Creating an effective disaster recovery plan

A disaster recovery plan minimises downtime and staff disruption, giving you a tested plan to get things back as quickly as possible and allowing staff to focus their efforts on making a difference.

Technology is not perfect. At some stage, every organisation will have its technology services disrupted. A disaster recovery plan minimises downtime and staff disruption, giving you a tested plan to get things back as quickly as possible and allowing staff to focus their efforts on making a difference – not on struggling to help people without critical information systems.

Disaster Recovery Plan activities are initiated by a disaster event. After discovery of an incident, a nominated individual will take ownership of the recovery activities, often in collaboration with a Disaster Recovery Team or key technology suppliers. They will activate the Disaster Recovery Plan.  

 

There are five primary steps to developing a Disaster Recovery Plan: 

  1. Pre-planning activities: 

  • Get the right buy-in: top leadership must support and be involved in the development of the disaster recovery planning process. Management must nominate an individual to coordinate the development of the Disaster Recovery Plan and ensure its effectiveness to enable an organisation to recover in the event of a disaster. 

  • Establish a planning committee: a planning committee should be appointed to oversee the development and implementation of the plan. The planning committee should include representatives from all functional areas of the organisation. Key committee members should include the Operations Manager and an IT Representative. The committee should include representatives from key areas of the organisation such as information systems, IT/digital technology support, systems development, operations, communications, and key business units.

  • Identify objectives: identify what the organisation aims to achieve in the event of a disaster. For example, the objective of having a disaster recovery plan is to minimise the duration of a serious disruption to operations and resources (both information processing and other resources) and to prepare technology personnel to respond effectively in disaster recovery situations.

  • Scope: identify in-scope or out-of-scope infrastructure, equipment, IT systems and information services in the plan. 
     

  2. Key information services and IT systems: identify key information services and IT systems that the organisation depends upon for the delivery of its products and services. Perform a high-level impact analysis outlining the availability requirements for these systems e.g., a certain IT system must be accessible within 24 hours, email systems must be operational within 4 hours.

  • Determine the maximum acceptable limits to disruption that the organisation can cope with in terms of downtime/service level and then identify required Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for key IT systems and services.   

    RPO refers to the maximum length of time before a disaster for which data may be lost, i.e. how far back the most recent restorable data may date from; e.g., an RPO of 24 hours means that the maximum data loss in the event of a disaster will be 24 hours of data. RTO refers to the maximum time taken to recover from a disaster e.g., an RTO of 8 hours means that an IT system will be back online within 8 hours.

    The illustration shows the relationship between the RPO and RTO. 

  • Determine the data backup arrangements in place and/or the Service Level Agreements (SLAs) in place with your IT provider for the delivery of these IT services.

  • Based upon the identified RPO and RTO, and a comparison with data backup arrangements and Service Level Agreements, determine if additional measures are required to ensure the operations of the organisation can be recovered within required timeframes based on cost/benefit. 

  3. Risk assessment: there are a number of potential disruptive threats which can occur at any time and affect normal organisational operations. The potential disasters can be flood, fire, electrical power failure, cyber incident, loss of internet connectivity, and more.

    Identify threats to IT services/systems (e.g., loss of Internet, loss of power, cyber security incident) and document these as scenarios that could impact key IT services/systems. 

  4. Document the Disaster Recovery Plan: depending on the IT systems and services, the plan must include the following:

  • Disaster recovery team and responsibilities: in the event of a disaster, different groups will be required to assist and restore normal functionality to the operations of the organisation. The different groups and their responsibilities should be identified such as: 

    • Disaster Recovery Lead(s) 

    • Senior Leadership Team

    • Technical coordination team (network, server, applications, operations). 

  • Disaster Recovery Call Tree: this refers to a layered hierarchical communication model that is used to notify specific individuals of any disasters. In a disaster recovery or business continuity emergency, time is of the essence, so organisations make use of a Call Tree to ensure that appropriate individuals are contacted in a timely manner.

  • Communicating during a disaster: identify all internal and external stakeholders requiring notification of the disaster, including the details that will be communicated to the various stakeholder groups. 

  • Dealing with a disaster: outline the steps to be followed to activate the disaster recovery plan in the event of a disaster, including stakeholder communications and restoring IT system functionality. 
     

  5. Exercising the disaster recovery plan: it is key to ensure that IT systems and services can be restored as expected, and to perform a test to check this. This may require validation by your IT support provider or the provider of your key IT systems.
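
The comparison of RPO/RTO targets against backup arrangements in step 2, and the exercise in step 5, can be checked against evidence rather than the backup schedule on paper. The following is an added example, not part of the original guide or its template; the function names, the backup log and the restore timings are constructed assumptions, while the 24-hour RPO and 8-hour RTO are the guide's own example figures.

```python
from datetime import datetime, timedelta

def worst_data_loss(backups, window_end):
    """Longest stretch without a successful backup = worst-case data loss."""
    good = sorted(t for t, ok in backups if ok)
    if not good:
        return None  # nothing restorable in the window
    points = good + [window_end]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def assess(target, backups, restore_tests, window_end):
    """Return findings where observed evidence misses the RPO/RTO targets."""
    findings = []
    loss = worst_data_loss(backups, window_end)
    if loss is None:
        findings.append("RPO: no successful backup in window")
    elif loss > target["rpo"]:
        findings.append(f"RPO: worst-case loss {loss} exceeds {target['rpo']}")
    if not restore_tests:
        findings.append("RTO: restore never exercised")
    elif max(restore_tests) > target["rto"]:
        findings.append(
            f"RTO: slowest restore {max(restore_tests)} exceeds {target['rto']}")
    return findings

# Constructed sample: nightly 01:00 backups over five days; the third night failed.
DAY1 = datetime(2024, 3, 4, 1, 0)
NIGHTLY = [(DAY1 + timedelta(days=d), d != 2) for d in range(5)]
WINDOW_END = DAY1 + timedelta(days=4, hours=11)  # midday after the last backup

# Targets use the guide's example figures: RPO 24 hours, RTO 8 hours.
TARGET = {"rpo": timedelta(hours=24), "rto": timedelta(hours=8)}
# Constructed restore timings measured in two recovery exercises.
RESTORE_TESTS = [timedelta(hours=3), timedelta(hours=9)]

if __name__ == "__main__":
    for finding in assess(TARGET, NIGHTLY, RESTORE_TESTS, WINDOW_END):
        print(finding)
```

A single failed nightly job doubles the exposure to 48 hours even though the schedule nominally meets a 24-hour RPO, which is why the check uses job outcomes rather than the planned interval.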

 

Download the Disaster Recovery Plan template. Follow the above steps to customise it to meet your organisation's requirements.

For more details on the requirements and principles to consider for technology disaster recovery planning, listen to the recorded webinar here: Disaster Preparedness for Nonprofit Organizations 202: Preparedness Plan for the Technology. Please note that this is a paid recording.
