Disasters, like bushfires and pandemics as we've seen most recently, can wreak havoc on people and businesses. There are threats locally and globally we often can’t predict, and when something unexpected happens, it highlights the necessity of planning for the worst-case scenario. This is why it's crucial for businesses to have a disaster recovery plan (DRP).
A disaster recovery plan is a part of your overall business continuity plan (BCP), and its purpose is to help your company and its staff minimise the consequences if disaster strikes and resume business as soon as possible. To clarify, a disaster recovery plan differs from an incident response plan (IRP), which is also a part of your BCP: an IRP is aimed at helping you deal with a crisis immediately before, during, or after it happens, whereas a DRP is more focused on getting your business back up and running so it lasts in the long run.
To make sure your plan is set to get your business up and running, you should make sure it includes certain key elements.
1. The scope of your plan
There are multiple types of crises that could affect organisations and multiple dimensions of an organisation that need to be protected, so as simple as it seems, the first part of your disaster recovery plan should define what scope it covers. For example, does it cover what to do in the event of a cyber attack or more so in the event of a natural disaster? Ideally it should cover both, but that needs to be documented.
2. Organisational roles and responsibilities
In order for recovery to take place, your organisation should have a designated disaster recovery team that is well-acquainted with the documented recovery processes and plays a specific role in the plan. Responsibilities of the recovery team should cover not only what to do during and after a disaster, but also what to do in advance of one, such as:
- Ensuring more than one person knows how to perform necessary tasks, so if something happens, there isn't the risk it won't be done properly or at all.
- Ensuring your staff know the manual way to perform certain processes (if they exist) as software or hardware might be damaged or disrupted during a disaster and not be available.
- Training of all staff, so they are prepared for how to act and do their jobs safely in the event of a disaster. Especially if your organisation operates in a high-risk environment, adequate training can significantly reduce the impact of a crisis.
3. Your critical business functions and the tolerance for downtime
Your critical business functions (CBFs) are the vital functions of your organisation without which it cannot operate properly or at all. In determining the strategies that will help your business recover from a disaster, you have to identify these functions as well as determine how long you can last without them before experiencing severe loss. This is also known as your Recovery Time Objective or RTO. By outlining your CBFs and how long you can survive until they are restored, you can better prioritise the processes listed in your recovery plan.
4. The strategies, processes and procedures to resume your critical business functions
Now that you have identified the functions of your business that need to be restored in order for your business to run, you can design your strategies accordingly.
For each critical business function, you should document the following:
- Preventative/Recovery actions that should be taken to back up or restore the CBF
- Resources/Equipment required to facilitate those actions
- Recovery time objective (so you know how quickly actions must happen)
- Responsibility (Who is in charge of making sure the actions happen)
You should also develop a checklist that is used to assess the extent of the damage after a disaster and monitor the recovery process.
Let's see this in an example most companies can relate to:
5. A communication plan
If disaster strikes, the last thing you might want to do is address your customers, employees or other stakeholders, but effective communication is key to showing you are in control of the situation and that it will be resolved. Effective communication doesn't just mean communicating everything as soon as possible, but knowing the necessary chain of communication and reporting accurate information. This is why it's important to outline a thorough communication plan that covers these elements.
This plan should include contact lists of those who will need to be communicated to (internally and externally), a protocol for what information can be communicated and how it should be conveyed, depending on the situation. For example, the communication following a natural disaster will be different from the communication following a data breach, and your plan needs to account for those variations.
6. Schedule for Testing, Reviewing & Improving
As businesses change and evolve quickly, disaster recovery plans need to evolve as well. Unfortunately, it's not as simple as creating a DRP and your business then being ready for anything. Your company should dedicate time to testing or rehearsing your plan to make sure it's useful, and to reviewing the plan so that it stays up to business and industry standards. If business is booming and your staff doubles, for example, you'll need to account for those additional staff or office space in your disaster recovery plan. Depending on the rate of growth or change in your organisation, schedule testing of your plan quarterly to annually.
While some of the processes you need to think through as part of your disaster recovery plan may seem like common sense, the truth is that people don't often think clearly in the midst of disasters. Rather, shock, stress and panic tend to take over. In those moments, these plans tell your organisation what to do to minimise repercussions and leave you facing a better outcome whatever the circumstances. As the saying goes, "it's better to be safe than sorry."
To learn more about how RiskWare is making the world a little less risky, visit us at RiskWare.com.au.