Your Essential Disaster Recovery Plan Checklist

October 27th, 2021

You can operate your business without a comprehensive disaster plan, but it’s a dangerous option. In our data-driven, work from anywhere world, security breaches are on the rise. And if you’re not prepared for downtime, either due to a hardware failure, malicious act, or natural disaster, you could lose money, trust, and even your business.

We know that IT disaster planning can feel overwhelming. That’s why we created this easy-to-use disaster recovery plan checklist. (And if you have more questions, reach out to our expert team. We’d love to dig into the nerdy details with you.)

You Can’t Afford to Ignore Your Business Continuity Plan

There are all sorts of terrifying statistics out there about the cost of downtime and data breaches. In a 2021 report, Veeam estimated that most downtime incidents last at least 79 minutes, and cost the average business $1,410.83 per minute.) While we don’t like scare tactics any more than you do, there’s a hard truth here:

Your business can’t afford to lose $111,455.00 due to downtime.

And this number doesn’t include softer losses, like reductions in your customers’ trust, employee confidence, or your brand’s reputation.

Unfortunately, many organizations have significant gaps in their disaster recovery systems. 39 percent of small and medium-sized businesses didn’t have an established disaster recovery plan in 2019, according to the Ponemon Institute. In these cases, an unexpected hardware failure or ransomware attack could lead to prolonged downtime and catastrophic financial losses.

The COVID-19 pandemic admittedly accelerated digital transformation, but many businesses still have significant gaps in their disaster recovery plans. Veeam reported that 80 percent of businesses have an identified availability gap—meaning they cannot recover applications as fast as they would need to after an outage. Another 76 percent have a protection gap because they are not backing their applications and data up as frequently as they should.

If you’re not sure where to start, that’s okay. The checklist below will guide you through the essentials of a well-built disaster recovery plan.

1. Determine Your Ideal RTO, RPO, and Recovery Objectives

The first step in your DR plan is determining your recovery time objective (RTO), your recovery point objective (RPO), and performing a business impact analysis.

  • RTO: an established timeframe in which operations should resume
  • RPO: the amount of data that can be lost before your business is significantly harmed

However, to do this, you must identify critical systems and infrastructure.

Risk Assessments and Identifying Critical Systems

Some businesses are more vulnerable during a disaster than others. As you evaluate your recovery process, consider how much risk your organization is willing to take on. Do you work with sensitive information or operate in a highly regulated industry? Would a data breach open your organization up to liability?

Consider all your risk factors and assess how an outage or data breach would affect your business operations. Then, based on your unique business needs, current backup solution, and future DR scenarios, create a disaster recovery and preparedness strategy that is realistic, cost-effective, and agile.

Be practical about these assessments. While your gut reaction might be, “I can’t afford any lost data or downtime,” that’s not realistic. Prioritize your critical data and applications and look for ways that you can create efficiencies.

For example, if you have data sets that are rarely used or updated, you might not need to fully replicate them in a virtual machine. Instead, a practical and effective disaster recovery plan might include archiving or backing up this data in a way that maximizes your DR budget.

You should also inventory all your hardware, software, and cloud resources, so you can efficiently identify which things you can afford to lose, and how much time it may take for you to recover the essential data before resuming operations as usual.

RELATED: Data Privacy vs. Data Protection: What That Means in 2021

2. Plan for Remote Work, Even Before Disaster Strikes

Suppose a disaster occurs. Where would your team work? Do they have access to the applications and information they need? Does everyone have reliable internet and the necessary tools? What if a key stakeholder is decommissioned—can you reassign tasks and permissions easily?

Sometimes, companies talk about “hot sites,” where employees and other stakeholders have access to all their applications and data, and “cold sites,” where these tools are unavailable. In our modern, “work from anywhere” environment, this seems like an outdated approach.

When you have a comprehensive, cloud-driven disaster recovery plan, your team should be able to log in to their virtual machines from any device and from any location. You can also seamlessly transition permissions and address your changing reality with a few clicks.

However, you can’t access the cloud if you’re offline. While you can’t plan for every catastrophic event, consider including out-of-state or out-of-area stakeholders in your disaster recovery plan, so they can leap into action in these cases. (You should also consider maintaining copies your data on multiple server banks, including some that are outside your hometown.)

Look for High Availability Solutions

The CIA triad (confidentiality, integrity, and availability) goes beyond disaster recovery. After all, disaster recovery typically kicks in once your IT infrastructure has failed. Nonetheless, it’s important to consider here.

High availability systems create redundancies and reduce the number of single points of failure. This might include multiple power sources, redundant storage, multiple data centers, load balancing, and “self-healing” solutions. Together, these tools can make your cloud and disaster recovery systems more scalable, agile, and secure.

Ideally, your cloud infrastructure and environments should include high availability. (That’s why we don’t give our clients a choice—all our disaster recovery and cloud solutions include high availability and you cannot opt out.)

RELATED: Lessons Learned From the Colonial Pipeline Hack (and Other Data Breaches)

3. Build Your Recovery Team

Now that you have some tips on organizing the “what” of a recovery plan, it’s just as important to determine the “who.” Apply the same practices in delegating the roles each person should play in the event of data loss. For example, who has the access to secure systems and who can authorize others to access it? Which department should handle which tasks to restore operations?

Your disaster recovery team might include:

  • IT professionals, including in-house experts and outside partners
  • Hardware experts and technicians
  • Customer service specialists, especially if you are a B2C company and you’re concerned about data privacy and breaches

For many businesses, it makes financial sense to partner with IT and disaster recovery experts, like our team, instead of hiring everyone in house. Your IT team has many daily concerns, and might not have the industry insight and expertise that disaster recovery and cloud solutions specialists have. And, diversifying the recovery team’s locations and experiences can add extra layers of protection if your security systems are breached or your hardware fails.

4. Implement a Communication and Testing Plan

You can have the best disaster recovery plan in the world, but if you don’t socialize it and train people, it will be useless. Now is the time to clearly communicate your disaster recovery plan, train the necessary stakeholders, and test your systems.

Just like your DR solutions, you should create redundancies in your team. Cross-train people so that they pivot and take on additional roles or responsibility in case someone else is not available.

You should also regularly test your DRaaS solutions. Testing lets you look for flaws in your plan and keeps your plan at the top of your team’s mind. (If you need help with testing, let us know. We regularly help clients simulate outages, perform risk assessments, and identify missed opportunities within their existing recovery strategy.)

And if the unthinkable happens, you will need both external and internal communication and crisis management plans. Whether your company is a small business or a major corporation, you’ll need to communicate with clients, vendors, suppliers, the public, and employees. Keeping these groups informed on the status of your outage will put them at ease while you’re dealing with the situation.

One approach would be to have pre-written statements that you can post on your website, across social media platforms, and send via your CRM, including contact information, the steps you are taking to protect them, and what people can expect.

Do You Have a Comprehensive Disaster Recovery Plan?

Complete Our Disaster Recovery Checklist and Find Out


Virtual Systems: Helping Businesses Protect Their IT Infrastructure

In today’s ever-changing IT landscape, you need a partner who can help you protect your business’ applications, data, and productivity. Our team creates customized disaster recovery plans that reflect the organizations’ unique needs, budgets, and priorities. Whether you are looking to replicate your data virtually or need an agile data backup system, we can help.

Virtual Systems is your trusted cloud-first IT solutions partner. We help businesses “level up” on security and protect their hard-earned reputations. Whether you’re looking to “set it and forget it,” or you’d like the ability to customize and manage your backup and recovery plan, our team can help make that happen.

To learn more contact us at 844-2-VIRTUAL.


Cost of a data breach, 2019. Ponemon Institute. Retrieved from

Russell, D. & Buffington, J. (n.d.) “2021 Data Protection Report.” Veeam. Retrieved from:

Leave a Reply

Let's Talk