The IT Disaster Plan: “What Do I Need?”

Well, after finished the draft on book #4, completing a newsletter for the TIEMS organization and working on some marketing initiatives for StoneRoad (and Madaemen, a division of StoneRoad), I can finally get back to a few blog/article postings.  Enjoy…


Having been in the industry for many years (17 and counting) I get asked quite a few questions; from what is BCM (get that one allot) to how do I get started?  I’m happy to help with answers and try to provide a knowledgeable and suitable response, tailored to the person(s) asking.  Recently, I was asked by a friend what his company needed for an IT Disaster Plan?  Well, I could be sarcastic and say ‘you’ll need technology’ though I didn’t think that would go over well.  I decided to take a different approach and first find out how far along his company was on the BCM/DR road.  Turns out, not very far at.

I started asking a few basic questions to help gauge where they were.  I could tell my his initial question that the company wanted to start building an IT Disaster Plan immediately, skilling many of the other BCM program development components that help lead to the proper development of the IT DR plan.  This occurs for many corporations, where they jump into the solution building before they even know what the solution should be or why they are building the solution and for what the solution supports.  Kind of like trying to do a puzzle without knowing what the picture is.

Not to recreate out entire conversation, here are some of the questions I posed to him – to take back to the office – to help determine what the company should / shouldn’t consider.

  1. What are your critical      processes/services/departments? – If you      don’t know this, what are you building for?
  2. What is your critical data?      – For many, not all data is critical.       Is development data (dummy data) critical?  Probably not.
  3. When do you need it?      – If you don’t know when you need your data (and services/process) up and      running, then you’re really in trouble because you don’t even know when to      restore/recovery IT, let alone what you need to do it.
  4. How much can you loose?      – This is the question ain’t it?       What’s it gonna cost for me (the company) to be off-line and how      long can I suffer loosing money?
  5. What’s the Maximum      Acceptable Outage (MAO) for systems/services to be off-line?      – How long I can tolerate an outage will help determine what I need to      have in place for backup, restoration and recovery equipment/resources.
  6. What’s core to your      business? – You’ve got to know what is core to the      business so that your key/core service/product/system is highlighted as      the topIT DR      priority.
  7. What’s you’re current backup      strategy? – Always good to know where you stand in the      present day, as it helps determine where you’ve got to go in the      future.
  8. What is your current Recovery      Time Objective (RTO)?  Recovery      Point Objective (RPO)? – Where did the numbers come from?  Who decided on what they are?  You might know the RPO based on your      current situation but that doesn’t mean it’s acceptable.  All to often business units believe data      will be available first-thing, when that’s not the case at all.  They also don’t realize that there is      the possibility of lost data because an entire day’s work can potentially      be lost.
  9. Who is determining what is      critical to the company; business users, IT Management or Senior/Executive      Management? – Let’s face it, if the Sr. Execs haven’t told      you what’s important to the company, then you better find out cause you      might be on different playing fields with different expectations before      you ever get started.
  10. What were the results of      your Business Impact Analysis (BIA)? – This      is key and ensures that the final findings are agreed-to by the executive;      otherwise the BIA findings are just the results of each individual      department, which may not be in line with what executives believe to be      critical/key/important to the company.       If they valid the findings, you’ve got your marching orders for the      next steps.  If they don’t agree      with them, you’re going back to square one to find out where the      discrepancies are (i.e. inter-dependencies, identified core processes in      line with corporate strategy and direction…).


We talked more but these were some of the key questions I touched upon.  The lastone – #10–was actually the first question asked.

He then asked a 2nd question; “How do we know if we should use a vendor or not?”  The context related to a decision on when to utilize a vendor DR Site

Really, there’s only one answer; what were the results of your BIA?  When you know the answers you can then move on to answer the other questions need that will inevitably be asked:

  1. Do we need an IT DR strategy      at all? – Based on the BIA results, what is our current      capability?
  2. Can we do it internally?      – Do we have the resources available to build/configure an appropriate      restoration/recovery strategy?
  3. Do you have the      facility(ies) if we go internally? – You      may have multiple locations and one of them has a floor that is completely      empty…could this become the alternate IT location?  You’ll need to investigate but it’s an      option.
  4. What’s the cost to do it      internally? – Again, it’s the main question; how much will      it cost the corporation to put an acceptable strategy in place?
  5. What resources (physical      & financial, employees) to we need to meet the RTO?      – Based on what the corporation currently has available (and current      restoration/recovery strategy in place) what would be need to ensure that      the RTO’s can be met?
  6. What are our options if we      go external? (I.e. cold, warm, hot site configurations)      – Investigate your options, as to what vendors to speak to and determine      what is needed to meet the RTO’s.       You may only need a warm sit over a hot site depending on the BIA      findings and current (internal) configurations.


Building an IT Disaster Recovery Plan or as I like to call it, a “Technology Recovery Plan (TRP)” can’t just happen without proper inputs.  You can’t build a house for someone without knowing what they need and want, so how can you build anIT DRplan without knowing what’s required and why?  You can’t.  What’ll happen is that a restoration/recovery strategy will be developed – at considerable cost – and yet it won’t meet the needs of the organization.  It can over-deliver and exceed the need but then you’ve spent allot of money you didn’t have to.  It’s better to build what you need – with the ability for it to grow – rather than building something in the dark that won’t meet any requirements.   Then the re-work begins and it’s like starting over; again, by spending more money, which you may not have.

Well, when we finished out conversation my friend said he had lots to take back to his boss.  The last time I spoke to him they were deciding on the BIA…  Hmm, wonder if they need some help with that? 😉

(C) Stone Road Inc (2012)


 “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility” and “Made Again Volume 1 – Practical Advice for Business Continuity Programs” and “Made Again – Volume 2.”

by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3

Available at, &


2 thoughts on “The IT Disaster Plan: “What Do I Need?”

  1. I handled the DR plan for a company I was working for during Y2K (and about 5 years after) we used a vendor for offsite storage. It amazes me that a company would NOT have a DR plan in place. Even when I had my own small business I kept a backup of my computer and data in a separate/safe location

    • It surprises me too. After 17+ years I still can’t fathom why a corporation believes it doesn’t need any sort of DR/BCM/ERM plan in place. Yet still…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s