Disaster Recovery Planning - Where to start?
Disaster Recovery (DR) Planning is often seen as the responsibility of the IT Team. Whilst the IT Team may well have the largest input to the DR plan, the DR plan itself must be “owned” by the Board. The business has to decide how long it can manage without “normal” operations and how much data it can afford to recreate. These metrics are described as the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). Reducing both these metrics to zero is possible but can be very expensive. Often a balance will have to be struck.
If you need an RTO of less than an hour and an RPO of zero, then a hosted/cloud solution might be the only option. However, given that the chances of your building suffering a catastrophic loss are quite small, you could probably consider an RTO of 1 to 2 days and an RPO of up to 1 day to be acceptable. In this case there are other options that would be far more cost effective than a hosted solution.
When designing a plan, the usual approach is to identify the key risks affecting the business and then plan to minimise them. This is a sensible and relatively straightforward approach. However, there will always be situations that could not have been foreseen or complications that will thwart the best laid plans.
The key to a successful DR Plan is to consider its development in multiple phases. Once the business has decided what its target RPO and RTO are, the job is to cover the known risks, e.g. utility power failure, telephone line failure, loss of access to your building and loss of internet access. These are fairly “easy” events to address. The key here is to evaluate the chances of each known risk occurring, and then try to balance that likelihood against the steps and costs needed to minimise that risk. As each risk is minimised, the impact on the other risks needs to be re-evaluated.
For example, if your building has no history of utility power failure, then a battery backup may well be sensible. If the utility power supply is unreliable, it may be necessary to consider a generator. If your internet link is very unreliable, then moving to the cloud could be very risky for your business.
Once the identifiable risks have been assessed and minimised, it is time to deal with the unforeseeable risks. This can be achieved by identifying teams who have responsibility for specific areas of the business and establishing processes for them to use during an emergency. The teams must be able to cope with key personnel not being available, and the processes would provide a framework for areas such as communication and problem escalation, both within the business and externally.
As with many projects, it is important to take a holistic approach which involves the whole business when developing a DR Plan. Additionally, it can be very useful to have an outsider involved in the project to provide a different perspective. NLDC can help here: by applying our years of experience to your project, we can help you to deliver a DR Plan that is suitable for your business.