Question to the DL: Do you have a DR template we can use?
Disaster Lady Answer: I do have different templates, but there is a reason that you do not see planners that just post templates out there. It is because there are different types of IT DR Plans. Is it for a large or small organization? Business or government? If you have a government client, then you need to have portions in there regarding their overarching Continuity of Government Plan. If this is a business, do they have the required overarching business continuity plan or crisis management plan? An IT DR plan is a supporting plan to a business continuity plan. If you do not have one then you need to build those business recovery aspects into the IT DR Plan or when you use it, it will run off the rails. Believe me when I say that me and my staff have had to clean up a lot of situations where this has happened.
No matter the type of client, you need to have data from the Business Impact Analysis (BIA) before you create an IT DR Plan – this can be very simple analysis if it is a small organization. It details the business processes, impact to the organization if those processes are not available for certain time periods, and the Maximum Allowable Downtime (MAD). MAD has become bastardized with Recovery Time Objective (RTO) since that is what most folks know so you may see it referred to as business process RTO. However, the RTO has always been a designation for the recovery of IT systems.
The BIA answers the question of “So What?” for the IT systems and lets you know what you are planning against. Without these business requirements, you are throwing spaghetti at a wall and hoping it sticks. You (and your customer) are also statistically 3X more likely to overspend on the IT DR solution without this data. Oh, and don’t even get me started if the client is required to comply with certain regulations such as FFIEC, PCI DSS, HIPAA, etc.
Now, how do you solve their problem you might be thinking? For right now, you can focus on having them give you recovery requirements, doing a high-level risk assessment, and then work on certain technical strategies to stop the bleeding. Let me know if this helps you in any way. We can also set up a time to talk or we can talk through PM and continue the conversation if you would like. Thanks for asking!