How to Write a Simple Disaster Recovery / Business Continuity Plan

Every organization relies on information - customer records, key documents, e-mail, financial systems, and other essential data - to function. Even a small nonprofit organization with low IT sophistication would be at a standstill, should access to their Raiser's Edge donor database be lost for an extended period.

Without access to such mission-critical information, business operations stop, and through the corresponding loss of productivity, loss of revenues, or reputational risk, the future of a business or organization could be at risk.

But how likely is it that your business will be impacted by a catastrophic event? According to an analysis of The Hartford's small business claims, four out of 10 small businesses are likely to experience a property or general liability claim in the next 10 years. Of those claims, one out of four will be due to damages caused by fire or flood.

Developing a comprehensive approach for data backup, recovery, and continuity systems is critical to small and mid-sized businesses. They protect against data, application, and systems loss from disasters small and large. But business owners can become overwhelmed by the magnitude of needing to develop a disaster recovery / business- continuity plan (commonly known as DR / BOP). So, grab a piece of paper, and let's get started ...

First, let's identify the internal stakeholders within the organization that will need to be part of your recovery team. Participants often include senior management, department heads, and key operational department members, such as members of your IT team, or accounting department. For each, document their contact information, including their work, home, and mobile phone numbers, business e-mail, and alternate (personal) email addresses.

Next, let's identify the business partners that will be needed to assist with recovery efforts. This contact list may include your building owner, property-management company, power company, IT support partner, telecom provider, site-security company, office-supply vendor, office-furniture dealer, HVAC vendor, locksmith, key suppliers, commercial insurance agent, and property and casualty insurance agent. For each, document your point of contact, their work number, fax number, cell number, e-mail address, and your account number with each vendor organization.

Speaking of insurance, the next section of your plan should include a summary of applicable insurances. Be sure to include your policy name, coverage type, coverage period, the amount of coverage, the person internal to your organization responsible for managing the policy, and the next renewal date.

Now that we've identified stakeholders and insurances, let's turn our attention to business operations. In the recovery process from a catastrophic event, IT is going to be a key component to a timely recovery. Your IT resources are going to need a few critical pieces of information to expedite recovery. First, assuming your primary place of business is unusable, identify your DR location. This could be at a secondary office location, at a "buddy business" with whom you've contracted to serve as each other's DR location, at a third-party vendor's DR location, or another predetermined location. Get these relationships defined if you have yet to establish a designated DR location.

Next, identify the key software applications that your organization leverages, and list them out in order of priority. Your IT staff should then be included in your analysis to determine from where those applications are served - whether they be on internal servers, or through cloud services, and a recovery plan should be developed for each.

A common pitfall to avoid is defining all of one's software as equally and vitally important. Management should define three recovery time objectives with common recovery-time targets, often consisting of within one day, three days, and seven days, respectively. Management can then work with team leaders to prioritize and assign each application to one of the three classifications, better defining the order of IT recovery priorities.

Much like insurance, a DR/BCP is only helpful if done in advance of a catastrophic event. In addition, it only remains relevant if examined, tested, and modified on a regular basis to ensure it can be relied upon should an unexpected event occur. Therefore, be sure to schedule semi-annual reviews of your plan, and verify for accuracy and relevance. Lastly, store a copy of your plan off-site - the plan does no good if it's not accessible during a disaster!

Many business owners dread the thought of a businessimpacting disaster affecting their organization. Having a plan that identifies stakeholders, outlines the location to restore operations, and the priorities of business functions during recovery, helps to make sense during a time of chaos and will help you sleep better at night.