Disaster Recovery Planning

The best way to prepare for a disaster is to avoid the disaster. Therefore, look for any potential problems you can find and correct them. You should address those issues that you can solve and which will provide benefit.

Some items to look for include:

    • Maintain good general housekeeping: Keep areas clean and free of obstructions and fire hazards. Remove any stored paper from common areas and store in restricted areas. Consider implementing a “clean desk policy”. In the same way that a large city phone directory does not burn as easily as loose paper, removing loose paper from desk tops to files at the end of the work day can reduce losses due to fire. This will also help to protect those documents from sprinkler discharge and other incidents.
    • Look for, and eliminate, any obviously overloaded electrical circuits. Employees may have installed non-business electrical appliances such as coffeepots, radios, space heaters and fans. These appliances can cause electrical fires by shorting out themselves or overloading circuits not designed for these appliances. Your facilities or building maintenance staff may be able to help you educate your staff regarding the problems these appliances can cause.
    • Observe physical security procedures in your facility, and encourage increased security when appropriate. Questions to ask include: Is your building open to the public? If you have restricted access, is “tailgating” allowed? If tailgating is not allowed, does it occur anyway?
    • Observe information security procedures regarding computers in your facility, and encourage increased security when appropriate. Questions to ask include: Does your staff have their passwords taped to their monitors? Are your laptop computers secured at the end of the workday? Does your staff leave their computers logged on to the network when they are away from their desks for extended periods such as lunch?

You may not have direct control over some of the above, but you can, and should, encourage those who do have authority to take appropriate action. Consider encouraging security-training sessions where appropriate.

Plan Orientation
The team plan has been developed by the Business Continuity Group to the point that it is almost ready for use. Team Leaders are responsible for part of the plan development process. The documents used in plan development, beside this guide, are the plan development checklist and the team plan. The information gathered in the Plan Development Guide is used to populate the team plan.

At the end of the process the team plan will be the only document you need to retain for use in a disaster.

Plan Development Checklist
The form is a tool to chart the progress in developing your business resumption plan. Each plan segment is listed with the development responsibility. Segments with “*” denote team level development responsibility.

The plan segments are broken out into three development modules listed below. The development tasks for modules one and two should take no more than one to two weeks to complete. Module three includes plan segments that are potentially more complex.

The Business Continuity Group will participate in a development meeting at the beginning of each module. Each plan segment will be discussed in detail. The discussion will include potential sources of information and the expected end result for each segment.

During each of the three development meetings the task duration and objective date will be established for each segment in that module. Development meetings 2 and 3 will also include a review of the completed segments in the previous module.

The final development meeting will be conducted after the plan segments in module 3 have been completed. This meeting will review the completed segments and also walk through a disaster recovery exercise.

The plan segments and modules are listed on the next page. The rest of this guide contains the individual modules and the data collection forms needed to complete each module.


Team Alert Description
Instructions for completing the form:

Following is information that should be included in the Team Alert List for each Team member:

    • Name
    • Home telephone number
    • Pager number, if available
    • Cellular telephone number, if available

For emergency

    • Contact
    • Relation
    • Phone number

For emergencies: “Contact” is the name of the person to call, “Relationship” relates to spouse, parent, son or daughter etc. “Phone” is the number where the person is most likely to be reached.

If team members do not have pagers or cellular phones – leave those entries blank.

Some staff members may be concerned about having their home information published. They may, for example, have an unlisted home number. It is essential that all employees provide a means to be contacted following an incident. These team members must be assured that this information will only be distributed on a “need to know” basis, and that the information will have limited access.

This information is most easily gathered by distributing the attached Team Alert List to the employees for them to complete. Accuracy of the information is most easily assured in this way. The information gathered can be keyed directly to the Team Alert List on page 2 of the plan.

Vendors Description

    • Product or service provided
    • Name of the vendor
    • Address
    • Contact person’s name
    • Contact phone numbers
    • Alternate names and numbers for the vendor
    • Comments

Product or service provided should be a description of the product or service provided to you. Along with “Comments”, this helps to indicate the reason that this vendor should be contacted following the event.

For some vendors, there may not be a specific contact person’s name to list. The “Service Representative on Call” may be appropriate response in some cases. In other cases, a title or department, such as “Sales Representative” or “Service Department” may suffice.

Contact phone numbers should include all possible ways to reach the vendor including fax, cellular, pager, after hours number if different from the normal number and toll-free numbers in addition to the normal number.

Alternate names and numbers should also be listed wherever possible. Alternate names are alternates to the primary contact person’s name, if listed.

Some vendors may not have 24-hour service. If your incident occurred on a Sunday afternoon, you might need to contact the vendor at that time. Discuss your concerns with the vendor representative to determine how to contact them during off-hours. After reassuring him or her that the information will have limited distribution, ask for home telephone numbers if cellular or pager numbers are not sufficient.

Comments can be used for any information significant to this vendor, such as the reason this vendor should be contacted following an incident, instructions the vendor would need or any appropriate notes.

Key Customers Description

    • Product or service you provide to them
    • Customer’s name
    • Address
    • Contact person’s name
    • Contact phone numbers
    • Alternate names and numbers for the customer
    • Comments

List only Key Customers, those who would need and expect personal notification from you. Include those customers who would be offended or take their business elsewhere if they were not contacted. Being pro-active in contacting important customers can go a long way in mitigating losses. Your Sales and Marketing Departments and others who could help in assuring the outside world that you have things under control should be listed here.

Specific information needed for Key Customers is the same as for Vendors.

Other Business Partners or Support Providers

When an incident occurs, you may need to contact some organizations that do not fall into one of the earlier categories. You should create a list of any of those additional entities too. Some of those entities include:

    • Emergency response agencies such as police, fire, utility companies, and the American Red Cross (if your community uses the 911 system, that should be documented).
    • Business Partners (internal and external) that are neither Vendors nor Customers. These could include internal business units who rely on your business unit for information, your management, and internal business units that would support your recovery. Examples include corporate insurance, internal security, facilities, public relations and human resources.

The information needed to contact these entities is the same as for Vendors or Key Customers.

Meeting Place Description
Select a place to meet in case your facility is unavailable. Make sure key people know the location, and have maps if necessary. This pre-defined meeting place will serve as a location for you and your key staff to plan your response to the incident.

In choosing this meeting place, think about any key resources you would need there, and consider its location. Some of the resources and location considerations are:

    • Location: When selecting your meeting place, consider its location relative to your normal work place and to the key staff members you would call together there. The location should not be so far away that staff members would have difficulty getting there. Conversely, it should not be so close to your normal work location that it could be affected by the same incident. For example, following certain incidents, authorities may block off several city blocks around the affected facility. If your meeting place is across the street from your normal work location, you might not be able to get to it in this situation.
    • Alternate Meeting Place: To solve the above issue, it is recommended that you select at least two possible meeting locations. Your primary location could be close to your facility, and be used if access is possible. Your alternate location should be further away, ensuring availability if your primary location is not accessible.
    • Vulnerabilities: When selecting a location for your meeting place, especially for your alternate location, be sure to consider the types of vulnerabilities you have. For example, your meeting place should be inland. If your primary location is near a river, your meeting location should be on high ground. If your primary location is near an earthquake fault, your meeting location should be at a reasonable distance away from that fault line.
    • Communications capability: Since the ability to communicate with others is essential to effectively respond to any incident, make sure that the location you choose has enough telephones for your needs. If you have a cellular phone, you should plan to take it with you to this meeting place as another means of communication, and in the case regular phones are not working.
      If you have a portable/laptop computer with Internet or e-mail capabilities, your meeting place should have the capability to connect that computer as well. Assuming your laptop computer was not in the affected building, you should plan to take that laptop to the meeting place too.
    • Size of the Facility: The location you choose should be big enough for the number of people that expect to congregate there. This is not an alternate place for your staff to work, though, only a place for you and your key staff to discuss your plan of action in response to the event, and to manage your recovery efforts. Therefore, it does not need to be so big that your entire staff can work there if your facility is affected. The alternate work location will come later when your complete Business Continuity Plan is documented.

Types of facilities to consider when selecting a meeting place include:

    • Another company facility
    • A hotel, convention center, or other public facility.

When documenting your meeting place, you should include its name, street address, who to contact to get in, and any security requirements. You should also consider appending a map to the location and a floor plan of the facility if they are not well known to the staff.

Privacy and Trust News


The Rise of Smart Gadgets in the UK

Securing the Internet of Things: The UK's Pioneering Legislation In an era where the proliferation of smart devices continuously reshapes our daily lives, the UK government has taken a significant step to bolster cybersecurity with a groundbreaking new law. As the...

Read More

Helping your business exceed the compliance standard.

Our team of experienced privacy attorneys & certified privacy professionals have a proven track record of delivering privacy frameworks and data privacy solutions, tailored to your business needs.