many SMBs now work with managed service providers (MSPs) who deliver and administer their IT needs – outsourcing the expense of that mission-critical expertise. Many of those MSPs offer managed DR services that are built on Acronis' disaster recovery solution. That's because, with Acronis, an MSP can add disaster recovery to your backup in a matter of minutes – so not only will you have backups that protect your data, applications, and systems, but when disaster strikes, you can spin up your IT systems in the cloud to keep your organization running. After the disaster passes, you'll be able to easily recover to the same, new, or dissimilar hardware.

How to Develop a Disaster Recovery Plan for Your IT Systems