How to Build a Disaster Recovery Plan for Better Business Continuity

Within days of the tragic terrorist attack on the World Trade Center, business disruptions began rippling outward from New York City. Trucks delayed at the Canadian and Mexican borders led to shut-down assembly lines at Ford Motor Company. The Toyota factory in Indiana couldn’t make cars because parts weren’t coming in from Germany with air traffic shut down.

September 11, 2001 was a watershed event that forced many business leaders to “wake up” and admit that disasters can and do have widespread and lasting impacts globally. Over the decades that followed, disaster recovery became less about reacting to a crisis and more about ongoing risk management.

As John Liuzzi, National Director of Business Continuity at Southern Glazer’s Wine & Spirits, shared, professionals in his field no longer see disaster recovery and business continuity as administrative or compliance issues but as an integrated part of the business. Liuzzi says, “It’s about threat intelligence, disaster recovery, and crisis management that’s all seamless.”

A single human error can spur disruptive events from your supply chain to the front of the house. The longer your business stays out of service, the greater the loss to your people, systems, physical assets, and your company’s reputation.

From navigating a national tragedy to local demonstrations or a sudden blackout, a well-executed disaster recovery plan is your key to coming away with as few scratches as possible. Let’s break down what that could look like for your business.

What Is a Disaster Recovery Plan?

A disaster recovery plan (DRP) is a documented strategy for returning to normal operations quickly after an unexpected incident. The purpose is to provide specific instructions for actions to take before, during, and after any disaster. A comprehensive DRP should address all types of disasters, including human-instigated and natural, internal and offsite, accidental and intentional.

The range of potential disaster scenarios covered by a DR plan includes:

• Malware or ransomware
• System outages
• IT infrastructure failure
• Fires
• Floods
• Equipment failures
• Building damages
• Power outages
• Terrorism
• Violence
• Civil Unrest
• Citywide or regional issues
• Health crises

What’s included in a disaster recovery plan?

The exact structure depends on your business, but a disaster recovery strategy typically begins with risk analysis and includes plans for emergency operations, data backup and recovery, redundancy and backup systems, communications, and incident recovery—all supporting the goal of preserving business continuity.

While business continuity and disaster recovery go hand in hand, they’re not interchangeable. A DR plan is more focused than a business continuity plan and does not necessarily cover all contingencies for business processes, assets, human resources, and external partners.

Disasters Are an Ongoing Threat to Business Continuity

Businesses lose a lot to disasters each year—especially catastrophic events such as floods and hurricanes. In 2022, the world suffered $313 billion in losses from natural disasters. But catastrophic events can also be driven by humans. Security breaches are one example of a common and costly human-made disaster, and they can lead to business downtime amounting to about $4.5 million per incident.

Whatever the reason—products aren’t available, stores can’t open, data centers fail, or your teams can’t get to work—everybody suffers. Your company sacrifices revenue, employees miss out on wages, and customers are left unserved. And once that cycle sets in, it can perpetuate itself.

If your business is located in an area susceptible to specific weather events, you absolutely need to plan for natural disasters. For example, plan for hurricanes in southern coastal areas, blizzards in snow-prone areas, or wildfires in the western and southwestern United States.

New market expansion or rapid team expansion can pose an added risk to business recovery, thanks to new processes, equipment, sites, and relationships. But even when it’s business as usual, all it takes is a cyberattack, an unexpected storm, or a chewed-through cable to cause the type of incident that could derail business operations.

If your organization’s disaster recovery plan is nonexistent, outdated, or a glorified checklist, now is the time to review, revise, or create a plan for disaster recovery solutions—before you need it.

Build Your Comprehensive Disaster Recovery Plan in 6 Steps

1. Assess risks and vulnerabilities

The first step is a risk assessment to uncover the threats you’re up against. A threat assessment and business impact analysis (BIA) will help you identify potential disasters and understand the possible consequences.

Take inventory of each functional area of the organization, your sites, people, physical and digital assets, key suppliers, and partners. Document your business’s internal infrastructure and data management to facilitate rebuilding after a disaster, and prioritize components based on their importance to business continuity.

2. Create your team

Decide who will create, update, and execute the plan. This disaster team will spearhead recovery and communication efforts during a crisis.

Assign specific tasks to your disaster recovery team members and document responsibilities, with one person as team leader. Ensure the disaster management team includes representation from each business function and align recovery tasks to each business unit so every department is included.

3. Establish clear objectives and priorities

Define the goals and objectives your recovery efforts will accomplish. Determine what the plan will and won’t cover, and establish critical questions to answer like, “Where do we relocate people or migrate systems?” and “Which applications and infrastructure must be restored immediately in case of a disaster?”

Based on your business impact analysis, define recovery time objectives (RTO) for applications, hardware, equipment, and other critical systems within the business. Recovery point objectives (RPO) are another key metric to establish the maximum allowable data loss in the event of a disaster impacting information systems.

Expressed in seconds, minutes, hours, or days, your RTOs define the acceptable time since the last data recovery point and should be calculated based on their importance. In other words, how long before an outage could a data recovery take place before the business would be impacted negatively?

4. Create a communication plan

During a fire, flood, or other disaster, seconds count and connectivity is the key to maximizing your time. Your crisis communication plan can make the difference between “crisis averted” and catastrophic consequences. In devising a disaster recovery communication plan, prioritize these steps:

Identify key audiences: Determine who will need information during and after a disaster, such as employees, customers, suppliers, city officials, and local first responders. Keep contact information up to date so you can get in touch quickly.

Pro tip: An emergency mass communication system can even help you group audiences that may need different information at different times. By organizing contact groups in advance, you lose no time sending critical messages to ensure people’s safety and mitigate operational disruptions.

Instill a Culture of Preparedness in Your Organization

Ideally, disaster recovery is more than a checklist or an annual compliance exercise. “It has to be built into your organizational DNA.” said Liuzzi. He goes on to say that your chances of success are higher when you “make it part of the business, not separate” and shares some of his best practices for disaster recovery.

Monitor for ongoing threats

As the world’s largest wine and spirits distributor, Southern Glazer’s needs to be alert 24/7 to manage its complex global supply chain. With ongoing threat intelligence, they are the first to know about all types of external risks—upcoming storms, wildfires in impacted areas, demonstrations, or geopolitical upsets. When contextual risk intelligence is built into your emergency preparedness, you’re not spending excessive time and resources monitoring and filtering through potential threats.

Nurture internal and external relationships before an incident happens

As Liuzzi attests from experience, running a successful business continuity program is about being prepared and building a culture where preparedness is not an afterthought. Part of building this level of safety culture is creating partnerships before an incident happens. For example, you could join an industry-specific safety organization. Support local fire, police, and emergency services departments at their events and work with them for company training.

Internally, nurturing a culture of emergency preparedness might look like:

• Proactively providing access to resources like emergency kits and online tools for employee preparedness
• Engaging employees in ongoing training, drills, and testing
  Promoting company values that include situational awareness and company resilience
• Running disaster recovery tabletop exercises as part of a safety meeting
• Partnering with your global security operations center (GSOC) and other org-wide teams to optimize backup and recovery plans
• Winning buy-in from executive stakeholders by tying the value of business continuity to the data they care about

Optimize Your Business Continuity & Disaster Recovery Strategies

You can’t always avoid disasters, but you can prepare for them. A disaster recovery plan helps you recover what is lost (data, physical property, or something else) and get back to running smoothly as soon as possible. More importantly, educating your teams and building ongoing support for disaster recovery and continuity programs will go a long way in helping your organization respond quickly and effectively in an emergency.