How to write a Disaster Recovery Plan

All organisations experience disruptions, whether that’s from a cyber attack, IT failure, weather event or something else, and they need to be prepared. The longer it takes to address an issue, the more the costs will spiral and the harder it will be to recover.

A Disaster Recovery Plan gives organisations a process for responding to a variety of incidents. Along with business continuity planning, it’s an essential strategy for managing the ever-increasing risk of disruption.

Why you need a disaster recovery plan

A Disaster Recovery Plan is effectively a form of insurance; you are spending money preparing for a scenario that you hope never occurs. The costs might seem high initially, but when disaster strikes (and it will), an effective plan could be the difference between a bad day at the office and your organisation going out of business.

Writing your plan

Geoffrey H Wold of the Disaster Recovery Journal provides a ten-step template to creating a disaster recovery plan:


Obtain top management commitment

Disaster recovery planning requires a lot of resources and input from the whole organisation, so you need to make sure top management is on board. They will allocate a budget and set aside the necessary help.

Establish a planning committee

Top management will then appoint a handful of employees to lead the planning process. This planning committee should contain representatives from all areas of the organisation, with the operations manager and data processing manager acting as key members.

Perform a risk assessment and business impact analysis

The planning committee’s first action should be to prepare a risk assessment and BIA (business impact analysis). This will identify the threats facing the organisation, the likelihood of them occurring and the damage each one can cause. The organisation won’t be able to plan for every threat, so the team needs to decide which ones pose the biggest problems.

Establish processing and operations priorities

You must evaluate and prioritise the effects of each threat on each department. Some areas of your business will need to be restored urgently or will take time to fix, so they must be tackled first.

Determine recovery strategies

The next step is to determine how you will restore affected processes and operations. You don’t need detailed procedures at this point, only broad strokes for the best methods of addressing affected parts of your organisation.

Collect data

Before you can turn your recovery strategies into a fully fledged plan, you must collect information on how every department operates and what processes need to be followed in the event of each identified disruption. You’ll need contact details of regulators, power providers and key members of staff; data breach notification checklists; inventories; insurance policies; and data flow maps, to name a few things.

Organise and document a plan

Now that you have all the necessary information, it’s time to document your disaster recovery plan. You’ll need a plan for each threat that you face, but the framework will be the same in most instances: you’ll always need to identify and address the source of the threat, secure the physical premises, ensure staff are safe, find a temporary solution and then begin recovery.

Develop testing criteria and procedures

All organisational plans must be tested regularly to ensure nothing has been overlooked. But first you need to develop criteria to assess whether a test is successful. Your biggest concern will be whether your organisation actually recovers, but you should also assess, for example, whether the recovery happens within an acceptable timeframe and how much data you retain.

Test the plan

With the criteria in place, it’s time to perform the test. This will give you answers to questions you identified in the previous step, but you might also identify problems that you weren’t aware of. Any problems discovered in your test should be documented and addressed as soon as possible.

Obtain approval

The final step is to submit the plan to top management. They are ultimately responsible for all policies and procedures, so your plan can’t go into operation until it’s been approved.

You can find out more about the ways you can prepare for disaster by reading Disaster Recovery and Business Continuity.

Thejendra BS’s guide is full of advice from his experience working for organisations across the globe. You’ll learn how to establish disaster recovery and business continuity plans, and discover the major causes of IT failures that you need to prepare for.