How to formulate a disaster recovery plan

What do you think of when you hear the word ‘disaster’? Perhaps it is an earthquake, or a wildfire, or maybe a global pandemic. Have you considered the word disaster in the context of your business? Every year, thousands of businesses face disasters in the form of cyber-attacks or hardware failure. These disasters can disrupt day-to-day business or, in some cases, can put a company out of business entirely.

In business, it is always a good idea to plan for every eventuality. Disasters can strike at any moment and can take various forms. An effective disaster recovery plan will give organisations a process to follow when the unexpected occurs, to ensure as little disruption as possible; the longer an issue is left, the more expensive it becomes. Gartner estimates the average cost of downtime is £4,300 per minute which equals to more than £230,000 an hour.

Free Download: The Ultimate Guide To Staying Safe Online

Failure to implement an effective and well-tested disaster recovery plan means you are unnecessarily exposed if a disaster were to occur. This would not only impact on your finances, business reputation can be severely impacted, and some not survive an incident – according to one survey, 25% of businesses do not open after a disaster.

How to formulate a disaster recovery plan

What is a disaster recovery plan?

A disaster recovery plan is a set of procedures and tools used to recover from disruption to a business’ IT resources. Essentially, it acts as a form of insurance by helping to anticipate technology downtime, then creating contingencies and workarounds that minimise the potential consequences of these likely risks.

While initially the costs may seem high, when a disaster strikes, having one in place could make the difference between just experiencing a bad day in the office, or your company going out of business. Below are five steps to ensure an efficient strategy when formulating a disaster recovery plan.

STEP 1: Assess any potential risks

The first step in disaster recovery planning should be to complete a risk assessment to assess any potential risks. Any event, both natural and man-made, that interrupts access to computer systems, apps or data should be considered as a risk. Some examples of these include:

  • Fires
  • Water pipe breaks
  • System failures (hardware and software)
  • Accidental errors
  • Malicious errors

Business risk analysis should be also be completed alongside the risk assessment. This is where the likelihood of each risk occurring, and the damage each one can cause is identified.

You won’t be able to plan for every threat, which is why the team dealing with the DR planning will need to decide which pose the biggest problems. The key is not to try to defend against every danger, but to have a detailed picture of the potential risks, an understanding of their probability, the consequences if occurred, and how long it takes to recover from them.

STEP 2: Audit all IT resources 

If you want to return to ‘normal’, you need to know what your organisations ‘normal’ is. Take time to go through all the IT resources you have in place, both hardware and software, make a detailed inventory of them and then a note of all the essential parts which keep your business operating.

By creating an inventory of all of the IT resources your business network includes, as well as the data each of these holds and how essential they are, it will be easier to streamline your recovery process. As a result, backing up and recovering information or resources in the future will be more efficient should a disaster strike.

STEP 3: Set recovery objectives 

Now that you have identified your risks and their damage, as well as the state of your IT resources when operating at normal, you need to set recovery ‘objectives’ or ‘goals’. Setting these are essential if you want an effective disaster recovery plan.

The best way to do this is to set a recovery point objective (RPO) and a recovery time objective (RTO) for each key resource, and if necessary, each key component. An RPO is the recovery window – how long you in which you must recover, and an RTO sets how far back you need to go when recovering data.

For each IT resource, metrics will differ, making it harder to reconcile them all at once. For example, if you’re an organisation with large volumes of significant valuable data, you may struggle with a short RTO, so data recovery would need to be tiered. Less important parts of this data that aren’t accessed all the time may be given lower priority as a result – assigning longer recovery time and not prioritising frequent backups.

These metrics, in turn, end up being tied into further measures that ensure resilience and availability. For example, for businesses that are reliant on their customers who are less tolerant of downtime, contingency plans, such as staff working from home using cloud-based applications may be included.

STEP 4: Establish roles and responsibilities in response plan

When everyone knows what to do in response to a major incident, your disaster recovery plan will be more effective. Therefore, you should ensure every employee in your organisation knows their role to play in the plan.

Company intranets are good places to document any disaster recovery information as all employees whether they’re office based or remote based can inform themselves. In addition to documenting, appropriate training should be given to all employees – and it should not be a one-time thing. To have the most effective DR plan, employees will be regularly trained on any changes to ensure as minimal disruption when the unexpected occurs.

Beyond this, you should form a DR response team that includes experts not just from IT to cover all areas in the organisation. For example, those from HR, legal and business operations. This team need to be aware of how they can communicate in a disaster and should always take part in any DR exercises, so they are familiar with the role they play when disaster strikes.

STEP 5: Test the plan

The worst thing a business can do is formulate a disaster recovery plan, then leave it. The most effective DR plans are ones that go through a continuous process of being tested, reviewed and updated.

“Firms may have written plans and procedures, but they may not be practical or widely known and aren’t actually then applied in a crisis,” comments Samuel Ingrey, a disaster recovery specialist at PA Consulting.

“Firms need a clear decision-making structure and playbooks that have been agreed and refined through practice and testing, and easy-to-understand approaches like a gold, silver and bronze command structure. These are of more practical use to firms during a disaster than a detailed 100-page manual.”

Testing your plan is the best way to expose any weaknesses or problems you weren’t already aware of. Anything learnt from the testing phrase needs to be documented and addressed as soon as possible. From this, teams can feed the knowledge back into other stages of the DR planning process which helps to fine-tune the plan as they go.

If you don’t test, you know whether your plan is resilient enough to perform well under pressures or if it even works at all.


These days, technology plays a substantial role in ensuring business operations stay up and running. Unfortunately, because of this reliance, a short-term problem can quickly evolve into a long-term operational and financial disaster if a disaster recovery plan is not put in place effectively or at all.

Our five steps start you at the beginning of the DR planning process by getting you to complete a full risk assessment and business risk analysis, then gradually guide you onto other key areas of the process such as auditing, setting objectives and testing. If you are not tech savvy and don’t feel confident in complete these steps yourself, many IT providers offer DR as a Service (DRaaS) which helps with the creation and management of DR plans. For businesses where IT is not their main area of business, we highly recommend it. Not only will the help give you peace of mind you have an effective plan in place that has been formulated by professionals, but it will free you up to focus on more important areas of business.

The entrust IT Group have over a decade of experience in helping businesses formulate disaster recovery plans. We also have a number of solutions which have acted as part of many businesses DR plans. For example, our cloud backup is usually chosen because data remains safe should your office be at risk from disasters such as fires, flood or employee theft.

In the current climate, organisations are facing a growing number of threats through widespread work-from-home practises. As a result, defences are being challenged and weaknesses are being exposed more than ever before. Formulating a disaster recovery plan has never been more important. Please get in touch with a member of the team on 0330 002 0045 or email if you think you could benefit from our help.

New call-to-action

Subscribe Here!

Recent Posts

Posts by Tag

See all