Do you wake up in a cold sweat, every morning, anxious that today might be that day?

The day you’ve been dreading.

The day you hoped would never happen to your business.

The day that the earthquake hit, the avalanche fell, the river flooded, or a digitally hooded cybercriminal made off with your crown jewels.

No, you probably don’t wake up worrying about that every day. Such levels of anxiety are unbearable. And your experience shows that disasters are, thankfully, rare occurrences. Unless you include coffee spills, printer jams and internet glitches, all of which seem to happen at the ‘wrong’ moment.

We’re all relieved to know that serious disasters don’t strike businesses very often.

But that’s no reason for not having a disaster recovery policy as part of your business continuity planning. Because if the worst should happen, it could be the lifesaver that keeps your business afloat.

Your disaster recovery policy

In simple terms, a disaster recovery policy is a document that sets out your strategy for mitigating the risks associated with a major unplanned event. This could be a natural disaster, a significant cyber-attack or other criminal activity, or some other unpredictable and damaging occurrence. Such as a global pandemic that shuts down entire populations for months at a time. Who expected that?

Such a policy doesn’t just address the risks to people and physical property. It also addresses the intangible, but still very real, risks to data in your systems, to your regulatory compliance, and to your reputation.

The policy is not a business continuity plan or a disaster recovery plan. But it does set out your approach for establishing, testing and maintaining these plans. The policy is the bedrock on which your survival plans are built.

What’s in a disaster recovery policy?

This policy can be a relatively short document. That’s because it’s a summary of your approach to business continuity planning, not the details.

Typically, a disaster recovery policy will include:

Purpose and scope

A clear statement of why the document exists and what business or activities it applies to. Typically, the purpose is to help ensure that commercial activities can continue as near normal as possible, that any damage is controlled, and that all necessary actions are taken.

The scope will document all the stakeholders to be considered, including employees, investors, customers, regulatory bodies and any others associated with the business.

Roles and responsibilities

The document defines the various roles required as part of disaster recovery planning and makes it clear who is responsible for oversight of the disaster recovery planning process.

It will set out specific responsibilities, including:

  • Identification of critical business and data assets.
  • Creation of business continuity risk assessment and business impact assessment.
  • Regular reviews of compliance and associated stakeholder risks.
  • Setting up mechanisms for information security planning.
  • Ensuring all employees are provided with the guidance, support and tools to achieve compliance with the policy.

Definitions

The policy will make it clear exactly what is meant by the various elements of recovery planning, including definitions of:

  • Business impact assessment
  • Business continuity strategy and plan
  • Supply chain assurance
  • Business continuity testing

Monitoring and evaluation

Your disaster recovery policy, and all the associated documents, should not be placed on a shelf (physical or virtual) to gather dust. They are vital to the ongoing life of the business and elements of them may be called upon more often than you expect.

Ongoing compliance with the policy, and a regular review of its appropriateness in the light of business or organisational changes, are essential.

The fundamentals of your disaster recovery plan

A policy is, in itself, useless without a detailed disaster recovery plan. Failure to plan is, as they say, planning to fail. This may not be strictly true (who plans to fail?) but failure is much more likely when planning doesn’t occur.

The disaster recovery plan considers the details of your entire organisation – operations, finance, HR, IT infrastructure, premises and equipment.

Planning for the digital aspects of the business is particularly important because these are now fundamental. Most of your processes and data are highly reliant on digital technology, making this an area of significant risk. Specific areas to be addressed include:

  • Data backup and recovery.
  • Risks to data security and integrity.
  • Impact of downtime in any aspect of the digital infrastructure.

Both physical and virtual access to computer hardware and software must be accounted for, particularly in an age of active cybercrime.

How 1RS helps take the dread out of disaster planning

What’s worse than a disaster striking your business?

This is what’s worse: when trouble strikes, you open your disaster recovery plan to discover some of it’s missing, some is out of date, some is inconsistent, and some is just plain wrong. Your route out of difficulty just got harder.

If you have a strong disaster recovery policy, and you stick to it, this shouldn’t happen. But in reality, documents like this often fall between the cracks of what’s still a largely manual process.

This isn’t what happens with our clients. We supply them with a comprehensive set of automated tools for managing governance, risk and compliance (GRC).

Using these tools, they’re able to monitor all their documents and process flows, giving them a single, comprehensive perspective on all their external regulatory and internal policy positions. They can implement controls, tests and alerts to ensure nothing is missed and everything is kept up to date.

Our software tools have been created by risk and compliance experts. They’re designed to meet the needs of today’s fast-moving businesses, from startups in fintech to more established operations.

We take the dread out of disaster recovery planning, by helping businesses build resilience and better manage risk. To learn how we can help you do that, get in touch.