Create a Right-Sized Disaster Recovery Plan
Close the gap between your DR capabilities and service continuity requirements.
This content requires an active subscription.
Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.
View Storyboard
Contributors
- Bernard Jones (MBCI, CBCP, CORP, ITILv3), Owner/Principal, B Jones BCP Consulting, LLC
- Paul Beaudry, Assistant Vice-President, Technical Services, MIS, Richardson International Limited
- Yogi Shulz, President, Corvelle Consulting
Note: Additional organizations were interviewed but requested anonymity. In addition, feedback from conducting our DRP workshop (based on the methodology in this blueprint) was incorporated into this research.
Your Challenge
- Traditional Disaster Recovery Plan (DRP) templates are onerous and result in a lengthy, dense plan that might satisfy auditors but is not effective in a crisis.
- Similarly, the myth that a DRP is only for major disasters and should be risk-based leaves organizations vulnerable to more common incidents.
- The increased use of cloud vendors and co-lo/MSPs means you may be dependent on vendors to meet your recovery timeline objectives.
Our Advice
Critical Insight
- DR is about service continuity — that means accounting for minor and major events.
- Remember Murphy’s Law. Failure happens, so focus on improving overall resiliency and recovery, rather than basing DR on risk probability analysis.
- Cost-effective DR and service continuity starts with identifying what is truly mission critical so you can focus resources accordingly. Not all systems require fast-failover capability.
Impact and Result
- Create an effective DRP by following a structured process to discover current capabilities and define business requirements for continuity, not by completing a one-size-fits-all traditional DRP template. This includes:
- Defining appropriate objectives for maximum downtime and data loss based on business impact.
- Creating a DR project roadmap to close the gaps between your current DR capabilities and recovery objectives.
- Documenting an incident response plan based on a tabletop planning walkthrough that captures all of the steps from event detection to data center recovery.
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should create a right-sized DRP. Review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
1. Define parameters for the DRP
Determine what would be required to recover from an incident and resume operations.
2. Determine the desired recovery timeline
Set appropriate recovery timeline targets based on business impact.
3. Determine the current recovery timeline and DR gaps
Identify the gap between achievable and desired recovery capability.
4. Create a project roadmap to close DR gaps
Summarize the results of the DRP pilot and create a DRP project roadmap to achieve the desired recovery timeline.
Guided Implementations
This guided implementation is a twelve call advisory process.
Guided Implementation #1 - Define parameters for your DRP
Call #1 - Leverage Info-Tech’s DRP Project Charter Template to clarify expectations.
Call #2 - Determine current DRP gaps through a DRP maturity scorecard.
Call #3 - Document key applications and dependencies.
Guided Implementation #2 - Determine the desired recovery timeline
Call #1 - Define an objective scoring scale to indicate different levels of impact.
Call #2 - Define the criticality of each application.
Call #3 - Identify desired RTOs and RPOs based on business impact.
Guided Implementation #3 - Determine the current recovery timeline and DR gaps
Call #1 - Conduct a tabletop planning exercise based on current capabilities.
Call #2 - Analyze RTO and RPO gaps.
Call #3 - Conduct a high-level risk assessment to identify additional vulnerabilities.
Guided Implementation #4 - Create a project roadmap to close DR gaps
Call #1 - Prioritize each project and establish a project roadmap.
Call #2 - Conduct a tabletop planning exercise to define the desired state.
Call #3 - Complete the DRP and review the DRP roadmap.
Info-Tech Academy
Get Info-Tech Certified
Train your staff and develop a world-class IT team.
New to Info-Tech Academy? Learn more here
Disaster Recovery Planning Course
Close the gap between your DR capabilities and service continuity requirements.
This course makes up part of the Security & Risk Certificate.
Course information:
- Title: Disaster Recovery Planning Course
- Number of Course Modules: 4
- Estimated Time to Complete: 2-2.5 hours
- Featured Analysts:
- Frank Trovato, Research Director, Infrastructure Practice
- Eric Wright, SVP of Research and Advisory
- Now Playing: Executive Brief
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Define Parameters for Your DRP
The Purpose
Identify key applications and dependencies based on business needs.
Key Benefits Achieved
Understand the entire IT “footprint” that needs to be recovered for key applications.
Activities
Outputs
Assess current DR maturity.
- Current challenges identified through a DRP Maturity Scorecard.
Determine critical business operations.
Identify key applications and dependencies.
- Key applications and dependencies documented in the Business Impact Analysis (BIA) Tool.
Module 2: Determine the Desired Recovery Timeline
The Purpose
Quantify application criticality based on business impact.
Key Benefits Achieved
Appropriate recovery time and recovery point objectives defined (RTOs/RPOs).
Activities
Outputs
Define an objective scoring scale to indicate different levels of impact.
- Business impact analysis scoring criteria defined.
Estimate the impact of downtime.
- Application criticality validated.
Determine desired RTO/RPO targets for applications based on business impact.
- RTOs/RPOs defined for applications and dependencies.
Module 3: Determine the Current Recovery Timeline and DR Gaps
The Purpose
Determine your baseline DR capabilities (your current state).
Key Benefits Achieved
Gaps between current and desired DR capability are quantified.
Activities
Outputs
Conduct a tabletop exercise to determine current recovery procedures.
- Current achievable recovery timeline defined (i.e. the current state).
Identify gaps between current and desired capabilities.
- RTO/RPO gaps identified.
Estimate likelihood and impact of failure of individual dependencies.
- Critical single points of failure identified.
Module 4: Create a Project Roadmap to Close DR Gaps
The Purpose
Identify and prioritize projects to close DR gaps.
Key Benefits Achieved
DRP project roadmap defined that will reduce downtime and data loss to acceptable levels.
Activities
Outputs
Determine what projects are required to close the gap between current and desired DR capability.
- Potential DR projects identified.
Prioritize projects based on cost, effort, and impact on RTO/RPO reduction.
- DRP project roadmap defined.
Validate that the suggested projects will achieve the desired DR capability.
- Desired-state incident response plan defined, and project roadmap validated.
Module 5: Establish a Framework for Documenting Your DRP, and Summarize Next Steps
The Purpose
- Outline how to create concise, usable DRP documentation.
- Summarize workshop results.
Key Benefits Achieved
- A realistic and practical approach to documenting your DRP.
- Next steps documented.
Activities
Outputs
Outline a strategy for using flowcharts and checklists to create concise, usable documentation.
- Current-state and desired-state incident response plan flowcharts.
Review Info-Tech’s DRP templates for creating system recovery procedures and a DRP summary document.
- Templates to create more detailed documentation where necessary.
Summarize the workshop results, including current potential downtime and action items to close gaps.
- Executive communication deck that outlines current DR gaps, how to close those gaps, and recommended next steps.
After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.
Client
$ Saved
Days Saved
Testimonial
Cheshire Medical Center
N/A
15
Introduced a good methodology for documenting DR plan and gave insights into what's realistic to expect. Downside is the project was just a kick-off and much work remains!
City of Lethbridge
$30,000
30
Best: The resources provided and experience brought to the engagement. Frank and David were great. Worst: Looking backwards is 20/20; doing this again I would have included a larger distribution of business leaders. Nothing should be changed on the workshop side. It went well.
City of Santa Fe
$328K
30
The facilitator was knowledgeable, flexible, credible and had a proven approach for developing a plan.
Elementis Specialities
$65,617
N/A
The workshop was very useful for Elementis.
Global Partners LP
$13,123
N/A
Best: The methodology and knowledge of the workshop facilitators.
London Health Sciences Centre
$2,501
11
Best: Participant learning of DRP process and also internal workings and processes. Clear methodology and direction to implementing DRP for the organization. A lot learned in a short period of time. Worst: Ensuring the right people were at the table for focus portions of workshop.
Marsh Supermarkets
N/A
90
The sessions went very well. The facilitation was very good. We plowed through a ton of material and my staff walked away with a much better understanding of the process. I would say it was eye opening to them. I can't think of anything that wasn't good, other then I was sick that week. Overall, Frank did a great job!
Messer
$26,247
15
Best: Getting my team all on the same page, all speaking the same language. Worst: The amount of content can be daunting. Not sure we can get to everything we would want to.
Moog Inc.
N/A
N/A
This workshop was to bring the different Moog IT teams together to work on DR within the same framework. There was no day or $ savings. It was arranged to work collaboratively and using the same framework. It was a very good use of our time.
Niagara Health System
N/A
N/A
Best: The Info-Tech team was knowledgeable, experienced, friendly and provided excellent information, feedback and facilitation to get us going. Worst: I would say there really wasn't any related to Info-Tech, but the amount of work remaining for us is quite daunting.
Office of the Ombudsperson
$5,000
90
Brought the C level to the table and spelled out their expectations on what is or is not critical.
Peoples Bank
$26,247
5
Best - excellent consultants with exactly the skillsets and experience we needed. Worst - not enough time to get the full BIA completed, but we're well on our way.
TRAC Intermodal
N/A
15
Too soon to tell dollar value.
Client
Facilitator(s) effectiveness
INFO & materials effectiveness
Overall experience
Understanding of next steps
Testimonial
Rend Lake College
10.0
10.0
10.0
8.0
The workshop has really given us a good springboard to talk with our board and our upper management to indicate where IT is as a whole, things that we need in the future, and possible pitfalls. As a whole, I think we are much better prepared to respond to disasters following this workshop. We had identified critical systems before, but we had not gone to the depth we did in the workshop. We expanded it tenfold. We are better able to articulate the justification for future investment in DR than we were. We're really proud to have hosted this workshop, and just so thankful to Info-Tech for being able to do it for us. We found this workshop to be incredibly valuable in that it was reasonably priced and resulted in a wealth of information and tactics.
Centrastate Healthcare Systems
9.0
9.0
9.0
9.0
Braun Intertec Corporation
10.0
10.0
9.0
The London Public Library Board
9.0
9.0
9.0
9.0
Portage College
8.0
8.0
8.0
7.0
Hartford Community College
8.5
8.0
9.0
9.0
The way that Info-Tech does disaster recovery is to tackle it from a business continuity perspective. I like the way that they did it; it was refreshing and helped me get different members of my team on the big picture. I really like the practical aspect of it. That's where the value is derived. It helped to give me action items that I can also take higher up the food chain. A lot of times in disaster recovery exercises they use scare tactics, something that's highly improbable. I liked the Info-Tech table-top exercise because it is very practical. Rather than saying there's a thermonuclear meltdown, or zombies are coming, we actually took something that could happen; there's a fire in the building, and now they have to shut off gas and electricity. What do we do? For some of the members of the team, it was eye-opening. If we put a couple of key things in place, it makes a huge difference. It was excellent. We had a shortcoming when it came to disaster recovery, and in some cases just business continuity. This helped me to bring it to light with the other members of the team.
Farm Credit Services Central IL
10.0
10.0
10.0
10.0
It turned out to be a great team-building exercise. We were elbow-to-elbow for a week. It's hard to get any team that's in technology to pull up and be strategic, and Info-Tech did a good job of making sure we were there with each other. At the end of it, all my staff were very happy that I put them through the workshop and we felt that we're very well armed for what we need to do. I was pleasantly surprised at the level of expertise, the engagement, the passion we had around the conversation. I just didn't know how much we were able to get from Info-Tech. This was a great start for us. The table-top exercise was exceptionally enlightening. We as a team were engaged with it, joking and arguing at the same time. To see the results, and then have something tangible -- I feel honored to be able to say to my senior staff, "Here's where we're at. Here's why we need to do this." Most people think you just do a DR test once a year and that should be okay. We thought through it; "how would this actually work?" I adamantly give it a 10. You hit a home run. When I saw the presentation that was put together, aligned with everything I wanted to do this year and gave us the roadmap for what we need to be. I just talked to my CFO about it, and he said "Okay!"
Assurance Agency
10.0
10.0
10.0
10.0
Not only was the material relevant, but as we worked through things over the span of the week we figured out what's useful and what's not useful for the next day or the next several hours. It continued to be more and more relevant as time went on. The exercises were nice and methodical. Going through a process like that and having it already laid out not only made it easier and more efficient, but gave us a consistent outcome. The outcome especially after including various groups of people from my team, to business leaders, to interior operational leaders, and so on, helped us to really set a path that was tied to what business needs. From a DR perspective, several of the things that we did over the week pointed out a few extra things my team really needed to do that we hadn't considered yet. I was really happy with the outcome there. There were a few shortcomings in the data center that we'd built in terms of equipment or roles of that equipment that we really hadn't thought all the way through. Those were big because those make our data center even more responsive in terms of being able to get ourselves back online after a disaster.
Tikinagan Child & Family Services
9.0
9.0
9.0
9.0
The Corporation of the City of Timmins
9.5
9.0
9.5
9.0
Madison Dearborn Partners
10.0
10.0
10.0
10.0
Zoological Society of San Diego
10.0
10.0
10.0
10.0
DRP is one of those subjects that's easy to put off. I decided to draw a line in the sand and have the workshop. It's probably the best investment we've made in IT in general in terms of our ability to get a better handle on where we are and where we need to be. One of the things I've been so impressed with Info-Tech about has been that not only do you say "Here are best practices," but "Here are tools to help you get started in emulating those best practices." That's really been helpful for me. Never having done an Info-Tech workshop before, it was an eye-opening experience that really helped us focus our attention where it needed to be focused and left us with a set of tools that we can now pick up and start to advance the ball down the field.
Teva Canada
9.0
10.0
10.0
9.0
Takasago International Corporation (U.S.A)
10.0
10.0
10.0
10.0
