What is a Disaster Recovery Policy and How Do You Create One?
How you respond during an expected or critical change in your organisation's operational capacity can significantly affect your reputation with external clients and partners, as well as the morale of your staff.
Much of the success is determined by how well you have anticipated and planned for such circumstances, whether that be recovering from a data issue such as a cyber attack, a major event at your premises such as a fire or flood, or a loss of key personnel.
This is where important documents such as the following can help:
- Disaster Recovery Policy
- Disaster Recovery Plans
- Incident Response Plan
- Business Continuity Plans
Each has an important role to play. Some may not be required for most businesses, but all should at least be considered.
In this article, we focus on the Disaster Recovery Policy and aim to answer some of the most common questions including:
- What is a Disaster Recovery Policy?
- How is a Disaster Recovery Policy different from other plans and policies?
- What are the benefits of a Disaster Recovery Policy?
- Who should create a Disaster Recovery Policy?
- What should a robust Disaster Recovery Policy include?
- How often should you update a Disaster Recovery Policy?
- How to get help with creating a Disaster Recovery Policy
What is a Disaster Recovery Policy?
A Disaster Recovery Policy is a high-level statement and set of policies which define how an organisation will respond to a major incident. In some cases it may also identify an organisation’s critical assets needed to ensure that it can continue to operate in the event of an unexpected disaster. Where there are multiple assets, an organisation may opt to link from the policy document to a regularly updated master spreadsheet of assets such as file servers, web servers, firewalls, routers, PCs, laptops, etc.
It is worth noting that a Disaster Recovery Policy is different to a Disaster Recovery Plan.
A plan defines the step-by-step processes an organisation will follow to address issues (e.g. lack of connectivity, cyber-attacks) in order to recover from a significant event.
How is a Disaster Recovery Policy different from other processes such as a Business Continuity Plan or Disaster Recovery Plan?
This is one of the most challenging questions to answer succinctly as, whilst the terms do all have different meanings and purposes, you will often find that some of them have been used interchangeably (such as Disaster Recovery Plan in place of Business Continuity Plan, or even Incident Management/Recovery Plan).
In addition, not all businesses will require all of the processes; indeed, it would be true to say that most small businesses may only require a Business Continuity Plan, or may include their Disaster Recovery Plan within their BCP.
However, each is typically defined as follows:
- Business Continuity Plans:
  - BCPs focus on keeping the business operational during a disaster. They can include contingency plans, such as stating how the company will operate if it needs to move to a new location (due to an office fire/flood).
- Disaster Recovery Policy:
  - A Disaster Recovery Policy is a high-level strategy document which defines how an organisation will react to a catastrophic incident, such as cybercrime, natural disaster, fire, or pandemic, and communicates a commitment to taking disaster recovery seriously.
- Disaster Recovery Plans:
  - Disaster Recovery Plans (sometimes referred to as DRPs) are the actual steps that a business puts in place for responding to a catastrophic event. Disaster recovery involves a business's measures to respond to an event and return to safe, regular operation as quickly as possible.
The following analogy will hopefully help you understand how they fit together. Please bear in mind that it is a highly simplified explanation and that, in reality, the needs of an individual organisation can change this picture somewhat.
Example Scenario - Airline Suffers a Computer Outage Following a Cyber-Attack
Picture the scene; a major airline is going about its daily business checking in travellers at a large international airport seeing tens-of-thousands of passengers a day. Check-in staff are busy checking passports, processing customer reservations and placing baggage onto the luggage belts to be whisked away, hopefully to be seen again.
Then the system crashes.
Staff look around. Every other airline is operating normally so it can’t be a localised issue such as an internet outage, and customers' bags are still disappearing into the background so other operational aspects are still functioning. So what do they do?
It’s at this point that the Disaster Recovery Policy kicks in. Managers on-site will potentially dash to check their records on what they should do under this scenario. At this stage, it’s not about trying to fix the issue. It’s about identifying next steps.
For example, the policy on what to do in a non-life-threatening situation, such as a computer or power outage, may be different to what to do in a situation where there is potential risk to life, such as a fire or terrorist attack.
The disaster recovery policy may state that in a non-life threatening situation such as a cyber attack, the next step should be to implement the Business Continuity Plan and alert senior management at head office.
Implementing the Business Continuity Plan allows the organisation to continue operating with minimal impact to the business or users until the operational issue has been resolved.
The Business Continuity Plan might for example specify that staff should:
- Switch to an alternative means of collecting and processing passenger data, such as writing down all passenger details on backup forms which are stored at the location
- Liaise via phone with another team or body to verify customer records, visa and passport information
- Dust off the old fax machine which has sat dormant for the last 20 years, and get it connected so that they have an alternative means of sending documents to the necessary locations
- Take photos of passports and fax copies to head office for retrospective processing once the systems come back online
Whilst the above may seem somewhat comical in this modern age of technology, you get the idea. Perhaps more importantly, it doesn’t take much to imagine how much chaos would ensue if the above wasn’t already in place and staff had to create a workable and coherent solution on the fly.
What neither the Disaster Recovery Policy nor the Business Continuity Plan does is define how to solve the problem. Instead, that is the job of the Incident Response Plan (most commonly used in IT environments) and the Disaster Recovery Plan.
What are the benefits of a Disaster Recovery Policy?
With more organisations becoming reliant on technology, an unplanned event such as a power outage or data breach can cause an ill-prepared company significant damage. The severity of repercussions will depend on the business itself. This is why a Disaster Recovery Policy can be so beneficial, as it:
- Allows the business to understand what assets are critical and require restoring quickly to keep operating
- Encourages businesses to regularly back up their data so that in the event of a disaster, it can be recovered
- Reduces productivity downtime after a disaster
- Decreases financial damages (the longer a business is offline, the greater its financial loss; think Travelex NYE cyber attack, which ultimately led to its demise!)
- Reduces damage to the organisation’s reputation
- Enables the organisation to invest in what assets need protecting
- Provides peace of mind, in that staff know that there are clear policies in place for how to respond to a disaster.
A Policy may also include an organisation’s Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
Recovery Point Objective: Measured in time, this describes how much data can potentially be lost while still enabling the organisation to continue business operations. This helps the business decide how frequently it should be backing up data.
Recovery Time Objective: Measured in time, this describes the maximum ‘downtime’ an organisation can sustain post-disaster and how long it takes to recover lost data.
Who should create a Disaster Recovery Policy?
You’ll often find larger organisations (especially those that are ISO-compliant) will have a Disaster Recovery Policy, whereas smaller businesses will often roll their Disaster Recovery Plan and Policy into one Business Continuity Plan.
Within an organisation you then need to define who is going to take overall responsibility for ownership of the recovery policy, and whether this is the same person or team responsible for the various recovery and continuity plans. In large organisations, they may not be the same and could involve multiple stakeholders, and the policy may require input from the Head of IT, Technical Director, Chief Operations Officer, Human Resources, and so on.
What should a robust Disaster Recovery Policy include?
In order for an organisation to develop a successful Policy, they’ll need to consider several aspects. This will vary from organisation to organisation, but some common sections include:
- Purpose and Scope
- Roles and Responsibilities
- Definitions, including a list of possible events and their severity which should trigger the BCP and/or DRP
- Monitoring and evaluation
- Emergency contacts
- Document version control
How often does a Disaster Recovery Policy need updating?
It is recommended that a Disaster Recovery Policy should be reviewed annually, or whenever changes are made to the organisation, and that any Business Continuity Plans are tested twice annually. This helps to ensure that everything is accurate and up to date, and reduces the risks of any unplanned scenarios. Regular testing should be a part of the Disaster Recovery Policy and should be documented.
How to get help with creating a Disaster Recovery Policy?
An organisation changes its operations from time to time, and with this, its Disaster Recovery Policy and controls need updating too. If your policies and procedures are not up to date, or you simply don’t have any at all, it might be time to call in some expert help to conduct a review.
We understand that no two organisations' needs are identical, so we offer support tailored to your unique needs.