Disasters come in all shapes and sizes. It\u2019s not just catastrophic events such as hurricanes, earthquakes and tornadoes, but also incidents such as cyber-attacks, equipment failures and even terrorism that can be classified as disasters.\nCompanies and organizations prepare by creating disaster recovery plans that detail actions to take and processes to follow to resume mission-critical functions quickly and without major losses in revenues or business.\nWhat is disaster recovery?\nIn the IT space, disaster recovery focuses on the IT systems that help support critical business functions. The term \u201cbusiness continuity\u201d is often associated with disaster recovery, but the two terms aren\u2019t completely interchangeable. Disaster recovery is a part of business continuity, which focuses more on keeping all aspects of a business running despite the disaster. Because IT systems these days are so critical to the success of the business, disaster recovery is a main pillar in the business continuity process.\n\nThe cost of disasters\nEconomic and operational losses can overwhelm unprepared businesses. One hour of downtime can cost small companies as much as $8,000, midsize companies up to $74,000, and large enterprises up to $700,000, according to a 2015 report from the IT Disaster Recovery Preparedness (DRP) Council.\n Zetta \nAnother survey from disaster recovery service provider Zetta showed that more than half of companies surveyed (54%) had experienced a downtime event that lasted more than eight hours over the past five years. Two-thirds of those surveyed said their businesses would lose more than $20,000 for every day of downtime.\nRisk assessments\u00a0identify vulnerabilities\u00a0\nEven if your company already has a disaster recovery plan of some sort, it may be time for an update. If your company doesn\u2019t have one, and if you\u2019ve been handed the task of coming up with one, don\u2019t jump in feet first without doing risk assessment. Identify vulnerabilities to your IT infrastructure and where things could go wrong. A prerequisite is knowing what your IT infrastructure looks like.\nKnowing where things could go wrong doesn\u2019t mean that you start creating worst-case scenario plans. In a recent blog post in the Disaster Recovery Journal, authors Tom Roepke and Steven Goldman suggest that naming the worst-case scenario in business continuity planning can be dangerous by drawing attention away from other significant threats:\n\n\u201cThe natural tendency is to try to name or define what the worst case scenario is. This becomes a fatal flaw because it shapes the entire planning effort thereafter, even if it is at a subconscious level. So when we insert a named scenario - pandemic, earthquake, cyber-attack, etc., -- we automatically start thinking and planning in terms of response\/recovery for that specifically and subconsciously defined incident. When this occurs we not only tend toward a tunneled view in our planning efforts, but we are also in danger of increasing our risk and exposure. This is because there will be a hyper-focus on only one or two specific areas in what we think is the worst-case scenario, and not the actual event.\u201d\u00a0\nSource: The \u2018Worst Case Scenario\u2019 Myth\n\nThe key, Roepke and Goldman suggest, is to focus on \u201cmanaging the crisis, restoring business critical functions and recovering all while communicating with your stakeholders.\u201d\nWhat is a disaster recovery plan?\nType \u201cdisaster recovery plan template\u201d into Google and dozens, if not hundreds, of templates will appear. Use those to get started and modify towards your business or organization.\nThe plan itself should include the following:\n\nStatement, overview and main goals of the plan.\nContact information for key personnel and disaster recovery team members.\nDescription of emergency response actions immediately following a disaster.\nDiagram of the entire IT network and the recovery site. Don\u2019t forget to include directions on how to reach the recovery site for personnel that need to get there.\nIdentifying the most critical IT assets and determining the maximum outage time. Get to know the terms Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO indicates the maximum \u2018age\u2019 of files that an organization must recover from backup storage for normal operations to resume after a disaster. If you choose an RPO of five hours, then the system must back up at least every five hours. The RTO is the maximum amount of time, following a disaster, for the business to recover its files from backup storage and resume normal operations. If your RTO is three hours, it can\u2019t be down longer.\nList of software, license keys and systems that will be used in the recovery effort.\nTechnical documentation from vendors on recovery technology system software.\nSummary of insurance coverage.\nProposals for dealing with financial and legal issues, as well as media outreach.\n\nBuilding a disaster recovery team\nThe plan should be coordinated by IT team members responsible for critical IT infrastructure within the company. Others who need to be made aware of the plan include the CEO or a delegated senior manager, directors, department leaders, human resources and public relations officials.\nOutsde the company, vendors associated with disaster recovery efforts (software and data backup, for example) and their contact information should be known. Facility owners, property managers, law enforcement contacts and emergency responders should also be known and listed within the plan (and updated frequently as names or phone numbers change).\nOnce the plan is written and approved by management, test the plan and update if necessary. Be sure to schedule the next review period and\/or audit of the disaster recovery functions. Update, update, update as events transpire (large or small). Don\u2019t just put the plan in a desk drawer and hope that a disaster doesn\u2019t occur.\nA disaster has happened\u00a0\u2013 now what?\nIf a disaster has occurred, it's time to start your incident response. Make sure that the incident response team (if it\u2019s different from the disaster recovery planning team) has a copy of the disaster recovery plan.\nIncident response involves assessing the situation (knowing what hardware, software, systems were affected by the disaster), recovery of the systems, and follow-up (what worked, what didn\u2019t work, what can be improved).\nWhat's next? Cloud or recovery-as-a-service\nLike many other enterprise IT systems that have moved to the cloud, so has disaster recovery. Benefits of the cloud include lower cost, easier deployment and the ability to test plans regularly. However, this could come with increased bandwidth needs or degrade a company\u2019s network performance with more complex systems.\nA 2016 Gartner report identified more than 250 providers of DRaaS offerings. Of course, you probably don\u2019t want to review 250 companies and their offerings, so here\u2019s a good place to start: Mike Smith, founder and president of AeroCom, and an IDG Network Contributor, offered up a report analyzing about 20 different DRaaS providers. Here\u2019s another recent writeup of some top DRaaS companies to watch.\nAnalyst firm Forrester Research also has a take on the DRaaS market. It evaluated the 10 most significant players in the market in its Forrester Wave report (available for $2,500).