Disaster Planning - Business Continuity Tutorial

Disaster Planning Disaster Recovery Planning and Business Contiuity Planning DRP Sample DRP Template Disaster Recovery Plan Templateis the process an organization uses to recover access to their enterprise operations; software, data, and/or hardware that are needed to resume the performance of normal, critical business functions after the event of either a natural disaster or a disaster caused by humans.

Order DRP BCP TemplateDownload Selected Pages DRP BCP TemplateDRP Customers

While Disaster Recovery and Business Continuity plans (DRP & BCP) often focus on bridging the gap where data, software, or hardware have been damaged or lost, one cannot forget the vital element of work force that composes much of any organization. A building fire might predominantly affect vital data storage; whereas a pandemic or epidemic illness is more likely to have an effect on staffing.

Both types of disasters need to be considered when creating a Disaster Recovery and Business Continuity Plans. Thus, enterprises should include in their DRPs & BCPs contingencies for how they will cope with the sudden and/or unexpected loss of key personnel as well as how to recover their data.

DR/BC Tutorial

What is Disaster Planning ?

Disaster Planning is the process of creating a road map for what to do in a response to a declared disaster or a regional disaster. A disaster recovery plan describes how an organization is to deal with potential disasters.

Just as a disaster is an event that makes the continuation of normal functions impossible, a disaster recovery plan consists of the precautions taken so that the effects of a disaster will be minimized, and the organization will be able to either maintain or quickly resume mission-critical functions.

Typically, disaster recovery planning involves an analysis of business processes and continuity needs; it may also include a significant focus on disaster prevention.

The Disaster Recovery Planning Template (DRP) can be used for any sized enterprise.

The template and supporting material have been updated to be Sarbanes-Oxley compliant. The complete package includes:

  • Disaster Recovery Plan Template
  • Business and IT Impact Analysis Questionnaire
  • Work Plan

With the template is a 3 page Job Description for the Disaster Recovery Manager. The Disaster Recovery Plan Template PREMIUM Bundle contains 11 additional key job descriptions.

Clients can also subscribe to Janco's DRP update service and receive all updates to the DRP Template*.

The DRP template includes everything needed to customize the Disaster Recovery Plan to fit your specific requirement.

Disaster Recovery Planning and Business Continuity Planning Funding

Funding a Disaster Recovery Planning and Business Continuity Planning process can be difficult. The key to funding is presenting a good business case. The steps that you can follow to create the business case are:

  • Conduct a Business and IT Impact Analysis - Knowing the IT and enterprise operational dependencies, mission-critical vs. business critical functions, and discrepancy resources are vital when presenting to management.
  • Conduct a Risk Assessment - What is the probability that something will happen, and what does it mean when it does? Being able to inform management about an enterprise's risk exposure will help give them a clearer picture of the liability of not having a plan.
  • Calculate the cost of downtime - Armed with these figures, management will be able to determine an acceptable amount of downtime and data loss. The cost of downtime includes items like lost sales, loss of market share, employee productivity, enterprise reputation, and even customer confidence.
  • Position Disaster Recovery Business Continuity as a competitive necessity - Positioning Disaster Recovery Business Continuity in this way helps to illustrate downtime as an opportunity for competitors to capture market share. Conversely, uptime allows your firm to seize market share from competitors. Most enterprises have some sort of Disaster Recovery Business Continuity plan, including off site storage and data replication. So “keeping up with the Jones's” is crucial in establishing this argument.
  • Define multiple options - Management does not respond well when presented with a problem or just a single solution; they want alternatives. While making it clear that doing nothing is not an option, having multiple solutions is vital.
  • Define Metrics - Metrics should be tied to the Business and IT Impact Analysis and the Risk Assessment marked by business process criticality, Recovery Time Objective (RTO ) and Recovery Point Objective (RPO), and the supporting operational budgets. Define what IT must have to succeed in attaining the desired level of Disaster Recovery Business Continuity preparedness. Such information will also aid in determining the cost of the overall plan itself.
  • Define non-catastrophic risks - It is important that management not only understands that risk exists, but also that they are aware of the forms it can take. While earthquakes and tornadoes do pose a threat, disruptive events often come in the form of much more commonplace events. Things like power outages and IT failure tend to be the causes for downtime. Making management see that the “disaster” in disaster recovery covers a lot more than natural disasters is beneficial to IT 's cause.
  • Combine Disaster Recovery Business Continuity with mandated requirements - Marry the notion of disaster recovery with other IT initiatives such as Sarbanes-Oxley, HIPAA, and PCI-DSS. Here the emphasis is on the idea that some Disaster Recovery Business Continuity technologies, like Virtualization, can aid in initiatives such as server consolidation. The concept of Disaster Recovery Business Continuity investment as a means of helping the data center improve efficiency and reduce cost is a powerful one.

Basics for Disaster Planning and Business Continuity Planning

Planning for business and IT disruptions requires an understanding of the essentials of each of these elements:

  • Keep people working with business as usual

Planning for employees, business partners and customers makes up the most critical aspect of business recovery planning, Janco Associates says. Depending on the nature of the outage, you may need to figure out how and where people can continue working. For a brief period of time, everyone may need to work remotely, but you will need to have these contingency plans ready, along with automatic notification to tell employees to work at home.

  • Make accommodations for facilities

Facilities make up an important part of business recovery planning. According to the U.S. National Fire Protection Agency, 35 percent of businesses that experience a major fire are out of business with three years. So, if having everyone work at home is not the best option for your business, recovery vendors can provide interim workplaces such as prefabricated mobile offices or buildings designed specifically for use in times of crisis.

  • Secure information before the event

Data can make or break a business. According to the U.S. National Archives and Records Administration, 80 percent of companies without well-conceived data protection and recovery strategies go out of business within two years of a major disaster. Backup tape and storage testing services can help ensure that critical data will be available after a major outage. Ideally, says Janco Associates, backups should be performed off site, preferably at a facility far away from everyday operations. “The best way to protect the information for a small business is to use a remote data backup facility, which actually transmits the data either overnight or at scheduled times to a remote site where it is stored. ”

  • Prepare alternate networking routes

Can you keep networks open - or restore them quickly? What happens if you don't have local area network (LAN) or wide area network (WAN) connectivity for an extended period of time? Or phone connections and e-mail? In the worst-case scenario, your business may not have access to any of these vital services. LAN and WAN contingency plans can include services such as remote data access so critical information can be managed and administered from any location. A fail over system for e-mail is also highly recommended, who note that keeping in touch with partners and customers can make all the difference in remaining in business. These solutions can be activated in seconds, but keep in mind that these systems need to be in place prior to an outage.

  • Keep technology up-to-date and aligned with recovery plans

Keep tabs on how technology is applied within your organization. This can be as simple as making sure a security patch has been correctly applied. Otherwise, recovery plans can be easily derailed when new software and hardware is added or upgraded without testing the potential consequences of changes to business technology. That's why experts like Janco Associates recommend routine system checkups, as well as longer-term business continuity and resilience planning services. “Resilience is the ability to take a blow and keep on going,” they say.

  • Regular checkups provide the best results

Janco Associate recommends business recovery plans be tested at least semi-annually.
“Plans go out of date very quickly,” he says. “Exercise your plan at least once every six months. People find that's when they realize what they really need to do to improve their plans.

Cost of No Plan

A plan for disaster recovery and business continuity that helps operations get up and running quickly or keeps them up and running with a minimal loss of data, information and productivity is a necessity. Tools and technologies are available to help mitigate various forms of disaster and to help keep downtime to a minimum.

Even if organizations do have a business continuity and disaster recovery plan in place, they can still face problems. Often that plan does not reflect real-world costs.

Nearly every aspect of business today is expected to be available continuously without interruption, regardless of the circumstances. When a disaster strikes - whether a natural disaster or technological failure - enterprise management expect operational services and technologies to still function.

Most organizations need to place a high value on being prepared for disasters of any kind because the practical ramifications of failing to do so can be very high indeed:

  • Lost revenue: Even the loss of a single mission-critical service, such as e-mail or web connectivity, can cost some companies millions of dollars in revenue. Avoiding this downtime with a business continuity and disaster recovery plan in place is a clear benefit.
  • Customer confidence: When a company experiences an interruption in services or suffers a loss of data, customers can lose confidence in that firm's viability in a crisis and its ability to meet their needs and protect their personal information.
  • Compliance penalties and fines: Government regulated businesses found to be in a state of noncompliance could be subjected to lawsuits, fines and penalties.
  • Staff confidence and effectiveness: As technology becomes an even greater part of business operations, users have come to rely more and more on services and technologies to do their jobs. When those services or technologies become unavailable, even for short periods of time, users suffer major productivity losses.
  • In addition to the direct costs of lost productivity, long-term damage can result in low staff morale and confidence in the organization, extending the monetary damages well into the future, even after services have been restored.

ISO 27031

The ISO Standard defines the Information and Communication Technology (ITC) Requirements for Business Continuity (IRBC) program that supports the mandate for an infrastructure that supports business operations when an event or incident with its related disruptions affects the continuity of critical business functions. This includes security of crucial data as well as enterprise operations.

The ISO standard centers around fours areas; Plan, Do, Check, and Act.

Plan Do Check Act Cycle

    • Plan - Establish a Disaster Recovery Business Continuity policy with objectives, metrics, and processes relevant to managing risk and improving the enterprise's Information and Communication Technology ability and readiness to operate at the level defined within the parameters of the enterprise's overall disaster recovery and business continuity objectives.

    • Do - Implement and operate the Disaster Recovery and Business Continuity policies, procedures, controls, and processes.

    • Check - Assess and monitor the performance metrics as defined within the Disaster Recovery and Business Continuity policy metrics and communicate the results to the management of the enterprise. This process can be done via an audit, a test of the plan, or an actual execution of the plan via a post event analysis session.

    • Act - Modify the Disaster Recovery and Business Continuity policies, procedures, and metrics based on the "Check" (audit, test, or execution of the plan) in order to improve the Disaster Recovery and Business Continuity Policy.

Metrics for Disaster Recovery Planning and Business Continuity Planning

Benefits of DRP Metrics

Metrics present information on performance in objective terms. In order for that to happen there needs to be awareness training for what is expected when the Disaster Recovery Business Continuity Plan is activated. Metrics help focus on issues that management needs to know.

For example, if the Disaster Recovery Business Continuity plan indicates a recovery time objective (RTO) of six hours and the true recovery based on testing is 24 hours, it needs to be communicated so that It can be put into people's objectives (i.e. responsibilities) and measured.

Part of the process in creating an accepted enterprise-wide Disaster Recovery and Business Continuity plan is to create metrics and expectations that meet the strategic objective of the enterprise.

There are two components that are critical for this process: Service Level Expectations and Recovery Time Standards.

Service levels Expectations

There is an expected service level that the business relies on to assess the 'up time' required for specific business functions. Information Technology (IT) has this responsibility. The IT group may be an internal organization or an outsourced one. On at least an annual basis or when service level contracts are established and/or renegotiated, service levels are set for various activities, such as metrics, billing, etc.

Application 'up time' is based on normal production processing throughout the day/week/month and is gauged a success or failure by the percentages that are agreed upon. These are normal production expectations of service delivery.

Recovery Time Standards

When there are disruptions in the service and the expected service levels are at risk, another metric standard is used: recovery time. The standard defines the allowable time between when the clock starts and stops for the disaster recovery and business continuity processes. If 0-4 hours recovery time is acceptable, then disaster recovery and business continuity should be started at least one to two hours prior to the maximum recovery (four hours).

Service level expectation versus recovery time standards

Recovery times are closely monitored during recovery process. Working in a framework which understands roles and responsibilities not only allows management to understand the difference between service levels and recovery times, but solidifies the involvement and value with our IT with the business units that it serves.

Sample Metrics for the Disaster Recovery Business Continuity Plan and Implementation Process

  • Total number of applications supported from the computer facility - The breath of the potential for Disaster Recovery Business Continuity requirements
  • Percent of total applications covered by a Disaster Recovery Business Continuity strategy - Could include hot sites, high availability systems, quick ship requirements, etc.
  • Number of Disaster Recovery Business Continuity test hours scheduled each year - This is the total scheduled test time in a one-year period
  • Percent of total Disaster Recovery Business Continuity scheduled test time actually used each year - Could be under or over 100%, and can be reported as a cumulative metric throughout the year
  • Number  of months since the last Disaster Recovery Business Continuity Plan “Maintenance Cycle” - Ideally, this should not exceed three to four month.

Pandemic Disaster Recovery Planning and Business Continuity Planning

In disaster planning when a pandemic occurs the data center exists but people often are in separate locations. The Disaster Planning and Business Continuity Planning processes need to make the user and business operating experience is as similar as possible so that the work environment is the same in the remote site (often home) as in the office.

A key requirement is to increase remote access capabilities in addition before the pandemic occurs the following planning needs to take place:

  • Define necessary staff levels for critical business processes
  • Identify who can work remotely and who has to be in the office
  • Validation of vaccinations for key staff members
  • Identify the lights out processing issues for computer operations staff
  • Identify the network and remote access capacity requirements - what percent of workers do you need to be on the system for the enterprise to continue to operate
  • Train and test of users and IT staffs in how to operate from remote locations
    • Require key employees to work from remote site at least once a month
    • Validate broadband capacity to remote sites (home users)
    • Have copies of disaster plan available in remote site
  • Put in place process for the synchronization of OS system patches and VPN updates - if the workstations are not used frequently disable the auto update features for security updates but maintain a process to see that they workstations are up-to-date.

  • Define specific requirements for security and PCI-DSS when the disaster plan is activated for a pandemic.

  • Define change management and version control processes to be used and how they will be controlled during the pandemic.

Once the disaster plan has been activated for a pandemic a central source for information on who is infected, immune, and unavailable needs to be developed and maintained accurately. In addition, staff members who re working in the office and data center environments should be isolated if at all possible so they do not become infected. This may require a quarantine of these employees based on the severity of the pandemic.

Cloud Backup and Recovery

Outsourcing TemplateIn this age of business operations, software applications and electronic data are the life blood of the enterprise. When they are unavailable due to a disaster or outage, business is slowed or stopped altogether. In the short term, outages result in data loss, employee and customer frustration and lost revenue. The long term penalties of an outage can affect a business for a lifetime; lost records, transactions and accounting files can even put a business at risk of regulatory violations.

Protecting business means protect ongoing access to functional applications, servers and data; traditionally that means backing up data. However, backing up the data is only part of the equation. If you can't restore the data, the backup effort is useless. If a business relies on tape backup alone, restoration is easy only for the simplest failure, and only if everything goes perfectly. If a hard disk fails and all the backup tapes are good and the staff is practiced at doing the repair and restore, then you might be able to simply buy a replacement part and get things up within a couple of hours - though the data will be from last night's backup. If the problem is more complicated and involve s a replacement server for instance, you will probably need a day or two to get new hardware in place before you even begin to recover.

The right way to evaluate the quality of your system and data protection is to evaluate the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These metrics define how long you think it will take you to get back online and how current the data has to be.

The best way to ensure a fast recovery is to have replacement equipment standing by at an off-site location with the necessary software and configuration to quickly transfer users and data. The best practice includes a remote data center with servers, storage, networking equipment and internet access.

Restoring to this remote data center from backup tapes will likely take too long, assumes that the tapes were not affected by the original problem and still leaves the risk of only recovering old data. Instead, replication software can be used to keep the backup systems constantly updated.
A four hour RTO and RPO requires:

  • Off-site hardware and infrastructure to run servers and applications
  • Data updates to the DR site more often than every four hours; preferably real-time
  • Continuous updates of the application and OS configuration (without this, recovery may fail after a patch or an upgrade).
  • A method to deal with any hardware differences between production and recovery environments

DRP and BCP Best Practices

A best practice for disaster planning and business continuity is a technique, method, process, activity, incentive, or reward that is believed to be more effective at restoring the operation of an enterprise after a disaster or enterprise interruption event occurs. The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications. Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people.

  1. Focus on operations - people and process that drive the enterprise are the primary issues that DRP and BCP are controllable. Implementing a planning and recovery environment is an ideal time to define an approach based on ITIL best practices that will address the process and people issues effectively.

  2. Train everyone on how to execute the DRP and BCP - People are the front line when it comes to supporting the enterprise. A staff that has not been properly trained in the use of the DRP and BCP when an event occurs will we hindrance. Everyone must have the knowledge and skills to provide the right support. This not only helps reduce downtime, it also delivers better performance and a faster ROI through better and wiser use of IT assets.

  3. Have a clear definition for declaring when a disaster or business interruption occurs that will set the DRP and BCP process into motion - There needs to be a clear processes for allocating resources based on their criticality and availability requirements. This will define the “rules of the road” for who does what and when while minimizing the factors that can negatively impact enterprise operations.

  4. Integrate DRP and BCP with change management - Changes are inevitable in any sizable environment. It is difficult to keep up with the flood of new applications, technologies, and new tools. That is why it is essential to design, implement, and continuously improve change and configuration management processes.

  5. Focus on addressing issues BEFORE they impact the enterprise - When you are aiming to operate at the speed of business, after-the-fact fixes do not make the grade. These days, you need to anticipate trouble and head it off before it happens. It is important to identify risks across people, process, and technology so that appropriate countermeasures can be implemented. You should also make sure that vendors provide an appropriate level of support including proactive features such as critical patch analysis and change management support.

  6. Validate that all technology is properly installed and configured right from the start - a technology solution that is properly implemented in terms of its hardware, firmware, and software will dramatically reduce problems and downtime in the future. Proper initial configuration can also save time and reduce issues with upgrades, hot patches, and other changes.

  7. Monitor the processes and people to know what critical - many of today's enterprises are experiencing a capacity crisis as they reach the limits of reduced budgets, older facilities and legacy infrastructures. Space is tight. Power and cooling resources are over-burdened. Implementing new solutions in inefficient environments may limit their ability to recover from an event. An assessment that examines and analyzes the enterprises environment's capabilities and requirements can provide valuable information to help improve efficiency.

Help and Service Desk disaster recovery and business continuity best practices

  1. Focus on operations - people and process that drive the enterprise are the primary issues that DRP and BCP are controllable. Implementing a planning and recovery environment is an ideal time to define an approach based on ITIL best practices that will address the process and people issues effectively.

  2. Train everyone on how to execute the DRP and BCP - People are the front line when it comes to supporting the enterprise. A staff that has not been properly trained in the use of the DRP and BCP when an event occurs will we hindrance. Everyone must have the knowledge and skills to provide the right support. This not only helps reduce downtime, it also delivers better performance and a faster ROI through better and wiser use of IT assets.

  3. Have a clear definition for declaring when a disaster or business interruption occurs that will set the DRP and BCP process into motion - There needs to be a clear processes for allocating resources based on their criticality and availability requirements. This will define the “rules of the road” for who does what and when while minimizing the factors that can negatively impact enterprise operations.

  4. Integrate DRP and BCP with change management - Changes are inevitable in any sizable environment. It is difficult to keep up with the flood of new applications, technologies, and new tools. That is why it is essential to design, implement, and continuously improve change and configuration management processes.

  5. Focus on addressing issues BEFORE they impact the enterprise - When you are aiming to operate at the speed of business, after-the-fact fixes do not make the grade. These days, you need to anticipate trouble and head it off before it happens. It is important to identify risks across people, process, and technology so that appropriate countermeasures can be implemented. You should also make sure that vendors provide an appropriate level of support including proactive features such as critical patch analysis and change management support.

  6. Validate that all technology is properly installed and configured right from the start - a technology solution that is properly implemented in terms of its hardware, firmware, and software will dramatically reduce problems and downtime in the future. Proper initial configuration can also save time and reduce issues with upgrades, hot patches, and other changes.

  7. Monitor the processes and people to know what critical - many of today's enterprises are experiencing a capacity crisis as they reach the limits of reduced budgets, older facilities and legacy infrastructures. Space is tight. Power and cooling resources are over-burdened. Implementing new solutions in inefficient environments may limit their ability to recover from an event. An assessment that examines and analyzes the enterprises environment's capabilities and requirements can provide valuable information to help improve efficiency.

Are you Prepared for a Disaster?

According to an AT&T Survey of 100 Chicago firms (revenues <$10M), 81 have DR plans, but only 43% have fully tested their plans within the last 12 months and 12% admitted they have never tested their business continuity plans.

Next to personnel, data is your most irreplaceable asset. Networks, application hosting platforms, and end user computing environments can be replaced quickly. However, without your customer lists, product catalogs, inventory, financial records, and other operational data your business cannot recover.

A disaster recovery is a response to a declared disaster or a regional disaster. It is the restoration or recovery of an entire Agent computer. A disaster recovery plan describes how an organization is to deal with potential disasters. Just as a disaster is an event that makes the continuation of normal functions impossible, a disaster recovery plan consists of the precautions taken so that the effects of a disaster will be minimized, and the organization will be able to either maintain or quickly resume mission-critical functions. Typically, disaster recovery planning involves an analysis of business processes and continuity needs; it may also include a significant focus on disaster prevention.

The Disaster Recovery Planning Template (DRP) can be used for any sized enterprise.   

The template and supporting material have been updated to be Sarbanes-Oxley compliant. The complete package includes:

  • Disaster Recovery Plan Template
  • Business and IT Impact Analysis Questionnaire
  • Work Plan

With the template is a 3 page Job Description for the Disaster Recovery Manager. The Disaster Recovery Plan Template PREMIUM Bundle contains 11 additional key job descriptions.

Clients can also subscribe to Janco's DRP update service and receive all updates to the DRP Template

The DRP template includes everything needed to customize the Disaster Recovery Plan to fit your specific requirement.

Why Recovery Plans Fail

In a survey of 253 enterprises that had to activate their recovery plans Janco has identified the reasons why recovery is not successful.

Why DR and BC plans fail

The most common issue and occurring in 62% of all recovery plans are errors in the plan itself. This is often due to the plan not being kept up to date (47%) and the unavailability or inaccurate passwords (34%).

Additional reasons for failures are:

  • Insufficient backup power - 22%
  • Communications not in place - 18%
  • Personnel not trained - 17%
  • System priorities not identified - 14%
  • Recovery not documented - 13%
  • Event not identified - 12%

Communication with the Media

How information is disseminated can make or break an enterprise after an event has occurred. It is difficult if not impossible to undo incorrect or "bad" information once it is out there in the age of 7 x 24 news coverage and the Internet.

A crisis event is any situation that threatens the integrity or reputation of your company. These situations can be any kind of accident, fire, flood or man made disaster that could be attributed to your company. It can also be a situation where in the eyes of the media or general public your company did not react to one of the above situations in the appropriate manner.

If handled correctly the damage can be minimized. One thing to remember that is crucial in an event is tell it all, tell it fast and tell the truth. If you do this you have done all you can to minimize the situation. When a situation arises the first thing you should do is contact your CEO and the chief of your public relations department. The sooner you get those two organizations involved the sooner you can implement this plan.

Once a disaster has occurred, your company needs to communicate with its employees, associates, suppliers, customers, shareholders, investors, and other stakeholders. Here are factors that need to be considered:

  • Is your CEO an effective media spokesperson?

    Just because someone is a CEO does not mean that they will be an effective media spokesperson. It might be the way they look on camera or some physical issue that would not present the enterprise in the best light.

  • Is your CEO the right spokesperson?

    The number one priority for a spokesperson in a crisis is to communicate information clearly and effectively to those affected by it. If the event is an Information Technology failure, like a security breach, the CIO might be better suited to communicate the problem. Put forward the one most relevant and most able to communicate with clarity.

  • Does the event involve loss of life?

    If your organization is at the heart of a crisis where people have been killed, it is almost certain that your top executives will face the media. In these circumstances a message from the very top is essential - not to do this will be seen as cold and uncaring.

  • Will the event cause any permanent damage to the enterprise's on-going operations?

    At the start of the event, before all the facts are know, it is easy to over-estimate the scale of a crisis. You need to make a cold, hard assessment of the gravity of situation - from an external perspective, in order to properly assess its seriousness. Be very wary of putting your CEO forward in all but the most serious of crises. Once you set the benchmark for CEO visibility, he/she will be expected to appear for all future crises of a similar magnitude. Pitch the benchmark too low and he/she could be doing nothing but media interviews for the next three years.

Disaster Planning Risk Assessment


A major part of the disaster recovery planning process is the assessment of the potential risks to the organization which could result in the disasters or emergency situations themselves. It is necessary to consider all the possible incident types, as well as and the impact each may have on the organization's ability to continue to deliver its normal business services.

Risk Score

This can be complex and demanding. To assist in this risk assessment process Janco has provided a number of tools. the Exhibit on the right is one such example.

There are many potential disruptive events and the impact and probability level must be assessed to give a sound basis for progress. To assist with this process the following list of potential events has been produced:

Types of Disaster

Environmental Disasters

  • Tornado
  • Hurricane
  • Power Grid Failure
  • Flood
  • Snowstorm
  • Ice Storms
  • Earthquake
  • Electrical storms
  • Brush Fire
  • Forest Fire
  • Structure Fire
  • Sink Holes
  • Landslides

Man Made Disruptions

  • Terrorist Attack
  • Sabotage
  • War
  • Theft
  • Arson
  • Labor Disputes

Equipment or System Failure

  • Internal power failure
  • Air conditioning failure
  • Cooling plant failure
  • Equipment failure

IT Failures and Security Breaches

  • Cyber crime
  • Loss of records or data
  • Disclosure of sensitive information
  • IT system failure

The Disaster Recovery / Business Continuity Template includes a threat and vulnerability assessment tool to aid you in classifying the risks enterprises face.

Disaster Clean up How To

You have had a disaster and now you are starting to look at the "mess" that you have. What do you do to clean things up? Some tips on disaster recovery and business continuity clean up are:

  • Wet objects (electronic) - Disconnect from the power source and do not turn it on. In the case of disk drives or other electronic storage devices - inventory all of them and label them. Create a log of all objects recovered, actions taken, and location. Have a disaster clean-up specialist be the one who looks at what can be recovered.

  • Wet objects (non-electronic) - Rinse with clear water or a fine hose spray. Clean off dry silt and debris with soft brushes or dab with damp cloths. Try not to grind debris into objects; overly energetic cleaning will cause scratching. Dry with a clean, soft cloth. Use plastic or rubber gloves for your own protection.

  • Drying Objects - Air dry objects indoors if possible and use portable fans to move the air. Sunlight and heat may dry certain materials too quickly, causing splits, warping, and buckling. If possible, remove contents from wet objects and furniture prior to drying. Storing damp items in sealed plastic bags will cause mold to develop. If objects are to be transported in plastic bags, keep bags open and air circulating.

  • Mold Prevention and Cleanup - Exposure to molds can have serious health consequences such as respiratory problems, skin and eye irritation, and infections. The use of protective gear, including a respirator with a particulate filter, disposable plastic gloves, goggles or protective eye wear, and coveralls or a lab coat, is therefore essential. In order to inhibit the growth of mold and mildew you must reduce humidity. Increase air flow with fans, open windows, air conditioners, and dehumidifiers. Moderate light exposure (open shades, leave lights on in enclosed areas) can also reduce mold and mildew. Remove heavy deposits of mold growth from walls, baseboards, floors, and other household surfaces with commercially available disinfectants. Avoid the use of disinfectants on historic wallpapers. Follow manufacturers' instructions, but avoid splattering or contact with objects and wallpapers as disinfectants may damage objects.

  • Broken Objects - If objects are broken or begin to fall apart, place all broken pieces and detached parts in clearly labeled, open containers. Do not attempt to repair objects until completely dry or, in the case of important materials, until you have consulted with a professional conservator.

  • Paper Materials - Documents, books, photographs, and works of art on paper are extremely fragile when wet; use caution when handling. Free the edges of prints and paper objects in mats and frames, if possible. These should be allowed to air dry. Rinse mud off wet photographs with clear water, but do not touch surfaces. Wet books and papers should also be air dried or kept in a refrigerator or freezer until they can be treated by a professional conservator.

  • Office Furniture - Furniture finishes and painting surfaces may develop a white haze or bloom from contact with water and humidity. These problems do not require immediate attention; consult a professional conservator for treatment. Textiles, leather, and other "organic materials will also be severely affected by exposure to water and should be allowed to air dry. Shaped objects, such as garments or baskets, should be supported by gently padding with toweling or unlinked, uncoated paper. Renew padding when it becomes saturated with water. Dry clean or launder textiles and carpets as you normally would.

  • Art Work - Remove wet paintings from the frame, but not the stretcher. Air dry, face up, and away from direct sunlight.

  • Metal Objects - Rinse metal objects exposed to flood waters, mud, or silt with clear water and dry  immediately with a clean, soft cloth. Allow heavy mud deposits on large metal objects, such as sculpture, to dry. Caked mud can be removed later. Consult a professional conservator for further treatment.

Why is the Disaster Recovery Business Continuity Plan Out of Date?

Over 30% of all Disaster Recover Business Continuity Plans are not current according to data gathered by Janco

There are plenty of partial, outdated, or ineffective disaster and business continuity plans out there - why is it so difficult to get it right?

  • Data collection - How do you collect the data for the disaster and business continuity plan in the first place? There is no one single source for everything you need, particularly if you are trying to integrate relevant external information such as support dates, power consumption, etc. Every vendor delivers this information in different formats, different frequencies, and different vehicles - ranging from data sheets to websites to release notes.
  • Data inconsistency - How do you handle the inherent inconsistencies in data? For example, OS version numbers are often conflicting; vendors change their product names or renumber versions over time, etc. Normalizing the data (making it adhere to consistent rules and categories) is a cumbersome task and the accuracy and consistency of the data needs to be reassessed at every step.
  • Categorization - If you want to categorize the information in the disaster and business continuity plan, you have to create the taxonomy (or hierarchical categorization) for the industry data. This alone is a significant task, there are many ways to slice and dice the universe of technology products, and no standards have been defined within the IT industry to define this information in a consistent manner.
  • Manageability - Any extensive technology disaster and business continuity plan is a large and complex data store. A spreadsheet is insufficient for storing and managing rich structured data for thousands of products and vendors. The disaster and business continuity plan should be able to track and maintain the complex relationships between technologies and categories (parent/child relationships, one-to-many mappings, and so on). Developing an appropriate, extensible data store is a complex undertaking.
  • Maintenance - As soon as you have finished the disaster and business continuity plan, you have to start updating it. The Information Technology industry is constantly changing, which means that your work is never done. If you go through a massive effort to produce a disaster and business continuity plan for a single business function, the value of that investment is lost if you cannot keep it up to date.

Managing the loss of a facility

Statistics tell us that facility floods are the fourth most common cause for an organization to abandon its facility and invoke its off-site recovery process. In reality what is described in this statistic as a flood, is more often than not an escape of water or liquid, which is considerably different to a flood: and impacts of both to a facility differ significantly.

In Janco's opinion it is imperative that business continuity professionals consider the temporary loss of their facility due to a flood or escape of water as a ‘high risk' and develop a disaster recovery business continuity plan to meet the requirements to deal with this type of incident.

Janco's observations of organizations rallying support from staff to attend an alternative recovery site are peppered with business resumption success and staff morale negativity. In some instances it became apparent that staff felt a real sense of loss, which was not sympathetically dealt with by management. Concerns about managing the impacts on personal lives and daily routines caused by the relocation to the recovery site are also common.

It's apparent to me that to keep morale high and retain staff throughout the work around, efforts to restore the lost facility must be concentrated so that staff can return to the facility as quickly as possible.

Many organizations simply do not have the luxury of being able to move to an alternative recovery site following a physical. In these cases disaster recovery plans should include the external expert support of a specialist company that will aid the internal recovery and incident team to mitigate against secondary damage, administer triage to the affected areas and expedite the correct equipment, methods and manpower to restore their facility as quickly as possible to a suitable working environment, so that service can be resumed.

Speed of response is vital: in order to reduce the level of disruption and physical secondary damage; and to limit the time in which function is lost. Dealing with an incident within the first few hours may reduce the total time of the disruptive event by weeks.

Such specialist responders will be on 24/7 standby to attend the client site; within say four hours of an incident. The responder will have a snapshot of the site in advance of an incident. This will drive the incident management plan which addresses the physical site incident needs to deal with the following questions precisely: 'How is the incident reported and to whom?' and ‘Who will be required to respond?'

These questions, answered accurately, will in some circumstances negate the requirement to invoke a third party recovery center and reduce the disruption surrounding the impact of the incident.
Make sure that you consider out-of-hours disaster response as well as the time when the facility is in use. In many cases we have learnt at our clients' peril that the person who discovers an incident, such as a leak in the ceiling on the second floor in the accounts department, was the out-of-hours cleaning technician supplied by an external contract cleaning company; and who, sadly, was not privy to the emergency procedure, in fact neither was his/her boss who he/she called and informed about the problem.

In this situation the organization is at high risk, largely due to the good intentions of others who make attempts to help: and inadvertently make matters worse.

It could be argued that the probability of a facility incident may be low, the risks and associated impacts are very high and making sure that an incident plan is created should be a priority. The plan needs to address emergency responses in dealing with the disruption, care and consideration of staff, communication and associated contingency's as a bare minimum.

The plan needs to pre-engage the correct resources, expertise and capability to assist you and your team in dealing with the incident.

Further ramifications to consider may be damaged documents, IT equipment, and critical process equipment to name just a few of the essential items that may need to have to be restored, so that operationally you can resume.

Seldom do we find an organization that has a property restoration specialist, document restoration specialist or IT restoration specialist within their talent pool and so these services need to be found in advance: this is the only way that your company can ensure that it will have priority response following an incident. This is important because, as is often the case, organizations are sometimes one of many in one location that have been affected by the same event at the same time, be it a storm, water mains flood in the street or wide area incident such as a river flood. The importance of pre-engaging your team is vital to the success of your incident management and your facility recovery.

Getting the Help Desk Back On-Line

Proper DR BC planning required for a successful recovery

When a disaster occurs business users are faced with many technical issues that prevent them from successfully functioning. A first step in the recovery and business continuity process is to get the help/service desk functioning. The support organization is a critical factor in business continuity planning and needs to have the structure, processes, and tools in place to ensure that:

  • Staffing

A major business continuity event will likely require the mobilization of more than a skeleton on-call group. Up-to-date contact information for all staff must be maintained and be accessible by support management from remote locations.

  • Notification

Notification processes and tools, whether automated or manual, must be tested in advance to provide an indication of their effectiveness. Knowing what percentage of technicians are able to respond to an incident is a basic requirement.

  • Operational infrastructure

Key networks, communication channels, databases, servers and systems must be brought online as quickly as possible.

  • Databases and servers

If business continuity planning includes changes to end user access methods, changes to security or server location settings, or any other systemic changes that might affect end users, the likely workaround for these issues should be pre-populated in a support knowledge base. Ideally, this information will be accessible by the end users themselves. However, as a minimum, it must be both available and accessible by those providing technical support.

  • Status reporting

Most business resumption plans include the sequential resumption of key business services. Informing the support organization of the current state of the business infrastructure, expected future actions, and unexpected issues that arise will allow them to convey this information to expectant business users, reducing uncertainty and allowing for better business planning.

Explosion, Terrorist Attack, or Random act of Violence

What to Do After an Explosion, Terrorist Attack, or a Radom Act of Violence

After an explosion, terrorist attack, or other random act of violence there can be a second event that cause as much damage as the first so care should be taken and the following steps should be taken:

  • Since one event can be followed by another, stay alert. There may be more danger yet to come.
  • For protection, consider crawling under a table or desk and remain there for at least 60 seconds.
  • Stay away from windows, mirrors, overhead fixtures, filing cabinets, bookcases, and electrical equipment.
  • If an evacuation is ordered, go to a designated place. Make sure all staff and others in your facility are accounted for. Do not forget handicapped people who may need your help in exiting. Do not move seriously injured persons unless they are in obvious, immediate danger (building collapse, fire, etc. ). Avoid known problem areas (where there are gas lines, fire hazards, etc. ). Once out, keep as far away from the building as possible.
  • Open doors carefully. ; Watch for falling objects.
  • Do not use elevators.
  • Do not use matches or lighters. Sparks might trigger explosions.
  • Avoid using telephones and hand radios. Electrical sparks or signals could trigger other bombs.

The Disaster Recovery Business Continuity template can be purchased as an individual item or bundled with job descriptions and or the Security Manual Template. The options are:


Disaster Recovery Business ContinuityDisaster Recovery Business Continuity Standard Edition

Disaster Recovery Business Continuity Template (WORD) - comes with the latest electronic forms and is fully compliant with all mandated US, EU, and ISO requirements.

  • Fully editable Disaster Recovery Business Continuit template
  • Disaster Recovery Business Continuity Audit Program - Compliant with ISO 27031,  ISO 22301, and ISO 28000
  • Disaster Recovery Manager Job Description
  • Manager Disaster Recovery & Business Continuity Job Description
  • Application Inventory and Business Impact Analysis Questionnaire
  • Incident Communication Plan and Policy with BEST PRACTICES for
    • News Conferences
    • Media Relations
  • Social Network Checklist
  • Included with the template are Electronic Forms which have been designed to lower the cost of maintenance of the plan. Electronic Forms that can be e-mailed, completed via a computer or tablet, and stored electronically including:
    • LAN Inventory, Location Contact Numbers, Off-Site Inventory, Personnel Locations, Plan Distribution, Remote Location Contact Information, Server Registration, Team Call List, and Vendor Contact Information
    • Added Bonus - Safety Program Electronic Forms -- Area Safety Inspection, Employee Job Hazard Analysis, First Report of Injury, Inspection Checklist - Alternative Locations, Inspection Checklist - Office Locations, New Employee Safety Checklist, Safety Program Contact List, and Training Record

Disaster Recovery Business ContinuityDisaster Recovery Business Continuity Premium Edition

  • Disaster Recovery Business Continuity Template

  • 20 Job Descriptions (WORD)

    Chief Information Officer - CIO, Chief Security Officer - CSO, Chief Compliance Officer - CCO, Chief Mobility Officer - CMO, VP Strategy and Architecture, Director Disaster Recovery and Business Continuity, Director e-Commerce, Director Media Communications, Manager Disaster Recovery, Manager Disaster Recovery and Business Continuity, Disaster Recovery Coordinator, Disaster Recovery - Special Projects Supervisor, Manager Database, Capacity Planning Supervisor, Manager Media Library Support, Manager Record Administrator, Manager Site Management, and Pandemic Coordinator

Disaster Recovery Business ContinuityDisaster Recovery Business Continuity Gold Edition

  • Disaster Recovery Business Continuity Template - Full template with all of its attachements.

  • 281 IT Job Descriptions including all of the job descriptions contained in the Premium edition.

With this offer you save almost 50% from the base price of these two very popular products

DR BC SecurityDisaster Recovery Business Continuity & Security Manual Templates Standard Edition Includes

  • Disaster Recovery Business Continuity Template
  • Disaster Recovery Business Continuity Audit Program
  • Security Manual Template
  • Business and IT Impact Questionnaire - 21 pages
  • Threat and Vulnerability Assessment Form

DR BC SecurityDisaster Recovery Business Continuity & Security Manual Templates Premium

  • Disaster Recovery Business Continuity Template
  • Security Manual Template
  • 25 Job Descriptions
    • Chief Information Officer - CIO; Chief Compliance Officer - CCO; Chief Security Officer - CSO;VP Strategy and Architecture; Director e-Commerce; Database Administrator; Data Security Administrator; Manager Data Security; Manager Database; Manager Disaster Recovery; Manager Disaster Recovery and Business Continuity; Pandemic Coordinator; Manager Facilities and Equipment; Manager Media Library Support; Manager Network and Computing Services; Manager Network Services; Manager Site Management; Manager Training and Documentation; Manager Voice and Data Communication; Manager Wireless Systems;Capacity Planning Supervisor; Disaster Recovery Coordinator; Disaster Recovery - Special Projects Supervisor; Network Security Analyst; System Administrator - Unix; System Administrator - Windows

DR BC SecurityDisaster Recovery Business Continuity & Security Manual Templates Gold

  • Disaster Recovery Business Continuity Template
  • Security Manual Template
  • 281 Job Descriptions which includes all of the job descriptions in the premium edition

"Best of Breed - Best Practices Disaster Recovery Planning / Business Continuity Planning, Security Policies, IT Job Descriptions" according to the IT Productivity Center

Order DRP BCP TemplateDownload DRP BCP Selected Pages