We are your reliable technology partner.

How to Create an Effective Disaster Recovery Plan

What is a Disaster Recovery Plan?

A disaster recovery plan is a documented and repeatable plan that enables the business to recover operations as quickly as possible. 

What is a disaster recovery plan in information technology (IT)? It is a document outlining the response procedures that lower the impact of IT service interruptions by ensuring swift recovery of operations that protect data and service availability.

Why is a Disaster Recovery Plan Important?

The purpose of a disaster recovery plan is to ensure the business can recover from an unexpected event that causes their IT services to be interrupted and ensuring they have operational processes in place until IT services are brought back online. A good disaster recovery plan minimizes risk and the disruption caused by disasters.

The common misconception is that the disaster recovery plan covers only IT, but in actuality, it also must consider the business. The purpose of a company disaster recovery plan is to minimize the business disruption that IT service interruptions cause and then develop the disaster recovery plan to ensure that services are recovered based on their priority to the organization.

This means the business needs to work with IT to establish their tolerance for the downtime of critical services and/or to identify those that must always be available. The disaster recovery plan then spells out the recovery procedures for each type of disaster so they may be executed rapidly.

The benefits of this plan are wide-ranging:

  • Lowered revenue loss due to faster recovery of revenue-generating operations
  • Faster system/service recovery times
  • Customer and investor confidence in the company enabling it to retain its reputation
  • Increased ability of operational groups to recover on their own, whether the interruption affects only their group or an entire region
  • Cost efficiency gained by having a plan and contracts in place versus a last-minute scramble for solutions
  • Access to business-critical data during and after a disaster
  • Ability to continue operations in the face of complete chaos

A company disaster recovery plan will prioritize the IT services provided based on their criticality to the business. There are three primary elements to the plan:


Pre-disaster planning activities ensure redundancy is available in the event of a disaster and that staff are able to quickly failover. This ensures required hot-sites, data backups, and staff procedures are in place, and that required teams are available when there is a disaster and know what to do. Planning activities also identify those


Leveraging the concepts of resiliency and redundancy. Continuity ensures the business can operate throughout the disaster. For business-critical or customer-facing digital services, this may mean the use of virtual data centres with services replicated across them for complete continuity, even at reduced performance levels or manual failover via hot-sites for less critical systems.


Vulnerability management systems that scan the enterprise and identify known vulnerabilities based on the NIST cyber security threat database. When integrated with service management tools, these systems can use the CMDB to open prioritized remediation tasks depending on the risk to the environment.

Disaster Recovery Plan vs Business Continuity Plan

Business continuity plans (BCP) and disaster recovery plans are very tightly related, but they are not the same thing. A business continuity plan contains an assessment of risks to the business and the type of response needed for each, ensuring the business is able to continue operations in the face of a disaster of any size or type.

The best disaster recovery plan uses the business continuity plan as an input for creating the BCP disaster recovery plan, or the documented disaster recovery plan that IT will use to protect business services.

Disaster Recovery PlanThe business continuity plan provides critical information for the creation of this plan. As it is based on an inventory of all critical business functions and how long the business can tolerate their unavailability, the BCP disaster recovery plan will identify:

  • The services that can never be down (where virtual operations add resiliency)
  • The critical business systems and how long they are able to be unavailable after a disaster
  • The less critical systems and servers that could be recovered once the critical area are made available

For this reason, many consider the business continuity plan to be the proactive pre-work that the business does to set up the BCP disaster recovery plan and then the disaster recovery plan spells out the procedures to be used when disaster strikes.

Another distinction that is made is that the business continuity plan ensures all business operations to be able to function regardless of the type of event, while disaster recovery plans focus on the recovery of IT supplied systems and services. Even though it may be more focused on IT, having a company disaster recovery plan means that IT is prepared to support the business regardless of the threat that comes to pass.

There are distinctions between the plans, but they are also a bit circular: the business continuity plan feeds information to IT that is used to create the disaster recovery plan. The disaster recovery planning process provides feedback to the business continuity plan concerning the pre-disaster budget needed to carry out preparations and the required operational budget needed in the event a disaster occurs.

Business Continuity Plan

Disaster Recovery Plan

  • Inventory of events that could impact the business’s ability to continue operations
  • Risk assessment for all areas of the business
  • Business impact analysis for each risk
  • Prioritized list of business services, with an analysis of availability needed or downtime that can be tolerated
  • Creation of mitigation plans to address each risk identified within required recovery times
  • Documentation of the disaster recovery teams and their contact information
  • Contract inventory/vendor listings
  • Documentation of each area’s disaster recovery plan
  • Inventory of all IT systems and services and the response required by the business
  • Plan for achieving resiliency for systems that cannot be down
  • Plan for achieving service restoration for all other services, in order of priority and including the timing needed
  • Procedures for data backup and/or replication to ensure data can be recovered
  • Documented disaster recovery team members and the activities they will perform in the event of a disaster
  • Business requirements for planning activities are needed to ensure the plan can be executed

While the business continuity plan provides inputs to the disaster recovery plan, the recovery plan also provides inputs or requirements to the business continuity plan. The business continuity plan provides the information IT needs to formulate the disaster recovery plan. In contrast, the IT disaster recovery plan identifies the budget needed to respond to the BCP as part of the preparation and any ongoing costs that will be incurred if disaster strikes.

Steps in Creating the Plan

As mentioned earlier, there are three common elements of a disaster recovery plan: preparation, continuity, and recovery, but a number of steps are within each of the elements.


The disaster recovery planning process is the most important element of building a disaster recovery plan as it identifies the work to be done prior to encountering an issue to ensure recovery can be achieved within the tolerable limits set by the business. Disaster recovery planning will cover several steps:

Identity the Disaster Recovery (DR) planning team

The team will create the strategic vision for the planning effort and understand the plan thoroughly as it evolves. They will perform all the planning tasks to follow and maybe part of the DR team that recovers services.

Identifying potential risks

Using the business continuity plan risk register, IT inventories the potential impact on IT systems and services, building an IT risk register that aligns with business priorities.​

Understand or perform a business impact analysis

For each of the systems and services, identify the type of response needed: resiliency or recovery. The difference between the two is that business-critical services that cannot tolerate downtime, like customer-facing sales websites, require resiliency: the ability to continue operations no matter what type of disaster is encountered. Other, less critical services may tolerate being down for 4 hours, one day etc. This needs to be catalogued according to criticality.

Creating a service/system inventory

The inventory is a list of IT systems and services built according to the business impact analysis.

Determine and implement preparations needed

The creation of the plan is only part of the work needed before an interruption occurs. The backup of data centres, hot sites or resilient, virtual data centre designs will all need to be planned and implemented to carry out the plan. This includes obtaining the budget needed and incorporating the new designs into the daily work of IT teams to ensure they are ready when needed.

Ensure data protection

The creation of the plan is only part of the work needed before an interruption occurs. The backup of data centres, hot sites or resilient, virtual data centre designs will all need to be planned and implemented to carry out the plan. This includes obtaining the budget needed and incorporating the new designs into the daily work of IT teams to ensure they are ready when needed.

Document the plan

The final plan needs to be fully documented, down to the procedural level and both the DR Team contact lists and system recovery documents need to be rigorously maintained. Many organizations leverage their change management process to ensure the documentation stays current.

Train the DR team and staff

The plan won’t execute itself, so all DR team members need to be trained, rehearsed and repeatedly drilled in execution to ensure they can carry out the plan. All staff need to be trained in building evacuation, safety and check-in processes and communication regarding preparations needs to be continual.

Test, rehearse and test some more!

Everyone needs to be prepared, but the effectiveness of the plan needs to be assessed regularly, improvements documented and added to the plan.


When an event occurs, continuity is the execution of the disaster recovery plan so the organization may continue to operate. The highest priority is ensuring the highly critical services are available before moving into general recovery.


The final element of the disaster recovery plan is restoring all remaining services to an operational state so the business can function indefinitely.

Risk of Having No DR Plan

Disasters will occur whether the business and IT organizations plan for them or not. There will be significant business interruption with no plan, to the level of total business failure in some cases. The risk of no disaster recovery plan is that the business will lose money, staff productivity and reputation.

The risk of not testing disaster recovery plans is as bad as the risk of not having a plan. If the staff are untrained in the plan’s execution, recovery times will be prolonged, causing revenue loss and reputation loss at the same level as having no plan.

Not having a disaster recovery plan results in these common risks, regardless of the type of event:

  • Business interruption
  • Customer and investor loss
  • High recovery costs
  • Data loss

Disaster Recovery PlanIn addition to high recovery costs, there is also the possibility that the business won’t be able to recover at all or will limp along for a period of time and risk failing after attempts to stabilize. Disasters are growing all the time: disaster recovery used to be about whether events, fire and building or utility issues. Today businesses also need to be protected against cyber-attacks, acts of terrorism, as well as the more common weather and utility interruptions. The scale has also grown from some of the more destructive issues; a terrorism attack can impact an entire region or country.

Not having a company disaster recovery plan often means a business not having a future. Even if the plan only addresses the most critical business systems, every company needs a plan to ensure they are able to recover business activities when disaster strikes because it will. At CG Technologies, we can work with you to create an effective business continuity plan. We also offer a range of supporting services; contact us to find out more.

Leave IT to us

With over 25 years of experience delivering exceptional services to 100’s of companies in the Greater Toronto Area (GTA), CG Technologies are confident we can deliver the same benefits to your organization – keeping you secure, delivering reliable and trusted IT solutions and expertise. Our industry-leading strategic IT consulting and IT solutions will allow you to focus on what matters most – your business.