What is a Disaster Recovery Plan (DRP) and How Do You Create One?
A company's response to both planned and unplanned changes can have a significant effect on its reputation, both with internal partners and external customers. Thorough response strategies prevent damage to this reputation, maintain the morale of your staff and prevent financial risks related to being ill-prepared.
Changes to a business's operations, such as a cyber attack, natural disaster or power outage, must be well planned for and anticipated in advance.
Disaster Recovery Plans (sometimes referred to as DRPs) are the actual steps that a business puts in place for responding to a catastrophic event. Disaster recovery involves a business's measures to respond to an event and return to safe, regular operation as quickly as possible.
This is where important documents such as the following can help:
Each document is important and should be considered by every business, though not all will be required for some. All documents on their own play an important role in a company’s response strategy.
In this article, we focus on the Disaster Recovery Plan and aim to answer some of the most common questions including:
- What is a disaster recovery plan?
- What is the difference between an incident response plan, a business continuity plan and a disaster recovery plan?
- What are the benefits of a disaster recovery plan?
- Who should create a DSP?
- What does a robust disaster recovery plan typically include?
- How do you test your disaster recovery plan?
- How often should a disaster recovery plan be reviewed, tested or updated?
A Disaster Recovery Plan (DRP) is the steps implemented by a business in response to a major event. It outlines in detail the steps that will be taken in order to resume regular business operations and return to safe conditions whilst protecting a business's IT infrastructure. Having a DRP in place enables the restoration of data from data backup systems.
It should be noted that a Disaster Recovery Plan and a Disaster Recovery Policy are NOT the same things. Many people confuse the two terms and use them interchangeably, so finding a clear definition of either one can be challenging
There are 3 main goals that a Disaster Recovery Plan sets out to achieve:
- Protect an organisation's IT infrastructure and essential data systems required for a business to operate
- Detect any potential threats to a business's data in the event of a disaster
- Prevent damage associated with loss of data and ensure backups are regularly done to make important data retrievable
What is the difference between an Incident Response Plan, a Business Continuity Plan and a Disaster Recovery Plan?
Not all businesses will require all of this documentation, however, each company should at least consider whether or not it would be beneficial. The majority of small businesses might only require a Business Continuity Plan (BCP). Often you’ll find a DRP created in conjunction with a BCP, despite them covering different aspects.
Whilst the Disaster Recovery Plan focuses on the actual steps that a business puts in place for responding to a catastrophic event to return to normal operations efficiently, it is useful to be aware of what the other plans cover.
- Disaster Recovery Policy: Disaster Recovery Policies are a high level strategy document which defines how an organisation will react to a catastrophic incident, such as cybercrime, natural disaster, fire, or pandemic, and communicate a commitment to taking disaster recovery seriously.
- Business Continuity Plan (BCP): Allowing the business to operate as normal during a disaster until it is resolved. For example, if there is a power cut and payments cannot be carried out, they might switch to writing customer payment details down on paper.
- Disaster Recovery Plans: Disaster Recovery Plans (sometimes referred to as DRPs) are the actual steps that a business puts in place for responding to a catastrophic event. Disaster recovery involves a business's measures to respond to an event and return to safe, regular operation as quickly as possible.
- Incident Response Plan (IRP): You might also see this referred to as Incident Management Plan (IMP). This usually refers to environments with a larger IT infrastructure that requires data to be protected and recovered for operations to keep being carried out. They define exactly how to solve the problem.
All documentation (including DRP, BCP and IRP) falls under the Disaster Recovery Policy. This is a high-level statement and set of policies which define how an organisation will respond to a major incident.
The following example scenario may help to explain how they all fit together. Please bear in mind that this is a very simplified explanation and that in reality, the needs of an individual organisation can change this picture somewhat.
Example Scenario - Port Authority Suffers a Fire
Picture a major port authority on the English coast, from where a number of ferry companies operate routes to continental Europe. Thousands of passengers and tonnes of freight pass through the port every day. Cruise ships, vehicle and passenger ferries, tankers and fishing vessels all rely on a range of complex IT, ticketing and handling systems to carry out their commercial operations.
Then disaster strikes. An unknown cause leads to a fire within some port buildings resulting in smoke spreading across the site and a potential safety risk to people and vessels.
The port authority will have a Disaster Recovery Policy, which is the high level strategy document outlining how it will react and deal with a range of incidents so this will be the first port of call (no pun intended). This will help them identify the relevant disaster recovery plan for a given scenario.
The Disaster Recovery Plan itself then gives more specific detail on the steps to be taken, and the action necessary both at the time of the incident and in the immediate aftermath.
Assuming the initial evaluation determines there is no significant risk to life or property within the main operating area of the port, the decision may be made to continue to operate, at least in the short term, especially if the fire can be contained to non-essential areas. This is where the Business Continuity Plan kicks in.
The Business Continuity Plan contains information on how the port can continue to operate at as close to normal levels as possible to minimise impacts both on passengers, ferry operators, and the port revenues.
The BCP might include a pre-defined alternative traffic routing pattern which diverts vehicles away from different sectors of the port depending on where an incident occurs. Similarly, it is likely to provide information on how to process bookings offline; such as if the on-site computer systems have gone down as a result of lost power due to the fire.
Once the issue has been fully resolved, the Disaster Recovery Plan includes information about how to review the incident and improve processes if necessary.
As more organisations become dependent on technology, in the event of an unplanned event, such as a power outage or data breach, an ill-prepared company can suffer severe repercussions This is why implementing a Disaster Recovery Plan is so important and can be so beneficial as it:
- Significantly improve incident recovery times by ensuring you have already considered “what if” scenarios in advance, and have robust plans, procedures and checks in place designed to streamline recovery steps
- Reduces stress on staff as there is less need to troubleshoot on-the-fly
- Improves cost efficiency by implementing preventative measures to reduce the financial risks associated with disasters. Detection methods are designed to rapidly identify issues when they occur and corrective measures are used to restore essential data to resume operations.
- Increases productivity by having trained staff with designated roles and responsibilities. This helps with organising recovery processes and allows the return of staff productivity swiftly.
- Improves customer retention by helping a business to meet and maintain a higher quality level of service in every possible situation.
- Maintains compliance with industry regulations.
- Enables scalability by enhancing and simplifying recovery processes into detailed guidelines to follow.
You’ll often find larger organisations (especially those that are ISO-compliant) will have a Disaster Recovery Policy, whereas smaller businesses will often roll their Disaster Recovery Plan and Policy into one Business Continuity Plan.
In terms of the internal structure of the organisation, the roles and responsibilities of specific staff will need to be documented and assigned. These individuals should be trained and know exactly what to do in response to a disaster. All staff within the company should be aware of both the Disaster Recovery Plan and Policy, as well as how a business will continue to operate.
In order for an organisation to develop a successful DRP, it’ll need to consider several aspects. This could vary between organisations but some important considerations should include:
- Risk assessment - A list of all potential risks and reasons for downtime.
- Creating an inventory of assets - What assets are crucial to the continuation of business operations, both on the premises and in terms of data systems and storage?
- Cost downtime - What are the critical needs of the business and what is the cost (to both reputation and finances) of not being able to operate if they’re lost? Organisations can then invest in preventative measures.
- List of responsibilities - Who is responsible for each aspect of the Disaster Recovery Plan and what is their role both immediately after an incident occurs and actions taken once issues have been resolved?
- List of internal communications - Who needs to be notified after a disaster occurs and what information requires relaying?
- List of disaster recovery sites - A ‘host’ recovery site should be designated with alternative data centres holding all critical systems.
- Restoration processes - A comprehensive list of steps that need to be taken to get the businesses back online and restore data.
- Review backup processes - Sensitive systems should be regularly backed up to reduce the risks of them being lost. The risk of being unable to recover data systems should also be documented.
- Regular updates - DRPs will need updating every time there is a change within the organisation to their IT infrastructure and data changes.
To test your DRP, an organisation will need to develop a list of criteria and procedures that cover how the plan will be tested. This is essential to ensure that the plan covers all bases and identifies areas which need modifications. An initial ‘dry run’ should be carried out to understand where potential gaps in the DRP lie.
There are different types of tests an organisation can carry out, such as
- Checklists tests
- Full interruption tests
- Parallel tests
- Simulation tests
It is recommended that a Disaster Recovery Plan should be reviewed annually, or whenever changes are made to the organisation, and that any Business Continuity Plans are tested twice annually. This helps to ensure that everything is accurate and up-to-date, and reduces the risks of any unplanned scenarios.
How to get help with creating a Disaster Recovery Plan?
Organisations are constantly changing and evolving so it's important that any Disaster Recovery Plans are regularly reviewed and updated. If your plans and procedures are not up to date, or you simply don’t have any at all, it might be time to call in some expert help to conduct a review.
We understand that no two organisations' needs are identical, so we offer support tailored to your unique needs.
Get in touch for a tailored quote