Disaster Avoidance and Recovery Planning

Updated: July 10, 2009

One of the most important things for a business is to have a good disaster avoidance and recovery plan. Unfortunately, it is also one of the areas that businesses spend little time or money on. Particularly, when budgets are tight, it is easy to not spend on something that hopefully will never happen. But, if a disaster does happen, all the hope in the world may not help you.

Another challenge in this area is that people often think of a disaster as a large event, such as an earthquake or fire. While these are certainly disasters, a disaster can also be as simple as a lost piece of paper (with all the corporate admin passwords on it!).

A third concern in this area is that companies usually focus on disaster recovery, but forgo planning on how to avoid disasters. You would think this is an obvious thing to do. After all, every company would rather avoid a disaster if possible. But still, this aspect of planning is often overlooked.

Good disaster avoidance and recovery planning looks across the entire organization and develops a plan that covers the gamut of issues from the macro level (i.e. HQ is destroyed) to the micro-level (i.e. a lost diskette). Further, this planning is also a fluid activity. Once a core plan is developed, it is important to revisit it regularly to ensure that it is up to date and accurate.

Regardless of the magnitude, emergencies occur anywhere, anytime, and under any condition. They can be natural, such as a hurricane or earthquake, or they can be "man-made", such as a hazardous material release, fire, power outage, or computer virus. Regardless of the origins of the incident, for the business to survive it is essential to avoid impact to critical business operations and if the interruption is unavoidable to ensure that these systems are reestablished on a timely basis.

Often the most common disaster scenarios (e.g., data loss, data corruption, software viruses, interruptions to data transmission, patch and upgrade compatibility issues, human error, etc.) can be prevented through the practical application of proven procedures and the appropriate implementation of proper configurations, system monitoring and redundancy.

DAR planning should employ a structured, verified methodology to analyze potentially vulnerable areas, define mediation, mitigation and recovery strategies, and implement those plans. Each phase includes concrete deliverables that not only form the basis for the following phases, but also serve as templates for on-going analysis and maintenance of the DAR plans.

Phase 1: Project Initiation

In the first phase of the project, the project scope is defined, key personnel are identified, and an inventory is made of the priority business processes and data. This phase sets the project parameters and establishes executive sponsorship and ownership. The project plan is introduced and refined to a level appropriate for the size of the effort. Most importantly, the team is introduced to a DAR methodology so that each member can begin to assume their role and set of responsibilities.

Phase 2: Business Impact Analysis

After initiation, a vulnerability assessment is performed. This phase focuses on which business processes are most critical to the business and which are most susceptible to interruption. The goal of the business impact analysis is to define the operational, financial and service impact of an interruption to each of the target business processes. The deliverable identifies the cost of an outage over time and hence the recovery time objective. For example, a manufacturing company may be able to keep the manufacturing process going for up to 2 hours without the company's systems. This phase also establishes a baseline for reasonable future investments in disaster recovery planning and avoidance.

Phase 3: Strategy Development

Using the information from the business impact analysis as a foundation, business continuity strategies are formulated and budgetary costs developed. The critical time frames and impacts from the business impact analysis will be used to determine which contingency strategies are viable. Additionally in this phase, disaster avoidance plans are prepared. These plans will be developed, documented and budgeted to define contingency and implementation requirements.

Phase 4: Plan Implementation

It is essential to first develop the full set of remediation and recovery plans, as described above. Few companies can afford to invest in 100% disaster avoidance, so with the complete plans from Phase 2 and 3, the company is now armed with concrete information and data for making informed decisions about their business and how to protect it. The next step in the process is for management to prepare budgets and priorities taking into account cost/benefit and cost avoidance figures. Once this step is completed, clear objectives are set forth for each system, accounting for both disaster avoidance remediation and disaster recovery planning. Teams are assigned (serially or in parallel as appropriate) to work on each system and/or plan. It is important to attend to details throughout, for an incorrect phone number or misplaced data file can derail your recovery efforts.

Phase 5: Testing and Maintenance

Last, and probably most important, through testing and training exercises, you then verify that the plan functions correctly and will be used effectively. By including tailored user procedures, you can also ensure that your staff follows a regular, certified schedule of maintenance, testing, and update procedures. Most DAR plans fail due to lack of testing.

As a last point, it is also important to develop a DAR plan that is manageable. In one circumstance, a relatively small company had a 200 page plus DAR plan. Once they developed it, nobody ever looked at it again. It was so complex and detailed that it was overwhelming. The result, they might as well not have had the plan at all. Part of keeping the plan manageable is to remember that a plan is also somewhat of a tradeoff. It balances avoidance and recovery against cost and risk. Good luck in your planning and may your business never be down.

Featured Research
  • Best ERP Features and Benefits for Your Business

    Are you considering investing in ERP software for the first time? Or maybe you already have an ERP solution but you’re worried it’s becoming dated. If either of the above apply to you, read our latest guide on the top ERP features and benefits based on the size of your business. You may be surprised at how versatile and cost-effective it is becoming - regardless of if you own a small business or run a large enterprise. more

  • 9 Spooky Signs You Need a Contact Center Upgrade

    When was the last time you evaluated the performance of your current contact center and the software you are using? The results may be frightening! If it’s been awhile since you invested in contact center software, there is a good chance that your needs have changed or that there are better options available now. Fortunately, it’s relatively easy to determine if you need an upgrade or not. more

  • 7 Ways the Wrong Phone System Can Haunt Your Business

    The wrong phone system could be haunting your business - and we’re talking about problems more serious than ghosts and ghouls. From increased costs to issues with scaling, we’ve identified seven important ways that a less than ideal phone system could be holding you back. You’ll be surprised at how much of a difference this can make to your bottom line too. more

  • Ditch Your Fax Servers

    An in-house fax server gives an IT department centralized management and monitoring over the entire enterprise's faxing. This can help your company track usage and better maintain records for auditing and record keeping. However, there are serious drawbacks that come with utilizing an in-house fax server solution and these range from security to cost-prohibitive pricing. more

  • The IT Manager's Survival Guide

    As an IT manager, maintaining physical fax servers and infrastructure is not a high priority. However, fax capability remains a business need simply because chances are your industry is dependent on its security. What if there was a way to reduce the amount of time spent handling fax complaints and maintaining physical servers? And this way took into account security, cost savings, and freed up your IT resources. Would you be interested? more