A Disaster Recovery Plan (DRP) is part of the Business Continuity Plan (BCP) and covers the general procedures for recovering the business after a disaster.
The main steps in creating a Disaster Recovery Plan are:
- Assessing the potential threats that the organization is exposed to;
- Estimating the possible impact of a materialized threat;
- Establishing preventive, corrective and detection measures;
- Aligning the time targets that have to be achieved in the recovery process (Recovery Time Objective – RTO, Recovery Point Objective – RPO) with the values established through the High Availability strategy (part of a BCP).
The risk factors any business is exposed to may include: floods, fires, hurricanes, explosions, earthquakes, military conflicts, terrorism, temporary and total electricity interruptions, telecommunications or internet problems, viruses, hackers, human error, and so on.
A company must also prepare for recovery, in addition to the main preventive measures that must be taken:
- Development of an internal backup strategy and an off-site storage strategy;
- Creation of an information infrastructure with redundancy in case of any key component failure;
- Elimination of single points of failure;
- Development and implementation of a security system in order to protect the company’s information against external (hackers, viruses) and internal (employees, industrial and commercial espionage) attacks;
- Installation of equipment such as Surge Protectors, UPS, power generators.
A Disaster Recovery Plan should answer these questions:
- Who is the person or team in charge of developing corrective and recovery actions for a disaster event?
- What actions should be implemented in order to return to normal functioning?
- How should the materialization of a threat be communicated inside and outside the organization, so as to have the support of internal human resources, as well as business partners (suppliers, customers, intermediaries)?
- How long should each step of the recovery process last?
According to some studies, most companies spend between 2% and 4% of the IT budget on disaster recovery planning in order to avoid bigger losses should the IT infrastructure fail or should the organization's data sustain severe damage.
Among the organizations that have suffered as a result of a major disaster, 43% failed to recover, 51% were closed down within the next 18 months and only 6% survived.