Top 10 Key Factors When Creating a Disaster Recovery Strategy

Juan Ignacio Oller Aznar

Join us for this quick review where we take a look at the top 10 key factors to consider for an SME when creating a disaster recovery strategy.

Creating, implementing and maintaining a truly effective disaster recovery strategy requires careful planning and resource management.

If you want to make sure that your business is ready to survive a catastrophic systems failure, you will need a detailed contingency plan, the right processes and infrastructure and well-trained, prepared employees. And obviously, all of this needs to be in place long before a disaster strikes.

Investing in a well-designed Disaster Recovery (DR) solution will not only protect your critical assets but also guarantee business continuity and resilience against external threats.

NOTE: If you’re interested in what the regulatory framework looks like for Disaster Recovery, take a look at ISO/UNE/22.301 “Business Continuity Management Systems”.

Key factors when creating a disaster recovery strategy

At Jotelulu, we just love a list! So, here are the top 10 key things that all small businesses should be thinking about when creating their disaster recovery strategy:

Alignment within the business
Risk assessments and impact analyses
Cost of the solution compared to the available budget
Dependencies and coordination
Definition of recovery objectives
Procedures, documentation and standards
Choosing the right technology
Training and raising awareness
Testing and validation
Continuous improvement

As you can see, they cover quite a broad range of topics. So, without further ado, let’s take a look at each of them in more detail!

Alignment within the business

I’m not going to dwell on this first item too much because it’s fairly straightforward. It’s just plain common sense. Before you start doing any work on your DR strategy, you need to remember that the IT department is not the centre of the universe (even if sometimes it might feel that way). The IT department exists to facilitate the rest of the company’s business operations.

That means that, before you do any work on your DR strategy, it’s important to meet with senior management and all other departments to establish what is most important to them. You need to have a clear idea of what is critical to the business, what absolutely cannot tolerate any downtime and what has priority when recovering the company’s systems.

Risk assessments and impact analyses

When creating a disaster recovery strategy, risk assessments are absolutely vital. These assessments will help you to identify the specific risks that could impact your business so that you can then develop suitable strategies to mitigate them. Even for a small business, there will be a wide range of potential risks. These will include hardware or software failures, human error, intentional acts of sabotage, natural disasters and, of course, cyberattacks.

We already addressed this topic in a previous article. So, if you’d like to learn more, check out Risk and Threat Assessment for SMEs.

In addition to risk assessments, it is also important to carry out a Business Impact Analysis (BIA). This is a process that aims to determine how different disasters will affect the business, taking into consideration the company’s finances, operations and reputation.

Cost of the solution and available budget

With any project, cost is one of the most delicate topics. It will almost certainly be one of the most important factors that determines exactly what solution you end up adopting, and the most complete solution is often the most expensive. Creating a disaster recovery strategy is no exception, and depending on the way your business is organised, you may not have a big enough budget for the solution you want.

When considering the cost of your chosen DR strategy, you will not only need to consider the cost of implementation but also the cost of maintaining it going forward. Then, once you have a clear idea of your options, the best approach is to carry out a cost-benefit analysis.

Your initial costs are likely to include staff costs (hours worked, consultants fees, etc.) and infrastructure costs, such as the cost of buying new hardware, licences and cloud service providers.

On top of all this, you’ll also need to consider any additional security costs. It’s all good and well having a carefully thought-out DR strategy, but a security breach could render the whole thing useless.

We took a look at this subject recently on our blog. To find out more, check out What is the Real Cost of Not Investing in Security?

Dependencies and coordination

Systems and processes are almost never floating around working in isolation. In most businesses, there are countless interdependencies between the elements that make up the organisation.

If you want to create an effective DR strategy, you’ll need to review all of these interdependencies to ensure that they are correctly identified and documented. Only that way will you be able to recover your business processes in an efficient and coordinated manner.

But this isn’t just limited to your internal processes. You will also need to think about how you interact with your business partners and suppliers. You’ll also want to make sure that each of them is involved in your DR strategy or at least has a compatible one of their own so that there are no weak links in the chain.

And last but not least, management needs to be 100% involved. Without support from senior management, the whole project will be a complete waste of time.

Definition of recovery objectives

If you’ve already had some experience or training on running IT projects, you’ll know that most projects suffer some kind of setback at some point. In fact, there are studies that say that only around 20% of projects run without a hitch.

Anyone who has studied methodologies like PMP, ACP or Scrum will know that this normally happens because of poor resource management or poorly defined objectives. This is why, when creating a DR strategy, you need to have clear objectives before you even start the project. These are the very foundations upon which everything will be built.

To establish your recovery objectives, you’ll need to have a good understanding of your business’s resources and services and the way that they are connected and depend on each other. There are two main objectives that you need to determine:

Recovery Time Objective (RTO).
Recovery Point Objective (RPO).

The Recovery Time Objective (RTO) is the maximum time that the business can wait to restore critical processes in the event of a disaster. The Recovery Point Objective (RPO) is the maximum amount of data loss that the business can tolerate, which can be measured in days, hours, minutes or even seconds.

NOTE: For more information on this topic, check out our blog article titled Disaster Recovery: What Are RPO, RTO, WRT and MTD, and Why Are They Important?

Procedures, documentation and standards

In the field of operational management, there is a model called the PPT strategy. This stands for People, Processes and Technology and is based on the notion that when all three of these things work together correctly, operations will also run smoothly. This model is also relevant to the field of knowledge management. In the case of DR, it’s the processes that ensure that your team knows what it needs to do at all times.

key factors disaster recovery strategy — Image – People, Processes and Technology

To start with, will need clearly defined procedures that leave no room for ambiguity or error. They should be easy to understand and help your team to carry out their roles even in a stressful situation. These procedures should include cover matters such as chains of communication, recovery procedures, workarounds, etc.

The most effective way of presenting these procedures tends to be either a step-by-step guide or a checklist. Checklists can be used to either trigger a specific measure in response to a given event or use to record that each necessary step in the procedure has been completed.

It is also a good idea to have detailed documentation for everything related to your DR strategy. This includes backup and recovery plans, escalation procedures, hardware and software settings, definitions of roles and responsibilities and any documentation required for regulatory compliance, such as ISO 27.001, ISO 22.301, ENS, Cobit, etc.

Obviously, in the case of regulatory compliance, you’ll need to consider what industry standards and regulations apply in your country.

One area of regulatory compliance that is particularly important is that related to personal data protection. If your business handles any personal data at all (which it almost certainly does), you will need to make sure that this data is always backed and encrypted, both when stored and when being shared, and has suitable access controls to protect against attacks or exfiltration.

Choosing the right technology

When creating your DR strategy, choosing the right technology will be absolutely crucial. You should carefully assess the available tools and technology, depending on your available budget, and also take into consideration any applicable legislation or regulations.

Before you decide on the right solution for your business, you will need to think about what model you want to use for your backup and replication infrastructure. This will be key for making sure that you can create backups efficiently and restore your data as quickly as possible when required.

Something else to consider is automation. If your budget allows, you could implement some automated tools to increase efficiency and reduce the chance of human error.

Lastly, although you might think that Jotelulu is a little biased, you’ll need to decide whether you want to use a cloud-based or on-premises solution. Of course, you could opt for a hybrid solution, which might give you a better balance between availability and cost. When making this decision, the most important facts to consider will be cost, speed of recovery and, of course, security.

Training and raising awareness

Earlier, we referred to “People, Processes and Technology”. Well, we looked at processes and we talked about technology; now it’s time for the people.

In fact, this is something that I bang on about fairly regularly because it doesn’t just apply to disaster recovery or security. Whatever the process or project, it’s really key to make sure that your staff are properly trained. If you have well-defined processes, this is a great start. But if your employees fully understand their roles and responsibilities, they will be much more efficient and agile in the event of a disaster.

In addition to training your technical staff, you should also look to run awareness-raising sessions among your other employees. This way, your workforce will be fully aware of the importance of disaster recovery and business continuity, thereby developing a more responsible culture within the company.

Testing and validation

Any plan should have a series of checks and balances, and disaster recovery is no different. When creating your DR strategy, you must include some control elements to check that everything has been planned, implemented and maintained correctly.

At the most basic level, you should carry out regular reviews of your DR strategy. This means making sure that any ongoing activities are running smoothly and that all employees fully understand their roles in the event of an emergency. If you can, it’s a really good idea to test your strategy in full. Ideally, this should include simulating a real disaster and executing your data recovery plan. However, given how complex this can be, it might be more convenient to trial certain processes separately. Regardless of how you test your strategy, it’s a great way for your employees to practise their roles. This will leave them much better prepared when disaster strikes.

Running tests of your DR strategy also gives you the chance to check that your recovery procedures meet your RTO and RPO. That way, if you’re falling short of your objectives, for whatever reason, you can issue corrective actions before a real disaster situation occurs.

Lastly, it’s a good idea to implement some form of monitoring system to detect any issues or failures in your DR infrastructure so they can be resolved swiftly.

Continuous improvement

I know some of you might be a bit bored of hearing this because I mention it in almost every article. The main responsibility of any sysadmin, technician or manager is to make sure that they perform better each day. “What doesn’t evolve, goes extinct”. If this maxim applied to the dinosaurs, who lived in a much less changing world, imagine how relevant it is for us!

To make sure that your DR strategy is constantly improving, you should regularly assess new threats. If you ever have to execute all or part of your DR strategy, record any lessons learnt, suggest changes and update your strategy accordingly.

You should be constantly asking yourself, “What is good?”, “What could improve?”, “What needs to change?”. The answers to these questions will give you all you need to make some meaningful improvements to your strategy.

Lastly, we’re particular fans of the Deming Cycle, which consists of the following stages:

Plan.
Do.
Check.
Act.

Conclusion

As I’m sure you’ll agree, these top 10 key factors when creating a Disaster Recovery strategy are really very straightforward. They’re equally valid for large businesses or SMEs and may very well one day play a decisive role in whether you can survive a serious emergency. I should stress once more, that it is really important for management to be fully behind this kind of initiative. It requires a lot of time, both for planning and execution. Management will have to support you to make sure that you get it right. Only that way will you be fully prepared when the unthinkable happens.

If you would like to learn more about security, take a look at these other articles on our blog.