In my previous post, I wrote about disaster recovery measures necessary to protect the organization from the after-effects of any possible disaster. Once the need is felt and understood, the next step would be to plan and execute these measures.
The question is, how do we go about doing it? Many CIOs that I know take considerable time to take necessary steps because a large portion of their available time is often consumed by their day-to-day tasks and by attending to emergencies. The organization then runs the risk of badly losing out in case there is any mishap.
What is disaster recovery planning (DRP)?
Disaster recovery planning (DRP) is the process of developing in advance, the facilities, plans, and procedures, that enable an organization to respond to a disaster by being able to resume critical business functions within a defined time frame, to minimize loss, and to restore affected areas of business. DRP is a part of the larger, more extensive practice called business continuity planning (BCP).
The primary objective of a business resumption plan is to enable an organization to survive a disaster and to re-establish normal business operations. In order to survive, an organization must ensure that critical operations can resume within a reasonable time frame.
Therefore, the goals of a business resumption plan should be to identify weaknesses to implement a disaster prevention program, to minimize the duration of a serious disruption to business operations, to facilitate effective co-ordination of recovery tasks, and most importantly, to reduce the complexity of the recovery effort.
Elements of DRP
The main elements of DRP are given below.
Policy statement: Defining the goal for the plan and a business impact analysis. This is where, I feel, many people slip; I have often found people talking of a DR site and on-line replication without even assessing the tolerance of business to a few hours of shutdown.
Preventive steps: It is important to make a list of all the possible failures and examine steps that can be taken to ensure that such failures could be prevented. This may even include measures like a dual power line to the data center, redundant servers, data back-ups (at remote sites), storage replication, two data centers in the same campus but apart with equipment distributed etc. Larger important measures need to be planned well.
Recovery strategies: This deals with the question ‘what and by when to recover’. Here we talk of Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
RPO refers to the age of the data you want the ability to restore to in event of a disaster. For example, if the RPO is eight hours, systems should be restored in the state they were in no longer than eight hours ago. This helps in defining the back-up or data replication strategies. RTO is the number of hours or days that management has put on resuming a business process or a system; in short this describes the time needed to get back to normal work.
Plan development: All the measures and steps including the infrastructure, back-up devices, processes and recovery steps need to be planned and documented so that the process is uniformly understood by all. Plans would then be run and tested.
Plan buy-in and testing: DR plans would not be effective if people are not aware of what is to be done in the event of a disaster. So awareness and training sessions are of utmost importance. It is a good practice to carry out drills so that the real recovery process is enacted and is a real world exposure.
Maintenance: It is not end of the story if we install a DR solution ― it has to be maintained on an ongoing basis. As the business grows there would be changes to our technical landscape, additions to capacities and realignment of business priorities, thus necessitating a review of our plans. Therefore, plans need to be examined and changed to reflect the current business realities.
DRP, hence, is a well thought of exercise and assumes the significance of a strategic plan designed to protect companies operations from disasters.