Recovery strategies

A disaster recovery strategy should start at the business level and determine which applications are most important to running the organization. The RTO describes the target amount of time a business application can be down, typically measured in hours, minutes or seconds. The RPO describes the previous point in time when an application must be recovered.

Recovery strategies define an organization's plans for responding to an incident, while disaster recovery plans describe how the organization should respond.

In determining a recovery strategy, organizations should consider such issues as:

  • Budget

  • Resources -- people and physical facilities

  • Management's position on risks

  • Technology

  • Data

  • Suppliers

Management approval of recovery strategies is important. All strategies should align with the organization's goals. Once disaster recovery strategies have been developed and approved, they can be translated into disaster recovery plans.

Disaster recovery planning steps

The disaster recovery plan process involves more than simply writing the document.

In advance of the writing, a risk analysis and business impact analysis help determine where to focus resources in the disaster recovery planning process. The BIA identifies the impacts of disruptive events and is the starting point for identifying risk within the context of disaster recovery. It also generates the RTO and RPO. The RA identifies threats and vulnerabilities that could disrupt the operation of systems and processes highlighted in the BIA. The RA assesses the likelihood of a disruptive event and outlines its potential severity.

Business Continuity Planning

A good business continuity plan should clearly state the business' essential functions in writing. The document should identify and prioritize which systems and processes must be sustained and provide the necessary information for maintaining them.

A business continuity plan should include the following information:

  • Employee contact list

  • Key supplier/vendor information

  • Key contacts

  • Prioritized list of critical business functions

  • Recovery locations

  • Copies of essential records

  • Critical telephone numbers

  • Critical supplies list

  • Inventory of the company's equipment/machinery/vehicles

  • Invntory of the company's computer equipment and software

  • List of communication venues

  • Disaster response plan