Disaster recovery plan checklist: Key steps for a smooth restore
Disasters are unpredictable, but good planning can mean the difference between total data loss and a swift recovery. Avert potential crises with a disaster recovery plan checklist.
Comprehensive preparation is the only way an organization can defend itself against potential disaster. You cannot stop disruptions like ransomware attacks and natural disasters, but a good disaster recovery plan helps businesses get back on their feet as soon as possible.
Creating a disaster recovery (DR) plan involves more than just making backups that can be restored following a data loss event. If a DR plan is to be successful, then leadership must help carefully construct it to account for any risks to the organization. The plan must also provide guidance that will enable the organization to operate normally in times of crisis.
Here are 11 key steps for a disaster recovery planning checklist. Make sure they are a part of your organization's plan before it's too late.
1. Request inventory of existing equipment and assess needs
The first step in creating any disaster recovery plan is to direct IT leadership to compile a comprehensive inventory of all hardware, software and data assets. Effective disaster recovery planning is impossible without first identifying the resources that must be protected.
While the inventory collection process is useful for identifying assets that require protection, the process should also identify any resource gaps that might limit the success of disaster response efforts.
For example, a thorough resource audit might reveal that the organization is quickly outgrowing its backup capacity, or that systems intended to handle workload failovers need to be moved to another region. Ironing out these needs early is key, and this inventory should be kept up to date during future revisions of the DR plan. Leadership should also keep an eye on emerging technologies that might aid with disaster recovery, such as AI and machine learning.
2. Define recovery expectations
Another key step in a disaster recovery plan checklist is to establish clear recovery time objectives (RTO) and recovery point objectives (RPO) for all critical business functions. This process will define acceptable downtime based on potential losses, with the goal of guiding the organization’s investment in recovery resources. Leadership should be included in a formal approval process when establishing RTO and RPO, to make sure that the adopted policies fully align with the organization’s business objectives and risk tolerances.
3. Understand and mitigate risks
As you work toward creating a disaster recovery plan, it's important to conduct a risk assessment and business impact analysis. The goal is to identify risks to your organization's ability to do business, then quantify them based on the likelihood they'll occur and the potential severity of the effect.
For example, natural disasters are likely to occur at some point and could potentially be devastating to the organization. Similarly, a fire could also severely affect the organization’s ability to do business. Depending on the region where the organization is located, environmental risks like this might be heightened or reduced.
Once credible risks have been identified, executive leadership should focus on mitigating the effects of such disasters. It might be impossible to prevent some incidents from occurring, but a disaster recovery plan should outline a strategy that enables key business processes to continue, even during times of disaster.
4. Establish a recovery task force
Determine who will be a part of the disaster recovery team, and what each person's responsibilities will be. This must be done in a way that ensures that each disaster recovery team member knows exactly what is expected of them in times of crisis. As you establish these roles, you must provide team members with the necessary ongoing training. Additionally, task force members must be given the authority to act in accordance with their roles.
5. Invest in proactive prevention
Invest in resources that will reduce the potential damage stemming from disaster. For example, automated fire suppression systems might mean the difference between a small, minimally disruptive fire and a large fire that destroys an entire data center. Similarly, redundant storage arrays might prevent certain types of data loss events.
6. Secure recovery locations and infrastructure
If an organization's primary data center is impacted by a disaster, then key workloads must be able to fail over to an alternate location where they can continue to run. This might be a secondary data center, or it could be a location in the public cloud. In any case, organizations must decide what they'll use as their recovery site. When selecting a recovery site, organizations must consider budgetary constraints, connectivity, and geographic proximity to the disaster area.
7. Document and refine procedures
There should be no ambiguity in times of disaster. Organizations must ensure that detailed recovery procedures are well-documented and kept up to date. These documented procedures must be accessible to and fully understood by the recovery task force. This further underscores the need for DR team members to receive training in line with their roles.
8. Develop a communications protocol
An often overlooked step in a disaster recovery plan is to create a crisis communication plan. Such a plan should focus on managing communications with internal and external stakeholders in times of crisis. This plan must outline acceptable communications channels, designated spokespersons and pre-approved messaging.
9. Plan for restoration of operations
Just as it is necessary to create a detailed failover plan for business-critical workloads, it is just as important to establish a failback plan to implement once the disaster has passed. This plan should establish the conditions the organization must meet to move forward with failing back workloads. It should also address task force roles and failback procedures.
10. Manage public perception
Statements to the press must be carefully constructed, because those statements can affect the organization's stock prices, future revenue and, depending on the type of disaster, even expose the organization to civil or regulatory penalties. As such, organizations must appoint a designated PR officer who will act as the organization’s sole media liaison. The employee handbook must also be updated to prevent employees from speaking to the media.
Similarly, a policy should be put into place regarding the crafting of official statements. For example, a statement might be written by the CEO, but be submitted to the legal department for review before being released to the media.
11. Conduct ongoing validation and improvement
Mandate regular DR testing drills. After each drill, review the test results and revise the disaster recovery plan accordingly. Such a drill may occasionally reveal a need for additional training or for various IT resources. Leadership must be prepared to budget for these needs if the disaster recovery plan is to remain effective.
Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.
