A disaster recovery (DR) plan is a bit like an insurance policy: we all know we need one and we all hope we’ll never have to use it. And as with insurance, nobody wants to discover their DR plan doesn’t actually protect them when a disaster hits.
So how can you verify that your DR plan fits your current needs? Follow these seven steps.
1. Plan for failure.
Things will fail during the practice run. That’s the point.
Prepare for this reality. If you don’t, people may feel incentivized to make everything look good rather than making sure everything actually works. So be the champion of failure: when a DR plan doesn’t go as you hoped, remember that you’re actually a hero.
You found a misalignment between your needs and your capabilities. Now, armed with that knowledge, you are empowered to get them back into alignment.
2. Put someone in charge.
I’m sure no one in your company would disagree that it’s important to stress-test your DR plan. And I’m equally sure that no one will do it if you don’t explicitly assign it. People are busy. And while DR is important, it’s rarely urgent — until it is.
So put someone in charge of leading DR stress-testing. This person will have to:
- Keep track of changing business needs as they relate to DR: are the RTO and RPO still valid? Do you need to update those and retool? Did you acquire a new business that now has to be accounted for?
- Schedule regular tests.
- Oversee the tests.
- Update your DR solution as needed — maybe a key database will be missing. Maybe there will be stuff you can get rid of.
- Update your DR plan to accommodate the new solution.
That last item is crucial: the whole point of testing is to identify parts of the plan that no longer fit your business needs. Be sure your new head of testing understands this; it’s easy for a “failure” during a test to feel like a personal failure. In reality, though, testing failures are wins because they let you prevent real-world failures.
3. Look at your current DR plan.
Before letting your eager new testing lead launch their first stress-test, take some time to review the DR plan you have in place, especially if it’s more than a year old.
If the plan doesn’t align with your current business needs (e.g., if the latest app you’ve rolled out isn’t even mentioned), make updates.
The goal is to create a DR plan that will meet the needs of the entire business as it exists today. You’ll want to collaborate with leaders outside IT to determine:
- Which apps and functionalities need to run.
- Which hardware must be online.
- What dependencies flow from the above.
Ideally, you’ll walk away from these conversations with RTOs and RPOs that, in the event of a disaster, accommodate everyone’s needs.
Remember: complexity leads to fragility. Aim for a plan that offers adequate coverage while staying as lean as possible.
4. Establish guidelines for real-life DR.
Any strong DR plan must include conditions that trigger it.
Common triggers include:
- Time: For example, you’ll give your team five hours to attempt to fix a problem before you failover.
- Functionality: Can certain parts of an app go down without triggering your DR plan? In other words, are there non-essential functions that your business can temporarily live without?
- Seasonality: For both of the above, are there times of the day, week, month, or year when the trigger changes? Do you have busy seasons or busy seasons for certain functionalities, like pop quizzes?
There’s no need to reinvent the wheel. These guidelines should be based on the larger business needs you’ve been considering all along. That means you’ll want to verify your triggers with other stakeholders in the company.
You should also enlist non-IT employees to help out during stress-tests. Someone from each department should be in charge of testing the functionalities they depend on — and someone should be in charge of testing from a user’s perspective. Let people know what you’ll need from them.
If you want to really turbo-charge your testing, do it without one or two key people (selected at random). That replicates real-world conditions when someone is always unavailable.
5. Stick a dollar sign on stress-testing your DR plan.
Everyone says teaching art and music is important, but they’re often the first to go under financial strain. In the business world, disaster recovery plans often suffer the same fate.
When you talk to the C-suite about DR stress-testing, frame it in terms of dollars and cents: how long can your business afford to be down?
Guide your leadership here, helping them calculate potential revenue losses from each minute of downtime for various business functionalities. And don’t forget to mention the potential reputational hit that even relatively minor downtime can cause if handled wrong.
You’ll also need to provide insight into the many types of DR solutions and the various costs of each. Finding the right fit based on your financial analysis will help ensure that you craft a recovery plan that fits just right.
6. Get the C-suite on board.
Remember when I suggested collaborating with non-IT leaders? The best way to get them to take your request seriously is to get leadership on board. Without leadership’s buy-in, you’ll likely struggle to convince other company leaders to prioritize your important (but again, non-urgent) request.
Tip: Focus on the positives instead of using scare tactics. Rather than saying, “We won’t be able to service orders,” try, “We’ll sign more customers because their orders will actually go through.”
If your C-suite already understands the importance of having a business continuity plan, make sure they’re on board with the importance of testing it.
7. Plan your practice tests strategically.
Scheduled downtime is a normal part of doing business. It’s also an ideal time to conduct a DR stress-test. When something goes wrong, you can easily roll back to production and reevaluate, recalibrate, and update your plan.
Stress-testing the whole business
Business continuity is a whole-business effort. That means every department must participate in your DR plan and be accounted for. The plan and testing schedule you develop should depend on the needs, budget, and risk tolerance of your business as a whole.
While there’s no single method that works for everyone, the first step will always be to actually take that first step. If you feel overwhelmed along the way, Deft can help. We handle the DR operations for small companies to Fortune 500s — we’d be happy to discuss doing the same for you.
