What Is a Disaster Recovery Plan?
A disaster recovery plan (DRP) is a plan to restore a critical business process or system to operation after a disaster. The DRP can be used to respond to a wide range of disasters, which include weather events, such as hurricanes, tornadoes, and floods; natural events, such as earthquakes; and fires from any source.
The DRP can also be used to rebuild systems after hardware or software failures. If a critical system crashes, operations stop. Although this isn’t as big a disaster as an earthquake, it is a disaster for this system.
Disaster recovery occurs after a disaster. It brings a system back into service after it has failed. The specific steps and procedures for disaster recovery are documented in the DRP. One or more DRPs are included in the business continuity plan (BCP).
Disaster recovery planning may be described by many terms, but they all mean essentially the same thing. Instead of the term disaster recovery planning, the following terms may be used:
- Contingency planning
- Emergency management procedures
- Business resumption planning
- Corporate contingency planning
- Business interruption planning
- Disaster preparedness
When working with DRPs, understanding several DRP-related terms is important. These include:
- Critical business functions (CBFs)—CBFs are any functions considered vital to an organization. These vital functions must be restored in the event of a disruption to protect the assets of the organization. If a CBF fails, the organization will lose the capability to perform critical operations necessary to meet its obligations and even to survive. Individual information technology (IT) systems and services support CBFs.
- Maximum acceptable outage—Maximum acceptable outage (MAO), also called the maximum tolerable downtime (MTD), is the maximum amount of time a system or service can be down before it affects the organization’s objectives or survival. The MAO directly affects the required recovery time because a system must be recoverable before the MAO time is reached.
- Recovery time objective—Recovery time objective (RTO) is the time within which a system or function must be recovered to avoid unacceptable business consequences. The RTO is equal to or less than the MAO. For example, if the MAO is 10 minutes, the RTO is 10 minutes or less. Unlike the MAO, the RTO does not necessarily impact the survivability of the business.
- Business impact analysis—A business impact analysis (BIA) is a study that identifies the CBFs and MAOs, the impact to the business if one or more IT functions fail, and the priority of different critical systems.
- Business continuity plan (BCP)—A BCP is a comprehensive plan that helps an organization prepare for different types of emergencies. Its goal is to ensure that mission-critical functions continue to operate even after a disruption or disaster happens. The BCP includes a BIA and one or more DRPs.
- Minimum business continuity objective—The minimum business continuity objective (MBCO) is the minimum level of services that is acceptable to an organization to meet its business needs and objectives during a disaster.
Every organization that has a critical mission needs to plan for disasters. If the operations that support the mission stop, the business stops. Unless an organization can do without critical business systems for any period of time, it needs a DRP.
The time to plan for a disaster is before the disaster, not during it. Once the disaster occurs, it’s too late to determine which systems are critical, which critical systems are more important than others, and which methods are the best to restore and recover the most important systems.
However, if the BCP identifies the critical systems and the DRP provides details on how to recover these systems, the organization is ready to respond. Without the DRP, the organization may not be able to recover.
Most DRPs include a purpose statement that identifies the goals of the DRP. A DRP often has multiple goals, which include:
- Saving lives—The protection and safety of personnel is always important. If any steps are required to protect personnel, the DRP will identify them. These steps include what to do to prepare for an impending disaster, such as a hurricane, and what to do as it is occurring and after it has passed.
- Ensuring business continuity—The DRP includes procedures to restore CBFs if a disaster occurs. The purpose of these procedures is to ensure that mission-critical operations continue to function during and after a disaster.
- Recovering after a disaster—The DRP addresses processes to recover the organization after the disaster has passed, which include normalizing any CBFs moved to an alternate location and normalizing noncritical functions.
DRPs are often divided to reflect different phases of a disaster. One phase identifies the steps and procedures to restore CBFs as soon as a disaster strikes, which may include moving CBFs to an alternate location. Another phase identifies the steps and procedures for normalizing operations. This phase returns operations to the original location. A single DRP can address each of the phases.