Scenario ID: SC570


Scenario Description

The company has a well-documented and periodically rehearsed disaster recovery plan


Scenario Detail

Disaster recovery is a business critical activity that all organizations should be undertaking.

No organization knows when it might be hit by a disaster, and preparedness can avoid the devastating impact that some disasters can have. Disasters come in many forms.

There are natural disasters such as major storms, earthquakes, tsunamis and floods.

These can have a very negative detrimental physical impact on businesses such as destroying buildings and killing people.

There are also human caused disasters which can have either a physical impact or an impact to systems or people. Some examples of these include the Gulf of Mexico oil rig explosion, but also major computer viruses unleashed by hackers that can have a crippling impact on IT systems.

There are also terrorist activities that can destroy the buildings that people operate in, or deny them access for some time. While all of these disasters may seem major or unlikely, there are also more day-to-day and ordinary types of disasters, such as fire, flooding, or equipment breakdown that can easily impact any business.


Having a well-documented disaster recovery plan is beneficial for any organization, as all companies face the risk of disaster.

Some may face more risk of different kinds of disasters, but assessing risks and preparing appropriately is an essential activity in creating a disaster recovery plan.

Being prepared for a disaster helps organizations to recover from it much more quickly through being impacted less. Some organizations may not consider themselves to be particularly at risk and so do not bother with a disaster recovery plan, but this is a mistake.

As we have seen from the types of disaster that can occur, it is easy to have some sort of technological problem that can impact on operations. Also, human error can lead to disaster happening, and does, with some frequency, unfortunately.

Additionally, the natural environment can throw environmental challenges a company’s way to create major problems. However, on the other side, customers want to be able to access businesses continually.

If an organization is not up and running providing business as usual then customers simply go elsewhere. These are all important reasons for putting a disaster recovery plan in place as soon as possible.


Setting up a disaster recovery plan first requires definition and understanding of different risks faced.

This needs to be combined with gaining an understanding of what the impact would be to the business if different types of disasters occurred. By going through this process it is possible to see what the essential activities of the business are that have to be kept up and running, or recovered very quickly in the case of disaster.

In assessing risks it may be useful to adopt a “high, medium, low” ranking. For example, away from the coast line a tsunami risk might be indicated as low, but the business might use machinery that can get overheated, and so the risk of fire might be higher.

In creating the disaster plan it is important to ask “What if” questions, such as: “What if this machine got destroyed?” The important part is considering different scenarios figuring out how to recover from them. In the example provided this might be by having the data also backed up daily or hourly (depending on what is relevant) and then importing it as needed in the case of a disaster.

For each “What if?” there should be a solution that helps to recover from the problem. Processes need to be defined and documented so that people know what to do to recover operations as quickly as possible. On that note it is also useful to understand the time that would be taken to recover.


Having a plan in and of itself is no use at all if no one is aware of it and if people forget what the processes are to recover. Additionally, change is a continual occurrence in organizations, so it is necessary to regularly revise the plan to make sure that everything within it is still relevant.

Carrying out a regular run through of the plan will help to identify problems that could impact on rapid recovery of critical systems and processes. Rehearsing ensures that employees are well prepared in the case of disaster. That means if you are hit by a worst case scenario tomorrow then you will be up and running again as quickly as possible.