Top Five Steps for SMBs to Prepare for IT Disasters

You read about it every day: disasters that strike the IT systems of small and medium-sized businesses. These range from natural disasters like floods and tornadoes to simple power surges that cripple and kill servers. Not to forget the threat of viruses, malware and hackers waiting to take down your server systems.

Follow the five steps below to get solid disaster prevention and recovery in place:

  1. Validate the need
  2. Analyze the business impact of disaster events
  3. Calculate the ROI
  4. Plan your strategy
  5. Test the plan

When it comes to disaster prevention and recovery, the old saying ‘plan for the worst and hope for the best’ is a good starting point. It is no more than that, though: hoping is not sufficient when business-critical information and data are at stake.

Validate The Need

Potential loss of data is one of the biggest concerns and risks for SMBs today. The typical strategy to overcome this risk is diligent data backups, which keep data loss to a minimum and make business continuity and disaster recovery possible.

Corporate computer systems like servers and laptops typically contain a lot of data, much of it confidential, that is critical for ongoing business operations. In today’s business environment backups alone are hardly enough: it is no longer only about backing up data so it can be restored, but also about rapidly recovering a system as a whole, including its applications.

Analyze the Business Impact of Disaster Events

The analysis of the business impact of a disaster event is the cornerstone of a disaster recovery plan. The analysis will specify the priority order of the systems that need to be recovered.

The place to start is to identify the most crucial systems and processes. Then gauge the impact that an outage of these systems and processes has on the business overall. Try to rate these on a number scale, e.g. from 1 to 10. The systems and processes with the highest level of disruption have the highest priority and need to be recovered/restored immediately. These impact priorities are different for every organization and thus can’t simply be copied and pasted from anywhere.

The analysis will produce a prioritized list of systems and processes which tells you what to restore first. You might want to address the following questions when you create your analysis:

  • What are the systems, applications, networks, facilities, etc. that are essential to perform the most important business aspects?
  • Who are the key people responsible for these functions/business processes?
  • How important are these functions to the organization? Think of this in terms of the health of the company, its reputation, finances, etc.
  • What supporting assets are needed to perform these functions?
  • What other dependencies (outside vendors, connectivity, etc.) are necessary to perform these functions?
  • How long can each of these functions be unavailable?
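
The prioritization described above can be turned into a restore order in code. The following is an added example, not part of the original article; the system names, ratings and dependencies are constructed sample data. It goes one step beyond a plain sort by impact score: a system is never scheduled before the systems it depends on, and a dependency inherits the urgency of whatever relies on it.

```python
import heapq

# Constructed sample inventory (not from the article). impact = 1-10 rating,
# max_outage_h = tolerable downtime, depends_on = what must be running first.
SYSTEMS = {
    "billing-app":   {"impact": 9, "max_outage_h": 4,  "depends_on": ["database", "network"]},
    "database":      {"impact": 6, "max_outage_h": 8,  "depends_on": ["network"]},
    "network":       {"impact": 5, "max_outage_h": 8,  "depends_on": []},
    "email":         {"impact": 7, "max_outage_h": 24, "depends_on": ["network"]},
    "file-share":    {"impact": 4, "max_outage_h": 48, "depends_on": ["network"]},
    "intranet-wiki": {"impact": 2, "max_outage_h": 72, "depends_on": ["network", "database"]},
}

def effective_ratings(systems):
    """Each system inherits the highest impact and the shortest tolerable
    outage of anything that (directly or indirectly) depends on it."""
    eff = {n: (s["impact"], s["max_outage_h"]) for n, s in systems.items()}
    changed = True
    while changed:  # repeat until ratings stop propagating down the chain
        changed = False
        for name, s in systems.items():
            for dep in s["depends_on"]:
                merged = (max(eff[dep][0], eff[name][0]), min(eff[dep][1], eff[name][1]))
                if merged != eff[dep]:
                    eff[dep], changed = merged, True
    return eff

def recovery_order(systems):
    """Restore order: dependencies first, then highest impact, then shortest outage."""
    for name, s in systems.items():
        missing = [d for d in s["depends_on"] if d not in systems]
        if missing:
            raise ValueError(f"{name} depends on unlisted system(s): {missing}")
    eff = effective_ratings(systems)
    waiting = {n: set(s["depends_on"]) for n, s in systems.items()}
    ready = [(-eff[n][0], eff[n][1], n) for n, w in waiting.items() if not w]
    heapq.heapify(ready)
    order = []
    while ready:
        name = heapq.heappop(ready)[2]
        order.append(name)
        for other, w in waiting.items():
            if name in w:
                w.discard(name)
                if not w:
                    heapq.heappush(ready, (-eff[other][0], eff[other][1], other))
    if len(order) != len(systems):  # leftovers can only mean a dependency loop
        raise ValueError(f"circular dependency among: {sorted(set(systems) - set(order))}")
    return order
```

Sorting the sample data by raw impact score alone would put the billing application ahead of the database and network it cannot run without; `recovery_order(SYSTEMS)` places those two first.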

Calculate the ROI

Now that the possible risks have been identified and prioritized, it is necessary to calculate the return on investment (ROI). This allows you to justify the investment needed to reduce the operational impact of disaster events. The formula to calculate this ROI is pretty simple:

ROI = (Benefits – Costs)/Costs

In the simplest case, the benefits are the revenue/profits you lose while your business is down. Break that value down to a specific hourly number. Take for example a legal office with 10 attorneys who charge $200 per hour and work 10 hours per day. That would mean that a full day with no revenue generated is worth $20,000.

The cost on the other hand is the implementation cost of your DR solution as well as additional costs. These costs can be soft costs (lost reputation) as well as hard costs like rent, salaries, etc.

In a simple scenario you might have to purchase a DR solution that will cost you $10,000. Your benefits are $20,000 per day:

ROI = ($20,000 – $10,000)/$10,000 = 1

This means that if you recover within one day of a disaster you achieve a positive ROI. If you typically have more than one day of downtime due to disaster per year, you will make a real profit by implementing such a DR solution!

Plan Your Strategy

With all this information at hand you are now ready to create a disaster recovery plan. The plan will formulate the recovery sequence and prioritize your assets in order to keep your business operational. The plan also needs to include the tactical details (e.g. whom to contact, how to start a specific restore) that are necessary to execute it quickly and without fail.

It should specifically address the following items:

  • Specify any necessary information access
  • Describe in detail the prioritized recovery procedures
  • Document the overall recovery process and each process by itself in detail

Test The Plan

At this time you have a solid plan to recover from a disaster with minimal downtime. However, it’s only theory. You will have to actually test the plan by simulating disasters. These tests should be done regularly, as they will not only prove that the plan works but will also highlight changes the plan needs in order to keep up with updated business processes, etc.

Testing the plan also means that involved staff will be a lot more confident in their capability to overcome a disaster as they have performed the necessary tasks before. A plan will not be worth anything if your employees don’t know the plan or have to start reading it in the event of a disaster!

You want to run through the plan with key staff members about once a quarter. At that time you don’t have to really perform all the recovery steps but you should play them through. At least once a year you should have a live test where you perform all necessary steps to recover from a disaster.

Technology that we use and that we are dependent on is not flawless. Your IT infrastructure can break at any time and you need to be able to recover as fast as your business requires. A managed IT provider is capable of developing a DR plan with you and putting the necessary DR devices like BDRs in place that will allow you to recover from disaster as quickly as necessary for your organization.
