IT and Business Insights for SMB Solution Providers

Developing a Disaster Recovery Plan

Information Gathering

  • Determine which senior executive(s) will have overall responsibility for disaster recovery.
  • Have this executive appoint a disaster recovery coordinator.
  • Appoint a disaster recovery team leader for each operational unit, such as the server backup or the telephone system.
  • Convene the disaster recovery planning team and sub-teams as appropriate. Working with senior executives responsible for disaster recovery, the disaster recovery coordinator should identify the following:
    • Scope — the areas to be covered by the disaster recovery plan
    • Objectives — what is worked toward and the course of action that the disaster recovery team intends to follow
    • Assumptions — what is being taken for granted or accepted as true without proof?
  • Set a project timetable and draft project plan, including assignment of task responsibilities.
  • Obtain senior management’s approval for scope, objections, assumptions and project plan.

Conduct the Business Impact Analysis

  • Identify which business departments, functions or systems are most vulnerable to potential threats, what the potential types of threat are, and what effect each identified potential threat would have on each of the vulnerable areas within the organization.

    • Identify functions, processes and systems.
    • Interview information systems support personnel.
    • Interview business unit personnel.
    • Analyze results to determine critical systems, applications and business processes.
    • Prepare impact analysis on interruption on critical systems.


Conduct Risk Assessment

  • Work with the organization’s technical and security person to determine the probability of each functional business units’ critical systems becoming severely disrupted. Document the amount of acceptable risk the business unit can tolerate. For each critical system, the following information needs to be provided:

    • Review physical security. (i.e., secure office, building access off hours, etc.).
    • Review backup systems and data security.
    • Review policies on personnel termination and transfer.
    • Identify systems supporting mission-critical functions.
    • Identify vulnerabilities, such as physical attacks, or acts of God, such as floods.
    • Assess probability of system failure or disruption.
    • Prepare risk and security analysis.


Develop Strategic Outline for Recovery

  • Assemble groups as appropriate for the following:

    • hardware and operating systems
    • communications
    • applications
    • facilities
    • other critical functions and business processes as identified in the Business Impact Analysis step
  • For each of the above systems/processes quantify the following processing requirements:
    • light, normal, and heavy processing days
    • transaction volumes
    • dollar volume, if any
    • estimated process time
    • allowable delays (days, hours, minutes, etc.)
  • Detail all the steps in workflow for each critical business function. (For example, for payroll processing, include all of the steps and the order in which the steps must be completed.)
  • Identify systems and applications:
    • component name and technical identification, if any
    • type (online, batch process, script)
    • frequency
    • run time
    • allowable delay (days, hours, minutes, etc.)
  • Identify all vital records:
    • name and description
    • type (backup, original, master, history)
    • storage location
    • source of item or record
    • ease of replacement by another source
    • backup and backup generation frequency
    • number of backup generations available onsite and offsite
    • location of backups
    • media key, retention period, rotation cycle
    • person authorized for backup retrieval
  • Identify what the minimum requirements or replacement of the critical function during the disruption would be if a severe disruption occurred:
    • type (server hardware, software, research materials, etc.)
    • item name and description
    • quantity required
    • location of inventory, alternative, or offsite storage
    • vendor/supplier
  • Identify if alternative methods of processing either exist or could be developed, quantify processing (include manual processes).
  • Identify person(s) who support the system or the application.
  • Identify both primary and secondary person to contact if system or application cannot function as normal.
  • Identify all vendors associated with the system or application.
  • Document business unit strategy during recovery (conceptually how the unit will function).
  • Quantify resources required for recovery by time frame.
  • Develop and document recovery strategy, including priorities for recovering system/function components, and recovery schedule.


Review Onsite and Offsite Backup and Recovery Procedures

  • Review current records (operating systems, code).
  • Review current offsite storage facility or arrange for facility.
  • Review backup and offsite backup storage policies or create them.
  • Present to functional business unit leader for approval.


Select Alternate Facility

  • Determine resource requirements.
  • Assess platform uniqueness of unit systems (Macintosh, IBM, Oracle, etc.).
  • Identify alternative facilities.
  • Review cost/benefit.
  • Evaluate and make recommendation.
  • Present to business unit leader for approval.
  • Make selection.



Develop Recovery Plan

  • Determine objective — This may have been documented in the information gathering phase. Establish information for each business unit.
  • Plan assumptions.
  • Develop criteria for invoking the plan:
    • Document emergency response procedures to occur during and after an emergency is declared for that business unit, and after the emergency check the building before allowing individuals to enter.
    • Document procedures for assessment and declaring a state of emergency.
    • Document notification procedures for alerting all senior management executives, disaster recovery team members, and business unit executives.
    • Document notification procedures for alerting business unit’s personnel of alternate location.
  • Define role responsibilities and authority:
    • Identify disaster recovery team and business unit personnel.
    • Determine recovery team description and charge.
    • Determine recovery team staffing.
    • Create transportation schedules for media and teams.
  • Create procedures for operating in contingency mode:
    • Create process descriptions.
    • Determine minimum processing requirements.
    • Determine categories for vital records.
    • Identify location of vital records.
    • Identify forms requirements.
    • Document critical forms.
    • Establish equipment descriptions.
    • Document equipment — at the recovery site and in the business unit.
    • Create software descriptions.
    • Determine software used in recovery and in production.
    • Produce logical drawings of communication and data networks in the business unit.
    • Produce logical drawings of communication and data networks during recovery.
    • Produce a list of all vendors.
    • Review vendor restrictions.
    • Determine miscellaneous inventory.
    • Determine communications needs — production and in the recovery site.
  • Document resource plan for operating in contingency mode.
  • Develop criteria for returning to normal operating mode.
  • Develop procedures for returning to normal operating mode.
  • Perform testing and training:
    • Document testing data.
    • Complete disaster/disruption scenarios.
    • Develop action plans for each scenario.
  • Implement plan maintenance:
    • Document maintenance review schedule (yearly, quarterly, etc.).
    • Develop maintenance review action plans.
    • Create maintenance review for recovery teams.
    • Perform maintenance review of team activities.
    • Perform maintenance review/revise tasks.
    • Perform maintenance review/revise documentation.
  • Include appendices:
    • inventory and report forms
    • maintenance forms
    • hardware lists and serial numbers
    • software lists and license numbers
    • contact list for vendors
    • contact list for all staff with telephone numbers for home, work numbers, cell phone, and pager
    • network schematic diagrams
    • equipment room floor grid diagrams
    • contract and maintenance agreements
    • special operating instructions for sensitive equipment
    • cellular telephone inventory and agreement


  • Develop test strategy.
  • Develop test plans.
  • Conduct tests.
  • Modify the plan as necessary.


  • Review changes in the environment, technology and procedures.
  • Develop maintenance triggers and procedures.
  • Submit changes for system development procedures.
  • Modify unit change management procedures.
  • Produce plan updates and distribute.
  • Establish periodic review and update procedures.

The post Developing a Disaster Recovery Plan appeared first on SPC Managed Services Blog for MSPs.

About the Author

Erick Simpson's picture

A Technology Businesses and Channel Growth and Transformation Consultant | Business Process Improvement, M&A and Integration Expert

Co-Founder of one of the first "Pure Play" MSPs in the industry, and creator of the MSP Mastered™ Methodology for Managed Services business performance improvement and the Vendor Channel Maturity Level Index™ that identifies IT channel program maturation for strategic growth, Erick Simpson is a strategic technology business growth and transformation specialist. He is experienced in improving top and bottom-line business performance by increasing operational efficiencies, boosting marketing and lead generation outcomes, accelerating sales velocity, shortening sales cycles and maximizing service efficiencies.

With over 30 years of experience in the IT industry as an Enterprise CIO, MSP, Strategic Coach and Consultant, Erick is a Business Process Improvement Expert with hundreds of successful IT Solution Provider, MSP, Cloud and Security practice business improvement consulting engagement outcomes.

One of the most prolific, recognized and sought-after  business improvement and transformation experts, authors and speakers in the industry, Erick has contributed to numerous industry publications and spoken at hundreds of events.

His published works include "The Guide to a Successful Managed Services Practice"; the definitive book on Managed Services, “The Best I.T. Sales & Marketing BOOK EVER!”, “The Best I.T. Service Delivery BOOK EVER!” and “The Best NOC and Service Desk Operations BOOK EVER!”, along with 50 Best Practice Guides.

Consulting Services for MSPs and Channel Vendors:



ChannelPro SMB Magazine

Get an edge on the competition

With each issue packed full of powerful news, reviews, analysis, and advice targeting IT channel professionals, ChannelPro-SMB will help you cultivate your SMB customers and run your business more profitably.