How to Test a Disaster Recovery Plan for Small Businesses

mark-516277_960_720

Forrester data from March 2015 shows that 63% of SMBs, globally, consider purchasing or upgrading their disaster recovery or business continuity capabilities to be a high or critical priority. Top drivers behind the need to improve disaster recovery capabilities are regulatory and legal pressures (38%), fiduciary responsibility to various stakeholders (37%), the cost of downtime (32%), and a requirement to stay online and competitive 24x7 (29%). Despite these trends, however, 14% of SMBs don’t have disaster recovery budgets in place. And, without funding, disaster recovery quickly slides to the bottom of the to-do list. That’s why our SMB clients frequently ask us how they can better plan for a disaster and test their disaster recovery plan. Here’s what we advise.
  

First of all, determine the levels of disaster scenarios to consider testing

1.) An important file is lost. Can you restore it in a timely and effective fashion?

2.) Your organization’s server fails. Can it be virtualized? Replaced?

3.) There is a biohazard that has made the office inaccessible. Can all employees work remotely?

4.) Your office burns down. Can you function?

5.) The worst of all possible disasters: The entire city where your office is located is struck by              disaster. Are you out of business?

Review each department in your organization separately.  Ask how long they can afford to be “out of business” and what resources they would need to get up and running. Create your overall plan to take into consideration the specific risk factors for each department.
 

Next, plan to test the scenarios.

Industry standards suggest that you test your plan for a failed server situation twice a year and for a Level 4 disaster scenario (your office burns down) once a year. Note that as the severity of the simulated disaster situation increases, the more downtime the test will require. Of course, when you have a quicker way to recover from a disaster (backup systems in place, server virtualization methods, etc.), the less downtime a simulated disaster will require.  Consider hardware and consulting costs — as well as the cost of downtime — before you decide which testing level is best for your organization. After this evaluation, if you find that the cost of testing (dollars and downtime) is an issue, consider testing only the most common disaster scenarios — server failure and file loss.
 

Finally, test your scenarios.

Once you have a detailed disaster recovery plan in place, you want to make sure it is effective when the time for tests has come and gone.

1)  First, with the help of external consultants and/or your internal IT team, plan the disaster recovery test with the full knowledge (and acceptance) that it will require downtime. Then, comprehensively communicate this to all employees and clients.

2)  Ensure that you have an executive-level user involved in the testing scenario so that you have someone on the “front lines” who can evaluate the test from a business continuity perspective. A CEO or several department heads would work.

3)  Next, as you are conducting the test, keep a detailed log of everything that does not go as planned (as well as the solutions that worked well). This way, the test will inform the plan’s revisions.

4)  Finally, when your test is complete, review your log and incorporate any suggestions to modify your plan (and, if necessary, your technology) so you are ready for the next test.

The recent data is scary. SMBs recognize the importance of disaster recovery, but their budget allocations don’t align with stated concerns. Disaster recovery testing is not the place to try to save money, especially when you consider the fact that 30% of organizations never recover after a major disaster. When designing and testing a disaster recovery plan for your organization be specific and be comprehensive. It could be what keeps you in business.