Earthquake. Windstorm. Cyberattack. Disaster can come from any direction, and there is no way to predict a disaster or to prevent one from occurring. Disaster can strike at any time, and small businesses are particularly vulnerable to the ensuing disruption of their operations.
Essential for Every Business
Although we cannot predict or prevent disaster, it is possible to develop disaster recovery plans. A disaster recovery plan is essential for every business, regardless of size, to mitigate loss, minimize the impact, protect critical assets and help ensure business continuity.
What is a disaster recovery plan?
A disaster recovery plan documents the procedures to follow in the event of a disaster so that the entire team can immediately begin to recover and resume operations. In this article, we will outline the steps owners or managers can follow to develop an effective disaster recovery plan for their business.
Identify Potential Disasters
The first step in creating a disaster recovery plan is to identify the potential disasters that are applicable to the business. Every region has a history of recurring natural disasters, such as hurricanes, earthquakes or flooding. In addition to natural disasters, some small businesses are also vulnerable to man-made disasters, such as arson, terrorism, power outage or cyberattack.
Rank the Likelihood of Potential Disasters
Once potential disasters have been identified, the next step is to assess the likelihood and impact of each type of disaster. A business in Los Angeles faces essentially zero risk of a hurricane, but a very significant risk from earthquake. For a business in Miami, that situation is reversed.
In any region, research the records of major fires, storms and flooding. History confirms what has happened in the past with regard to catastrophic weather events or seismic activity, and history is the best guide to how likely it is to happen again.
Bear in mind that while each natural disaster has a regional probability, a man-made disaster, such as terrorism or cyberattack, can happen anywhere.
Rank the Impact of Potential Disasters
Evaluating the impact of a likely disaster will require the owner or manager to think through a worst-case scenario for each type of disaster.
- Which employees are willing and able to assist with an emergency response plan?
- What physical damage could impact vehicles, inventory, business records and customer data?
- In a flood, what would water incursion do to the building, equipment and furnishings?
- In an earthquake, how would the business respond to an order to stay out of the building?
- How will sales and other important records be brought up to date after a cyberattack?
- What if the primary location is intact, but key elements of the supply chain are lost?
Prioritize Business Operations
The next step in creating a disaster recovery plan is to prioritize the operations of the business. This involves a gap analysis that ranks each function and determines which are considered essential to the continuation of the business.
For example, a small business may prioritize customer service, shipping and payroll processing during disaster recovery, while assigning a lower priority to design, inventory management or advertising.
Determine the Maximum Tolerable Downtime (MTD)
Once critical functions are identified, the next step in a business impact analysis is to determine how long each function can remain out of operation before there is serious harm to the business. This is known as maximum tolerable downtime (MTD). For example, if five days without shipping would begin to have a negative impact, then the MTD for the shipping function is four days.
With an understanding of MTDs for critical operations, the plan can include specific recovery objectives.
Determine Recovery Time and Recovery Point Objectives
Recovery time objectives (RTOs) are targets for how much time is needed to restore a system or process. For example, after a flood at the main location, the business will need a minimum of eight hours to put customer service back online at an alternate location.
Recovery point objectives (RPOs) sound similar, but they refer to the key points at which the business must complete a recovery element. As an example of a recovery point objective, it must take no more than 12 hours to have customer service back online and capable of scheduling orders.
In the confusion that may follow a disaster, RTOs and RPOs can provide small business owners and their teams with recovery strategies to make sure they are investing in the right recovery procedures, driving the business continuity plan forward to recovery.
Essential Elements of a Disaster Recovery Plan
With potential disasters identified and critical functions prioritized, the owner or manager is ready to outline a disaster recovery plan. Effective disaster recovery plans should include the following elements:
- Emergency Response Procedures: Document all procedures for shutting down operations, evacuating the building, dealing with injuries and re-entering the building to assess damage. Assign responsibilities to key people, make it clear who will handle each task and identify a backup for each function.
- Emergency Communications Plan: Maintain a database with contact details of employees, customers and vendors who will need to be notified of the disaster and positive business continuity plans, as well as updates on the state of the business. The business recovery plan should put special emphasis on communications strategy with major clients.
- Data Backup and Recovery: Disciplined data backup is a habit that must be established before disaster strikes. IT resources and alternate systems for data recovery and accounting re-start should also be identified in the action plan.
- Alternate Work Locations: All employees should have a plan in place for how and under what circumstances they are to work from home. Operations that require team attendance should be able to move to alternate locations where work can continue if the primary work location is inaccessible.
- Vendor and Supplier Relations: Critical vendors and suppliers should be involved early in the development of the disaster recovery plan. They will appreciate the opportunity and will have valuable input into plans for emergency communication, logistics and contingencies.
- Financial Recovery: Sufficient coverage with property insurance can mitigate risks to property, and business interruption insurance policies can support recovery from disaster. Along with property values and lost income, consider the indirect costs of downtime.
- Government Help: For information about government support for disaster preparedness and recovery, visit this Small Business Administration link: resources for disaster survivors.
When Data is Critical
Backup systems are an important disaster recovery tool for every business, but for those businesses with high volumes of transaction and customer data storage, backups can make all the difference between coming back or going under.
Data-intensive businesses need full backups of databases, as well as incremental backups of daily changes. One of the simplest backup options is a portable drive, taken off site and stored in a fire-proof safety deposit box. Cloud backups are convenient and provide an extra layer of protection against data loss.
Finally, smaller businesses with limited IT resources should consider disaster recovery as a service (DRaaS). These cloud-based solutions and other third-party services provide data backup, replication and recovery.
Train for Disaster
Creating a disaster plan is only the first step. All employees must be trained on their roles, responsibilities and expected actions in response to a disaster.
Test the Plan
To test a disaster plan, the business owner can declare a simulated disaster, asking employees to respond just as they would in a real emergency. Simulations are an excellent way to identify gaps in protection or weaknesses in documented procedures. All participants in a simulation should be encouraged to offer constructive criticism of existing protocols or new ideas to make the action plan stronger.
Review and Update Annually
Finally, an effective disaster plan should be reviewed at least annually. Changes in the business will make some procedures obsolete. Staff turnover will require new assignments for some responsibilities. Growth may require updated insurance policies. New tools may alter the primary objectives of the plan. Review the disaster plan with the management team, key employees and with an experienced insurance advisor.
- Disaster planning is essential for every business of every size.
- Identify which types of disasters potentially threaten the business.
- Rank the likelihood and probable impact of potential disasters.
- Prioritize each process to identify the critical operations.
- Determine a maximum tolerable downtime (MTD) for each operation.
- Determine recovery time and recovery point objectives.
- Develop the essential elements of a disaster recovery plan.
- Train the team to know their roles and responsibilities.
- Test the plan to identify gaps and weaknesses.
- Review and update the plan at least annually.
The Bottom Line
No business, large or small, should operate without a comprehensive disaster recovery plan. No business can foresee disaster or avoid the impact when disaster strikes. But any business can mitigate the risk and minimize the impact by developing an effective disaster recovery plan, training the company team to execute the plan and reviewing the plan with an experienced insurance advisor.