Words to go: Disaster recovery planning checklist

Working on a disaster recovery plan? Don't forget to include these vital tests, exercises, plans and assessments when preparing for a disruptive event.

So, it's time to go down the old disaster recovery planning checklist. Maybe you're just getting started on a disaster recovery plan, or maybe your company's established plan needs a refresher. There are so many different policies and practices to know when creating a comprehensive recovery plan; it can be helpful to have them all laid out and addressed prior to an incident occurring.

While there is only so much that can be done to prevent a disaster from hitting your organization, thorough preparation can help keep your data safe and get operations up and running as soon as possible. With the right assessments, you can find out where your organization might be vulnerable and what resources you have available, which will enable you to customize a DR plan to suit your needs. Afterward, you can ensure the plan works in practice and make adjustments with testing and drills.

Below, we cover seven key terms you should find in your disaster recovery planning checklist. From the initial analyses to tests and exercises to run once your planning is complete, we cover recovery planning from start to finish.

Business continuity policy. A business continuity policy is the set of rules and standards your organization follows to ensure continuity in a time of crisis. This policy is enforced by the organization and will vary by compliance requirements and available technologies. The goal of having a business continuity policy in place is to have documentation of what is needed to restore continuity and the timeline that must be followed.

If a policy is clearly outlined and followed, it ensures that the organization has set realistic recovery expectations. Internal staff, such as corporate management and DR team members, should be aware of the continuity policy, as well as outside vendors, stakeholders and customers, if applicable.

Business impact analysis (BIA). An organization conducts a business impact analysis prior to a disaster occurring to see how operations will be affected by potential events. This should be one of the first items completed in any disaster recovery planning checklist, and should be updated periodically as circumstances change, either within the company or in the world around it. When conducting a BIA, an organization gathers information about how the business would be affected by different potential disasters and creates a report based on those findings to help make changes or add to a business continuity and disaster recovery (BC/DR) plan.

This can be done within the company or outsourced to a third party. A questionnaire or survey is a common method of conducting a BIA among staff, collecting detailed information about all the different departments and parties that can be affected and what can be done to get operations up and running.

Risk assessment. Not to be confused with a business impact analysis, a risk assessment analyzes potential disasters or events a company might face, the likelihood of those events occurring and what preventative measures that company should take. Performed after a BIA is conducted, a risk assessment identifies likely hazards and the assets that are put at risk when those hazards occur. Assets can include staff, property, data, supply chains, contract obligations and even company reputation.

The goal of a risk assessment will vary by organization, as will the process. But, essentially, the purpose of a risk assessment is to evaluate hazards and determine the inherent risk created by those hazards. Keeping track of risk assessments and updating results is a major part of updating a DR plan.

Risk mitigation. With risk assessment findings in hand, a company can begin the process of risk mitigation. Risk mitigation involves updating or adding processes to a BC/DR plan to address likely risks and prevent them from causing too much damage to company assets. Rather than preventing an incident entirely, risk mitigation assumes the event will take place and takes precautionary measures to lessen the impact.

Although the principle of risk mitigation is to prepare for all potential risks, a risk mitigation plan weighs the effect of each risk and prioritizes planning around that effect. Risk mitigation steps might be investing in backup DR sites or cloud disaster recovery or even updating social media policies to prevent damage to company or employee reputations.

Disaster recovery test. While a company may be confident about its DR plan in theory, conducting a DR test is a surefire way to check the effectiveness of the plan and fill in any gaps. Testing should be done regularly, though frequency will vary by organization. Once a test is completed, the results should be analyzed and used to make any necessary changes.

Disaster recovery providers often include testing as part of their services, so when vetting providers, DR teams should be sure to ask about testing and test frequency. Internal tests may also be conducted and can be included in maintenance projects and staff training.

Tabletop exercise (TTX). A tabletop exercise is an example of a DR test exercise that can be performed to evaluate the efficiency of a DR plan. In a TTX, not only do administrators get to see how a plan would play out, but plan participants get a trial run of their roles in a particular disaster. This involvement makes a tabletop exercise a valuable part of a disaster recovery planning checklist.

A discussion-based exercise, a TTX involves a facilitator narrating an event and guiding the participants, talking through the steps that should be taken. Common examples of TTX scenarios may include natural disaster or pandemic response, but will vary by organization, industry, region and other factors.

Typically lasting a few hours, a TTX runs through an event from start to finish, allowing participants to become familiar with their roles and responsibilities from the onset of the disaster to post-disaster recovery efforts. The outcome of a tabletop exercise can inform DR planning and identify gaps in personnel knowledge or security flaws that must be fixed.

Emergency communications (EC) plan. Another staff-focused aspect of DR planning is emergency communications. In the event that a company campus is closed or dangerous, there must be a system in place to communicate these details to employees and get everyone on the same page. An EC plan should establish the method of communication and ensure that participants are aware of it and know their role, if they have one.

An emergency communications plan may involve an automated mass notification system through text or email, or a phone tree that employees participate in to inform large numbers of people about a situation in a quick and efficient manner. While modern technology has made automated notifications a popular option, due to speed and efficiency, a call tree is effective in establishing two-way communication faster. With an automated notification, it may take time to figure out whether employees have received it if they do not send back a response, so calling may be a more immediate method of interacting with staff and ensuring they have the information. Methods will vary based on company size and resources, but, regardless, the plan should be filed with human resources and accessible to all members of the organization.

Along with the status of the physical site, an EC plan can also communicate to employees the locations of remote worksites and when it is okay to return to the primary site.
