Last week, I wrote “Disaster Recovery is about the information or technology systems that support business functions. It is a component of Business Continuity (BC), which plans to keep all aspects of business functioning during disruptive events.” We also learned together the critical need for DR.
But what really needs to be in the plan? Twelve questions begging to be answered:
1. What are the potential interruptions?
The key is to list all the ways in which business function could lose support, prioritize the likeliest, and address each with a plan. Today, cyber-attack is an increasing threat, and should be in the top of your list.
2. What are all the possible impacts?
A Business Impact Analysis (BIA) evaluates financial, safety, legal and public relations effects, and addresses to ensure the maintenance of confidentiality, integrity and availability.
3. Who calls for the DR to be enacted, and who is called when it is enacted?
A DR Plan spells out expectations of the roles and responsibilities for C-Suite Executives and the employee chain in the event of disruption. The chain of communication must be established as to who calls for DR enactment, and then who is called: What employees must come in and how they are to be contacted, with all contact information at hand.
4. Who updates the DR Plan?
Technology change, systems change and application changes, which are frequent, may all affect the effectiveness of the DR Plan. Who communicates the updates? Who adjusts the DR Plan and communicates the changes?
5. How often will you test the DR Plan and run drills?
Data breaches happen. It’s rare that a job will be lost over it, or a company’s reputation hurt over it. The damage is done on how well the company responded to it. Failure to respond properly leads to loss of employment and reputation. The only way to respond professionally is to have an exhaustive plan and to ensure that it works!
6. Who is responsible for hardware and software inventory?
Make sure the vendor technical support, contract and contact information is readily accessible in the event of a disruption.
7. What is your Recovery Point Objective (RPO) and your Recovery Time Objective (RTO)?
RPO is the maximum period in which data might be lost from an IT service. It answers the question, “How much time can we tolerate having to recover or rewrite lost content?” That determines your backup frequency. RTO addresses the target time to recover IT and business activity.
Prioritize plans based on what needs immediate recovery, what is acceptable to be recovered within a business day and what can be recovered within a few days.
8. What is your communication plan?
In the event of a disruption, Who needs to know What by When and by Whom? This also includes a statement prepared that will be accessible on your public platforms, and a plan on how and when customers receive initial communications and updates.
9. Where do you go if you can’t go to the office (or usual place of business)?
The DR Plan should address alternative worksite options, including telecommuting. Employees will need to know how to access systems from the alternative sites, and IT will need to ensure that compliance requirements are being observed.
10. Are all your vendors and contractors prepared to help?
The DR Plan must ensure that Service Level Agreements are in place, addressing how vendors and contractors are to help and the timeliness by which they are committed to respond.
11. Do you have operations and procedures in place to protect and access sensitive information?
12. Who is in Second Chair?
If a key employee is not available during a disruption, who knows what they do in order to perform their responsibilities in a crisis?
I hope you never have to enact your DR Plan. But I am available to make sure you have addressed all the key components for your business, and that you not only have a plan, but that it works and that you know how to use it.
What other questions do you have about DR Plans that I can help you with? Please comment below so that others can learn with you.