DR Plan

How to Create an Effective Business Continuity and DR Plan

In Security by Toby Owen

We rarely get a warning when disaster is about to strike, be it a natural disaster or a cyberattack. Your best chance at detecting, containing and responding to a disaster of any kind is through a tested and proven plan. An effective business continuity plan and DR plan provide detailed instructions for before, during and after disaster strikes, and can make or break your ability to continue to operate as a successful business.

Your business is unique, and therefore, you should have a business continuity and disaster recovery plan (BC/DR) that’s based on your particular needs. Let’s discuss the steps you can take to prepare for different risks and create a strategy that anyone within your organization can follow.

What is Business Continuity and Disaster Recovery?

2017 was a tumultuous year of disasters, accidents, and cyberattacks. In the U.S. alone, we experienced 16 devastating natural events, from Hurricane Harvey to the flood in California. Amazon experienced a 4-hour outage due to human error, and it cost customers hundreds of millions of dollars in downtime. These disasters drive home the importance of having a BC and DR plan in place.

Business continuity is the ability of an organization to maintain essential functions during and after a disaster or attack has occurred. Planning for business continuity establishes risk management processes and procedures that aim to prevent interruptions to critical services and quickly re-establish full function. The term disaster recovery refers to having the ability to restore the data and applications that run your business should your data center, servers and other pieces of infrastructure suffer damage. Disaster recovery focuses on your IT.

Together, they form a comprehensive plan that covers essential business functions and essential infrastructure technology.

Why Are Business Continuity and Disaster Recovery Plans Important?

When disaster strikes, the way you respond to the incident and the IT redundancies you have in place make all the difference. BC/DR plans are put in place to ensure you stay resilient and operational. Businesses in certain industries, like healthcare, are legally required to have both a BC and DR plan due to compliance regulations. All organizations gain a competitive advantage when they can conduct business with no interruptions, and service reliability builds trust with your customers.

In 2017, the average annual cost for enterprises that experienced a service gap with downtime (and/or data loss) was $21.8 million. And Gartner studies show that 76% of companies experience an outage each year, which backs up what our experts say: the question is not whether an incident will occur; the question is when it will occur. According to a 2017 Veeam availability report, a whopping 40% of companies go out of business if they cannot access their data within 24 hours. How would your business fare?

How to Develop Your Own BC and DR Plan

If you need to create a BC/DR plan from scratch or if you already have a plan, but need to refine it, here are the steps you should follow:

Step 1: Gathering Requirements
During this step, you will begin by conducting a business impact assessment (BIA). You will use this assessment to document your business processes and the impact of their recovery, including your systems and asset inventory, application dependencies and prioritization. Consider the impact of a system disruption in terms of what part of your operations it supports. Start by asking yourself: what resources are required to resume business processes ASAP? Determine which systems and resources are primary, secondary, and so forth. Example below:

[Image: DR Plan]

You’ll also need to determine your BIA metrics, which note how much downtime your business can tolerate and how much data you can afford to lose. These are commonly referred to as your recovery time objective (RTO) and recovery point objective (RPO), respectively.
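As an added example (not part of the original article), the sketch below shows how a BIA inventory with dependencies, RTO and RPO can be checked mechanically: it derives a dependency-aware recovery order and flags systems whose backup interval or upstream dependencies make their targets unreachable. The system names, hour values, field names and tier thresholds are constructed assumptions.

```python
from graphlib import TopologicalSorter

# Constructed sample BIA inventory; names and numbers are illustrative only.
# rto_h = tolerable downtime, rpo_h = tolerable data loss,
# backup_h = hours between recovery points today, needs = dependencies.
INVENTORY = {
    "storage":     {"rto_h": 1,   "rpo_h": 1,    "backup_h": 1,  "needs": []},
    "auth":        {"rto_h": 4,   "rpo_h": 24,   "backup_h": 24, "needs": ["storage"]},
    "customer-db": {"rto_h": 1,   "rpo_h": 0.25, "backup_h": 24, "needs": ["storage", "auth"]},
    "web-portal":  {"rto_h": 2,   "rpo_h": 24,   "backup_h": 24, "needs": ["customer-db", "auth"]},
    "payroll":     {"rto_h": 168, "rpo_h": 24,   "backup_h": 24, "needs": ["auth"]},
}

def tier(rto_h):
    """Assumed thresholds: primary <= 4 h, secondary <= 24 h, else tertiary."""
    return "primary" if rto_h <= 4 else "secondary" if rto_h <= 24 else "tertiary"

def recovery_order(inv):
    """Restore dependencies first; among restorable systems, shortest RTO first."""
    ts = TopologicalSorter({name: s["needs"] for name, s in inv.items()})
    ts.prepare()  # raises graphlib.CycleError on circular dependencies
    order, ready = [], []
    while ts.is_active():
        ready.extend(ts.get_ready())
        ready.sort(key=lambda n: inv[n]["rto_h"])
        name = ready.pop(0)
        order.append(name)
        ts.done(name)  # may unlock systems that depended on this one
    return order

def gaps(inv):
    """Return (system, problem) pairs where the plan cannot meet its own targets."""
    found = []
    for name, s in inv.items():
        if s["backup_h"] > s["rpo_h"]:
            found.append((name, f"backup every {s['backup_h']} h exceeds RPO {s['rpo_h']} h"))
        for dep in s["needs"]:
            if inv[dep]["rto_h"] > s["rto_h"]:
                found.append((name, f"needs {dep} (RTO {inv[dep]['rto_h']} h) but own RTO is {s['rto_h']} h"))
    return found

if __name__ == "__main__":
    for name in recovery_order(INVENTORY):
        print(f"{name:12} {tier(INVENTORY[name]['rto_h'])}")
    for name, problem in gaps(INVENTORY):
        print(f"GAP {name}: {problem}")
```

A system flagged for a dependency gap needs either a shorter RTO on the dependency or a longer, honestly stated RTO of its own.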

Next, you will run a risk assessment to identify all possible points of failure, both manmade and natural. This includes IT operations, compliance and security, vendor vulnerabilities and regional risks such as weather. Your efforts should result in a document that notes not only potential threats, but also their likelihood of occurring and the associated impact.

Step 2: Evaluate BC and DR Solutions
It is time to decide which approach is best for your disaster recovery based on your BIA results, budget and available resources. Some of these approaches include:

  • Backup and recovery. This includes tape, disk, optical or cloud.
  • Cold disaster recovery site. A site that is prepared after a disaster.
  • Warm disaster recovery site. A combination of a cold and hot recovery site.
  • Hot disaster recovery site. Prepared before a disaster has occurred and is always on standby.

If you’re not sure which one is right for you, a BC/DR provider can guide you through the differences. You have the option to develop a plan of your own, or work with a provider. Data center companies, like OnRamp, offer different methods of execution:

  • In-house. You operate your own applications and storage on a server within your own facility.
  • Colocation. You use a server or storage at another location.
  • Managed service provider. You leverage a provider’s services and facilities for your virtual machine, server and storage.
  • IaaS. Managed and stored by the provider’s server, storage and facility.

You may also end up with a hybrid disaster recovery approach and tailor your solutions to each business process. For example, payroll may be able to wait for up to a week for a backup, while real-time replication is required for your customers’ data. For more critical processes, a managed service provider or IaaS may be the best choice.

Step 3: Determine and Communicate Plan
It is your responsibility to communicate your BC and DR plan to your employees. The best way to do this is by creating a runbook, which is a playbook offering step-by-step directions during a disaster. Built from the directions you decided upon while creating your plan, your playbook should be a living document that’s updated as procedures change. Ensure the runbook is accessible by all team members and train your team regularly on proper procedures. Within the runbook, include how you as an organization declare a disaster, who should be involved in the process for mitigation and remediation, your priorities for business process recovery, etc.

Step 4: Test Your Plan
Your business continuity and disaster recovery plan requires testing and validation. It’s essential to test your plan to make sure it’s accurate and working effectively. One of the best times to test your plan is during a transition of responsibility and employee turnover. Sometimes, as transitions happen, the BC and DR plans can fall through the cracks and leave you vulnerable. How often you test your plan is up to you and your business goals—there’s no one right answer. Just remember, the end goal for your BC/DR efforts is to keep your business running smoothly.

For more information about developing a plan of your own, listen to our on-demand webinar online. It goes into further detail about each approach and the necessary steps to take to disaster-proof your business. Feel free to reach out to our experts with any questions or to discuss your options for improving your business continuity.

The original version of this article was first published on OnRamp.

Toby Owen

Vice President of Product Development at OnRamp
With nearly 20 years of experience in hosting, cloud and technology, Toby Owen oversees the product strategy and execution for OnRamp’s portfolio of high security colocation, managed hosting, and private cloud products. Prior to OnRamp, Owen led product and security teams at Cogeco Peer 1, Rackspace, and Wells Fargo.

Connect with Toby Owen on LinkedIn and Twitter (@tobydowen)