Our systems detected an issue with your IP. If you think this is an error please submit your concerns via our contact form.

Infrastructure Operations icon

What is a right-sized disaster recovery plan?

Close the gap between your DR capabilities and service continuity requirements.

  • What is a right-sized disaster recovery plan? It's a concise and effective plan to support IT service continuity.
  • Any time a natural disaster or major IT outage occurs, it increases executive awareness and internal pressure to create a disaster recovery plan (DRP), a specific set of requirements that allow an organization to remain effective in the event of an outage, tailored to an organization’s specific needs.
  • Traditional DRP templates are onerous and result in a lengthy, dense plan that might satisfy auditors but will not be effective in a crisis.
  • The myth that a DRP is only for major disasters leaves organizations vulnerable to more common incidents.
  • The growing use of outsourced infrastructure services has increased reliance on vendors to meet recovery timeline objectives.

Our Advice

Critical Insight

  • At its core, disaster recovery (DR) is about ensuring service continuity. Create a plan that can be leveraged for both isolated and catastrophic events.
  • Remember Murphy’s Law. Failure happens. Focus on improving overall resiliency and recovery, rather than basing DR on risk probability analysis.
  • Cost-effective DR and service continuity starts with identifying what is truly mission critical so you can focus resources accordingly. Not all services require fast failover.

Impact and Result

  • Define appropriate objectives for service downtime and data loss based on business impact.
  • Document an incident response plan that captures all of the steps from event detection to data center recovery.
  • Create a DR roadmap to close gaps between current DR capabilities and recovery objectives.

What is a right-sized disaster recovery plan? Research & Tools

1. Disaster Recovery Plan (DRP) Research – A step-by-step document that helps streamline your DR planning process and build a plan that's concise, usable, and maintainable.

Any time a major IT outage occurs, it increases executive awareness and internal pressure to create an IT DRP. This blueprint will help you develop an actionable DRP by following our four-phase methodology to define scope, current status, and dependencies; conduct a business impact analysis; identify and address gaps in the recovery workflow; and complete, extend, and maintain your DRP.

2. DRP Case Studies – Examples to help you understand the governance and incident response components of a DRP and to show that your DRP project does not need to be as onerous as imagined.

These examples include a client who leveraged the DRP blueprint to create practical, concise, and easy-to-maintain DRP governance and incident response plans and a case study based on a hospital providing a wide range of healthcare services.

3. DRP Maturity Scorecard – An assessment tool to evaluate the current state of your DRP.

Use this tool to measure your current DRP maturity and identify gaps to address. It includes a comprehensive list of requirements for your DRP program, including core and industry requirements.

4. DRP Project Charter Template – A template to communicate important details on the project purpose, scope, and parameters.

The project charter template includes details on the project overview (description, background, drivers, and objectives); governance and management (project stakeholders/roles, budget, and dependencies); and risks, assumptions, and constraints (known and potential risks and mitigation strategy).

5. DRP Business Impact Analysis Tool – An evaluation tool to estimate the impact of downtime to determine appropriate, acceptable recovery time objectives (RTOs) and recovery point objectives (RPOs) and to review gaps between objectives and actuals.

This tool enables you to identify critical applications/systems; identify dependencies; define objective scoring criteria to evaluate the impact of application/system downtime; determine the impact of downtime and establish criticality tiers; set recovery objectives (RTO/RPO) based on the impact of downtime; record recovery actuals (RTA/RPA) and identify any gaps between objectives and actuals; and identify dependencies that regularly fail (and have a significant impact when they fail) to prioritize efforts to improve resiliency.

6. DRP BIA Scoring Context Example – A tool to record assumptions you made in the DRP Business Impact Analysis Tool to explain the results and drive business engagement and feedback.

Use this tool to specifically record assumptions made about who and what are impacted by system downtime and record assumptions made about impact severity.

7. DRP Recovery Workflow Template – A flowchart template to provide an at-a-glance view of the recovery workflow.

This simple format is ideal during crisis situations, easier to maintain, and often quicker to create. Use this template to document the Notify - Assess - Declare disaster workflow, document current and planned future state recovery workflows, including gaps and risks, and review an example recovery workflow.

8. DRP Roadmap Tool – A visual roadmapping tool that will help you plan, communicate, and track progress for your DRP initiatives.

Improving DR capabilities is a marathon, not a sprint. You likely can't fund and resource all the measures for risk mitigation at once. Instead, use this tool to create a roadmap for actions, tasks, projects, and initiatives to complete in the short, medium, and long term. Prioritize high-benefit, low-cost mitigations.

9. DRP Recap and Results Template – A template to summarize and present key findings from your DR planning exercises and documents.

Use this template to present your results from the DRP Maturity Scorecard, BCP-DRP Fitness Assessment, DRP Business Impact Analysis Tool, tabletop planning exercises, DRP Recovery Workflow Template, and DRP Roadmap Tool.

10. DRP Workbook – A comprehensive tool that enables you to organize information to support DR planning.

Leverage this tool to document information regarding DRP resources (list the documents/information sources that support DR planning and where they are located) and DR teams and contacts (list the DR teams, SMEs critical to DR, and key contacts, including business continuity management team leads that would be involved in declaring a disaster and coordinating response at an organizational level).

11. Appendix

The following tools and templates are also included as part of this blueprint to use as needed to supplement the core steps above:

webinar status icon

On Demand

Webinar

Create a Right-Sized Disaster Recovery Plan

Play Webinar

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.5/10


Overall Impact

$48,187


Average $ Saved

27


Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Niobec Inc

Guided Implementation

10/10

$5,000

5

City Of Fredericksburg

Workshop

9/10

$68,500

32

One of the best parts was getting our stakeholders involved in the process. Sumit's technical expertise and experience working through DR plannin... Read More

University of the Fraser Valley

Guided Implementation

7/10

$1,900

5

Wiss, Janney, Elstner Associates, Inc.

Guided Implementation

10/10

$137K

90

Darin was excellent - a true professional and voice of reason and reality. He helped my team stay on track and deliver a solid DR capability for o... Read More

Stream Realty Partners, L.P.

Guided Implementation

8/10

$34,250

5

Evommune, Inc.

Guided Implementation

9/10

$6,850

18

Texas Trust Credit Union

Guided Implementation

10/10

$32,195

20

I really appreciate Scott’s experience and expertise on this subject. He made it clear and easy to understand.

City of Palm Beach Gardens

Workshop

10/10

$34,250

20

Time consuming for a large portion of staff however will pay off with saving time for all employees in the event of a disaster.

National Arts Centre Canada

Guided Implementation

10/10

$50,000

20

Working with Frank was wonderful, he was knowledgeable, patient and really took his time to walk us through the fundamentals without judgement. It ... Read More

State of New Mexico Early Childhood & Care Department

Guided Implementation

9/10

$13,700

20

Organization of materials that can be tailored to organization size and maturity and can be approached iteratively. Great callouts differentiating... Read More

County of Stafford

Workshop

10/10

$137K

90

Our workshop facilitator, Venkat, was extremely knowledgeable! He added significant value to our discussions and provided us with great recommendat... Read More

Eastern Michigan University

Guided Implementation

10/10

N/A

N/A

Our consultant was wonderful. He was very knowledgeable.

Stream Realty Partners, L.P.

Guided Implementation

9/10

$34,250

10

Lower Hudson Regional Information Center

Workshop

10/10

N/A

20

Venkat proved to be an exceptional consultant for our team. He came well-prepared and rapidly grasped the subtleties of our organization, adapting ... Read More

Solano County, CA

Workshop

10/10

$68,500

20

The workshop was fantastic. It empowered us to establish a robust BIA process that our organization was lacking. I now have the tools to develop a ... Read More

Department of Agriculture Kentucky

Guided Implementation

8/10

N/A

2

The risk assessment techniques were useful in gauging the impact of various scenarios, and the official engagement provided persuasion for other te... Read More

Conseil Scolaire Catholique MonAvenir

Guided Implementation

9/10

$25,000

38

The experience was excellent overall. Darin was very knowledgable and really did a great job of guiding us through the process. We really enjoyed t... Read More

Engie North America INC

Workshop

10/10

$137K

20

Joe Riley was an excellent resource with vast experience and expertise to guide Engie thru the process of identifying Gaps and documenting existing... Read More

Alabama Department of Economic and Community Affairs

Guided Implementation

9/10

N/A

100

It was great working with Scott Houle. He is knowledgeable and patient and made sure that I had all the information necessary to tackle something a... Read More

Firstmac Limited

Guided Implementation

10/10

$1,820

2

Support in classification and risk ranking of our BCP Risks.

Monroe #1 BOCES

Workshop

7/10

N/A

N/A

Facilitator was outstanding and flexible to our needs. As our work was focused on developing a roadmap for a DRP replacement, estimating time and ... Read More

Carver County, MN

Guided Implementation

9/10

$13,700

7

Socan

Workshop

10/10

$100K

10

We found the domain knowledge of the facilitator to be very good which helped us to ask and answer the right questions based on our environment and... Read More

Coachella Valley Water District

Workshop

10/10

$68,500

20

There are no issues or concerns to report. Sumit has proven to be an exceptional consultant, demonstrating a deep familiarity with the specific typ... Read More

First Ontario Credit Union Ltd.

Guided Implementation

10/10

$50,000

20

Darin's wealth of knowledge in the space has been fantastic. It has allowed us to bring in the correct stake holders to understand the needs of the... Read More

Woodbine Entertainment Group

Workshop

8/10

$10,000

20

Very difficult to meet ITRG's back-to-back scheduling requirement for these sessions. Excellent discussions facilitated by Venkat across lines o... Read More

State of Kentucky - Kentucky Transportation Cabinet

Workshop

10/10

$68,500

50

Venkat was a great facilitator and had clearly planned the days well and did preliminary work each night so we would have a very valuable day of wo... Read More

Small Enterprise Finance Agency

Guided Implementation

9/10

$13,700

20

Templates and advise was very useful

MyPath, Inc.

Guided Implementation

10/10

$137K

120

Frank brings excellent experience to the table in relation to our DR and BC Workshops and discussions. We are fortunate to have him facilitating fo... Read More

Lake Simcoe Region Conservation Authority

Guided Implementation

8/10

$5,000

5

Very knowledgeable help and good insights...


Disaster Recovery Planning

Close the gap between your DR capabilities and service continuity requirements.
This course makes up part of the Security & Risk Certificate.

  • Course Modules: 4
  • Estimated Completion Time: 2-2.5 hours
  • Featured Analysts:
  • Frank Trovato, Research Director, Infrastructure Practice
  • Eric Wright, SVP of Research and Advisory

Now Playing:
Academy: Disaster Recovery Planning | Executive Brief

An active membership is required to access Info-Tech Academy

Workshop: What is a right-sized disaster recovery plan?

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Identify DRP maturity, key systems, and dependencies

The Purpose

Identify key applications and dependencies based on business needs.

Key Benefits Achieved

Understand the entire IT “footprint” that needs to be recovered for key applications.

Activities

Outputs

1.1

Assess current DRP maturity through Info-Tech’s Maturity Scorecard. 

  • Baseline DRP maturity status.  
1.2

Identify the applications that support critical business activities. 

1.3

Select 2 or 3 key applications to be the focus of the workshop. 

1.4

Identify dependencies for selected applications. 

1.5

Identify current DR challenges for selected applications. 

  • Key applications and dependencies identified that will be the focus of the workshop and recorded in the BIA tool. 

Module 2: Conduct a BIA to determine acceptable RTOs and RPOs 

The Purpose

Quantify application criticality based on business impact.

Key Benefits Achieved

Appropriate recovery time and recovery point objectives defined (RTOs/RPOs).

Activities

Outputs

2.1

Define an objective scoring scale to indicate different levels of impact. 

2.2

Estimate the impact of an IT outage on cost, goodwill, compliance, health & safety. 

  • Potential impact of an IT outage quantified for selected applications. 
2.3

Define acceptable RTOs/RPOs for selected applications based on business impact. 

  • Applications criticality and recovery priority defined. 
  • Acceptable RTOs/RPOs defined based on business impact. 

Module 3: Determine the current recovery workflow and projects to close gaps

The Purpose

  • Determine your baseline DR capabilities (your current state).
  • Identify and prioritize projects to close DR gaps.


Key Benefits Achieved

  • Gaps between current and desired DR capability are quantified and prioritized.
  • DRP project roadmap defined that will reduce downtime and data loss to acceptable levels.

Activities

Outputs

3.1

Review tabletop planning – what is it, how is it done? 

3.2

Walk through a DR scenario to determine your current recovery timeline, RTO/RPO gaps, and risks to your ability to recover. 

  • Current-state recovery workflow and timeline. 
3.3

Identify and prioritize projects to close RTO/RPO gaps and mitigate DR risks (e.g. unreliable backups). 

  • RTO/RPO gaps identified. 
  • DRP project roadmap to close gaps. 

Module 5: Identify remaining DRP documentation and next steps 

The Purpose

  • Outline how to create concise, usable DRP documentation.
  • Summarize workshop results.

Key Benefits Achieved

  • A realistic and practical approach to documenting your DRP.
  • Next steps documented.

Activities

Outputs

5.1

Review the current-state incident response plan created from the tabletop planning exercise. 

5.2

Use tabletop planning to clarify the desired state and validate that the suggested projects will close your DR gaps. 

5.3

Outline a strategy for using flowcharts, checklists, and a summary document to complete your DRP. 

  • Updated DR project roadmap. 
  • Workshop summary presentation deck. 
5.4

Workshop review and wrap-up. 


What is disaster recovery in IT?

At its core, disaster recovery in IT is about ensuring continual service to your users after an unexpected natural disaster or major outage.

Why do organizations need a disaster recovery plan?

No matter the level of preparedness, no IT department is immune to technological failures, software outages, or the impacts of a natural disaster. A pre-established disaster recovery plan allows IT to focus on resolving critical issues immediately, rather than spending valuable time identifying and prioritizing these issues after an outage.

What are some common issues with disaster recovery plans?

Many disaster recovery policies are designed only for specific outage events, making them difficult to adapt to situations that weren’t planned for in advance. Additionally, traditional templates are often onerous and result in a lengthy plan better suited to appease auditors than for crisis resolution.

What is the right-sized disaster recovery plan for an organization?

A disaster recovery plan (DRP) must be tailored to an organization's requirements to be effective in an outage. When establishing the size and scope of your organization’s DRP, you may consider the acceptable service outage times for major services, plan for common incidents as well as major disasters, and evaluate the disaster recovery preparedness of your vendors.


Create a Right-Sized Disaster Recovery Plan

Close the gap between your DR capabilities and service continuity requirements.

ANALYST PERSPECTIVE

An effective disaster recovery plan (DRP) is not just an insurance policy.

"An effective DRP addresses common outages such as hardware and software failures, as well as regional events, to provide day-to-day service continuity. It’s not just insurance you might never cash in. Customers are also demanding evidence of an effective DRP, so organizations without a DRP risk business impact not only from extended outages but also from lost sales. If you are fortunate enough to have executive buy-in, whether it’s due to customer pressure or concern over potential downtime, you still have the challenge of limited time to dedicate to disaster recovery (DR) planning. Organizations need a practical but structured approach that enables IT leaders to create a DRP without it becoming their full-time job."

Frank Trovato,

Research Director, Infrastructure

Info-Tech Research Group

Is this research for you?

This Research Is Designed For:

  • Senior IT management responsible for executing DR.
  • Organizations seeking to formalize, optimize, or validate an existing DRP.
  • Business continuity management (BCM) professionals leading DRP development.

This Research Will Help You:

  • Create a DRP that is aligned with business requirements.
  • Prioritize technology enhancements based on DR requirements and risk-impact analysis.
  • Identify and address process and technology gaps that impact DR capabilities and day-to-day service continuity.

This Research Will Also Assist:

  • Executives who want to understand the time and resource commitment required for DRP.
  • Members of BCM and crisis management teams who need to understand the key elements of an IT DRP.

This Research Will Help Them:

  • Scope the time and effort required to develop a DRP.
  • Align business continuity, DR, and crisis management plans.

Executive summary

Situation

  • Any time a natural disaster or major IT outage occurs, it increases executive awareness and internal pressure to create a DRP.
  • Industry standards and government regulations are driving external pressure to develop business continuity and IT DR plans.
  • Customers are asking suppliers and partners to provide evidence that they have a workable DRP before agreeing to do business.

Complication

  • Traditional DRP templates are onerous and result in a lengthy, dense plan that might satisfy auditors, but will not be effective in a crisis.
  • The myth that a DRP is only for major disasters leaves organizations vulnerable to more common incidents.
  • The growing use of outsourced infrastructure services has increased reliance on vendors to meet recovery timeline objectives.

Resolution

  • Create an effective DRP by following a structured process to discover current capabilities and define business requirements for continuity:
    • Define appropriate objectives for service downtime and data loss based on business impact.
    • Document an incident response plan that captures all of the steps from event detection to data center recovery.
    • Create a DR roadmap to close gaps between current DR capabilities and recovery objectives.

Info-Tech Insight

  1. At its core, DR is about ensuring service continuity. Create a plan that can be leveraged for both isolated and catastrophic events.
  2. Remember Murphy’s Law. Failure happens. Focus on improving overall resiliency and recovery, rather than basing DR on risk probability analysis.
  3. Cost-effective DR and service continuity starts with identifying what is truly mission critical so you can focus resources accordingly. Not all services require fast failover.

An effective DRP is critical to reducing the cost of downtime

If you don’t have an effective DRP when failure occurs, expect to face extended downtime and exponentially rising costs due to confusion and lack of documented processes.

Image displayed is a graph that shows that delay in recovery causes exponential revenue loss.

Potential Lost Revenue

The impact of downtime tends to increase exponentially as systems remain unavailable (graph at left). A current, tested DRP will significantly improve your ability to execute systems recovery, minimizing downtime and business impact. Without a DRP, IT is gambling on its ability to define and implement a recovery strategy during a time of crisis. At the very least, this means extended downtime – potentially weeks or months – and substantial business impact.

Adapted from: Philip Jan Rothstein, 2007

Cost of Downtime for the Fortune 1000

Cost of unplanned apps downtime per year: $1.25B to $2.5B.

Cost of critical apps failure per hour: $500,000 to $1M.

Cost of infrastructure failure per hour: $100,000.

35% reported to have recovered within 12 hours.

17% of infrastructure failures took more than 24 hours to recover.

13% of application failures took more than 24 hours to recover.

Source: Stephen Elliot, 2015

Info-Tech Insight

The cost of downtime is rising across the board, and not just for organizations that traditionally depend on IT (e.g. e-commerce). Downtime cost increase since 2010:

Hospitality: 129% increase

Transportation: 108% increase

Media organizations: 104% increase

An effective DRP also sets clear recovery objectives that align with system criticality to optimize spend

The image displays a disaster recovery plan example, where different tiers are in place to support recovery in relation to time.

Take a practical approach that creates a more concise and actionable DRP

DR planning is not your full-time job, so it can’t be a resource- and time-intensive process.

The Traditional Approach Info-Tech’s Approach

Start with extensive risk and probability analysis.

Challenge: You can’t predict every event that can occur, and this delays work on your actual recovery procedures.

Focus on how to recover regardless of the incident.

We know failure will happen. Focus on improving your ability to failover to a DR environment so you are protected regardless of what causes primary site failure.

Build a plan for major events such as natural disasters.

Challenge: Major destructive events only account for 12% of incidents while software/hardware issues account for 45%. The vast majority of incidents are isolated local events.

An effective DRP improves day-to-day service continuity, and is not just for major events.

Leverage DR planning to address both common (e.g. power/network outage or hardware failure) as well as major events. It must be documentation you can use, not shelfware.

Create a DRP manual that provides step-by-step instructions that anyone could follow.

Challenge: The result is lengthy, dense manuals that are difficult to maintain and hard to use in a crisis. The usability of DR documents has a direct impact on DR success.

Create concise documentation written for technical experts.

Use flowcharts, checklists, and diagrams. They are more usable in a crisis and easier to maintain. You aren’t going to ask a business user to recover your SQL Server databases, so you can afford to be concise.

DR must be integrated with day-to-day incident management to ensure service continuity

When a tornado takes out your data center, it’s an obvious DR scenario and the escalation towards declaring a disaster is straightforward.

The challenge is to be just as decisive in less-obvious (and more common) DR scenarios such as a critical system hardware/software failure, and knowing when to move from incident management to DR. Don’t get stuck troubleshooting for days when you could have failed over in hours.

Bridge the gap with clearly-defined escalation rules and criteria for when to treat an incident as a disaster.

Image displays two graphs. The graph on the left measures the extent that service management processes account for disasters by the success meeting RTO and RPO. The graph on the right is a double bar graph that shows DRP being integrated and not integrated in the following categories: Incident Classifications, Severity Definitions, Incident Models, Escalation Procedures. These are measured based on the success meeting RTO and RPO.

Source: Info-Tech Research Group; N=92

Myth busted: The DRP is separate from day-to-day ops and incident management.

The most common threats to service continuity are hardware and software failures, network outages, and power outages

The image displayed is a bar graph that shows the common threats to service continuity. There are two areas of interest that have labels. The first is: 45% of service interruptions that went beyond maximum downtime guidelines set by the business were caused by software and hardware issues. The second label is: Only 12% of incidents were caused by major destructive events.

Source: Info-Tech Research Group; N=87

Info-Tech Insight

Does this mean I don’t need to worry about natural disasters? No. It means DR planning needs to focus on overall service continuity, not just major disasters. If you ignore the more common but less dramatic causes of service interruptions, you are diminishing the business value of a DRP.

Myth busted: DRPs are just for destructive events – fires, floods, and natural disasters.

DR isn’t about identifying risks; it’s about ensuring service continuity

The traditional approach to DR starts with an in-depth exercise to identify risks to IT service continuity and the probability that those risks will occur.

Here’s why starting with a risk register is ineffective:

  • Odds are, you won’t think of every incident that might occur. If you think of twenty risks, it’ll be the twenty-first that gets you. If you try to guard against that twenty-first risk, you can quickly get into cartoonish scenarios and much more costly solutions.
  • The ability to failover to another site mitigates the risk of most (if not all) incidents (fire, flood, hardware failure, tornado, etc.). A risk and probability analysis doesn’t change the need for a plan that includes a failover procedure.

Where risk is incorporated in this methodology:

  • Use known risks to further refine your strategy (e.g. if you are prone to hurricanes, plan for greater geographic separation between sites; ensure you have backups, in addition to replication, to mitigate the risk of ransomware).
  • Identify risks to your ability to execute DR (e.g. lack of cross-training, backups that are not tested) and take steps to mitigate those risks.

Myth busted: A risk register is the critical first step to creating an effective DR plan.

You can’t outsource accountability and you can’t assume your vendor’s DR capabilities meet your needs

Outsourcing infrastructure services – to a cloud provider, co-location provider, or managed service provider (MSP) – can improve your DR and service continuity capabilities. For example, a large public cloud provider will generally have:

  • Redundant telecoms service providers, network infrastructure, power feeds, and standby power.
  • Round-the-clock infrastructure and security monitoring.
  • Multiple data centers in a given region, and options to replicate data and services across regions.

Still, failure is inevitable – it’s been demonstrated multiple times1 through high-profile outages. When you surrender direct control of the systems themselves, it’s your responsibility to ensure the vendor can meet your DR requirements, including:

  • A DR site and acceptable recovery times for systems at that site.
  • An acceptable replication/backup schedule.

Sources: Kyle York, 2016; Shaun Nichols, 2017; Stephen Burke, 2017

Myth busted: I outsource infrastructure services so I don’t have to worry about DR. That’s my vendor’s responsibility.

Choose flowcharts over process guides, checklists over procedures, and diagrams over descriptions

IT DR is not an airplane disaster movie. You aren’t going to ask a business user to execute a system recovery, just like you wouldn’t really want a passenger with no flying experience to land a plane.

In reality, you write a DR plan for knowledgeable technical staff, which allows you to summarize key details your staff already know. Concise, visual documentation is:

  • Quicker to create.
  • Easier to use.
  • Simpler to maintain.

"Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow."

– Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management

A graph is displayed. It shows a line graph where the DR success is higher by using flowcharts, checklists, and diagrams.

Source: Info-Tech Research Group; N=95

*DR Success is based on stated ability to meet recovery time objectives (RTOs) and recovery point objectives (RPOs), and reported confidence in ability to consistently meet targets.

Myth busted: A DRP must include every detail so anyone can execute recovery.

A DRP is part of an overall business continuity plan

A DRP is the set of procedures and supporting documentation that enables an organization to restore its core IT services (i.e. applications and infrastructure) as part of an overall business continuity plan (BCP), as described below. Use the templates, tools, and activities in this blueprint to create your DRP.

Overall BCP
IT DRP BCP for Each Business Unit Crisis Management Plan
A plan to restore IT services (e.g. applications and infrastructure) following a disruption. This includes:
  • Identifying critical applications and dependencies.
  • Defining an appropriate (desired) recovery timeline based on a business impact analysis (BIA).
  • Creating a step-by-step incident response plan.
A set of plans to resume business processes for each business unit. Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization. A set of processes to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage. This includes emergency response plans, crisis communication plans, and the steps to invoke BC/DR plans when applicable. Info-Tech’s Implement Crisis Management Best Practices blueprint provides a structured approach to develop a crisis management process.

Note: For DRP, we focus on business-facing IT services (as opposed to the underlying infrastructure), and then identify required infrastructure as dependencies (e.g. servers, databases, network).

Take a practical but structured approach to creating a concise and effective DRP

Image displayed shows the structure of this blueprint. It shows the structure of phases 1-4 and the related tools and templates for each phase.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Info-Tech advisory services deliver measurable value

Info-Tech members save an average of $22,983 and 22 days by working with an Info-Tech analyst on DRP (based on client response data from Info-Tech Research Group’s Measured Value Survey, following analyst advisory on this blueprint).

Why do members report value from analyst engagement?

  1. Expert advice on your specific situation to overcome obstacles and speed bumps.
  2. Structured project and guidance to stay on track.
  3. Project deliverables review to ensure the process is applied properly.

Guided implementation overview

Your trusted advisor is just a call away.

Define DRP scope (Call 1)

Scope requirements, objectives, and your specific challenges. Identify applications/ systems to focus on first.

Define current status and system dependencies (Calls 2-3)

Assess current DRP maturity. Identify system dependencies.

Conduct a BIA (Calls 4-6)

Create an impact scoring scale and conduct a BIA. Identify RTO and RPO for each system.

Recovery workflow (Calls 7-8)

Create a recovery workflow based on tabletop planning. Identify gaps in recovery capabilities.

Projects and action items (Calls 9-10)

Identify and prioritize improvements. Summarize results and plan next steps.

Your guided implementations will pair you with an advisor from our analyst team for the duration of your DRP project.

End-user complaints distract from serious IT-based risks to business continuity

Case Study

Industry: Manufacturing
Source: Info-Tech Research Group Client Engagement

A global manufacturer with annual sales over $1B worked with Info-Tech to improve DR capabilities.

DRP BIA

Conversations with the IT team and business units identified the following impact of downtime over 24 hours:

  • Email: Direct Cost: $100k; Goodwill Impact Score: 8.5/16
  • ERP: Direct Cost: $1.35mm; Goodwill Impact Score: 12.5/16

Tabletop Testing and Recovery Capabilities

Reviewing the organization’s current systems recovery workflow identified the following capabilities:

  • Email: RTO: minutes, RPO: minutes
  • ERP: RTO: 14 hours, RPO: 24 hours

Findings

Because of end-user complaints, IT had invested heavily in email resiliency though email downtime had a relatively minimal impact on the business. After working through the methodology, it was clear that the business needed to provide additional support for critical systems.

Insights at each step:

Identify DR Maturity and System Dependencies

Conduct a BIA

Outline Incident Response and Recovery Workflow With Tabletop Exercises

Mitigate Gaps and Risks

Create a Right-Sized Disaster Recovery Plan

Phase 1

Define DRP Scope, Current Status, and Dependencies

Step 1.1: Set Scope, Kick-Off the DRP Project, and Create a Charter

This step will walk you through the following activities:

  • Establish a team for DR planning.
  • Retrieve and review existing, relevant documentation.
  • Create a project charter.

This step involves the following participants:

  • DRP Coordinator
  • DRP Team (Key IT SMEs)
  • IT Managers

Results and Insights

  • Set scope for the first iteration of the DRP methodology.
  • Don’t try to complete your DR and BCPs all at once.
  • Don’t bite off too much at once.

Kick-off your DRP project

You’re ready to start your DR project.

This could be an annual review – but more likely, this is the first time you’ve reviewed the DR plan in years.* Maybe a failed audit might have provided a mandate for DR planning, or a real disaster might have highlighted gaps in DR capabilities. First, set appropriate expectations for what the project is and isn’t, in terms of scope, outputs, and resource commitments. Very few organizations can afford to hire a full-time DR planner, so it’s likely this won’t be your full-time job. Set objectives and timelines accordingly.

Gather a team

  • Often, DR efforts are led by the infrastructure and operations leader. This person can act as the DRP coordinator or may delegate this role.
  • Key infrastructure subject-matter experts (SMEs) are usually part of the team and involved through the project.

Find and review existing documentation

  • An existing DRP may have information you can re-purpose rather than re-create.
  • High-level architecture diagrams and network diagrams can help set scope (and will become part of your DR kit).
  • Current business-centric continuity of operations plans (COOPs) or BCPs are important to understand.

Set specific, realistic objectives

  • Create a project charter (see next slide) to record objectives, timelines, and assumptions.
*Only 20% of respondents to an Info-Tech Research Group survey (N=165) had a complete DRP; only 38% of respondents with a complete or mostly complete DRP felt it would be effective in a crisis.
webinar status icon

On Demand

Webinar

Create a Right-Sized Disaster Recovery Plan

Play Webinar

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

MEMBER RATING

9.5/10
Overall Impact

$48,187
Average $ Saved

27
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 5-phase advisory process. You'll receive 10 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Define DRP scope
  • Call 1: Scope requirements, objectives, and your specific challenges.
  • Call 2: Identify applications/systems to focus on first.

Guided Implementation 2: Define current status and system dependencies
  • Call 1: Assess current DRP maturity.
  • Call 2: Identify system dependencies.

Guided Implementation 3: Conduct a BIA
  • Call 1: Create an impact scoring scale and conduct a BIA.
  • Call 2: Identify RTO and RPO for each system.

Guided Implementation 4: Recovery workflow
  • Call 1: Create a recovery workflow based on tabletop planning.
  • Call 2: Identify gaps in recovery capabilities.

Guided Implementation 5: Projects and action items
  • Call 1: Identify and prioritize improvements.
  • Call 2: Summarize results and plan next steps.

Author

Frank Trovato

Contributors

  • Alan Byrum, Director of Business Continuity, Intellitech
  • Bernard Jones (MBCI, CBCP, CORP, ITILv3), Owner/Principal, BJones BCP Consulting, LLC
  • Paul Beaudry, Assistant Vice-President, Technical Services, MIS, Richardson International Limited
  • Yogi Schulz, President, Corvelle Consulting
  • Nicole Paredes, IT Manager, State Toll and Road Authority
  • Troy Clayton, Network Administrator, Aux Sable

Search Code: 76457
Last Revised: December 3, 2020

Visit our Exponential IT Research Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019