Business Continuity and Disaster Recovery Checklist

Threats to your business operations come in many forms, from hurricanes and fires to cyberattacks on your company’s network. Conducting a risk assessment and putting a business continuity plan in place now might mean the difference between hours out of operation and days out of operation. Disaster recovery – a company’s ability to save and restore its data – is a critical part of business continuity planning. This checklist can help your company assess its readiness.

Take steps now to prevent and plan for a disaster

  • Assign an employee with sufficient seniority and skill to “own” business continuity and disaster preparation and recovery
  • Conduct a risk analysis, to identify the most likely risks and the impact of each on critical operations
  • Conduct a security analysis, to determine the company’s resiliency for each risk as to critical operations
  • Build and implement a business continuity / disaster recovery plan, and update and train employees on it periodically
  • Appoint and train a business continuity team to lead response efforts
  • Select external business continuity / disaster response partners, including information technology consultants and attorneys, and inform them of their role
  • Discuss disaster preparation with key suppliers and customers
  • Assess network security
  • Assess data backup and recovery systems
  • Assess alternate communications methods for email or phone outages and compromises
  • Assess cash management needs during a disaster, including with the company’s bank
  • Assess insurance coverage, particularly for business interruption
  • Identify alternative operational locations
  • Maintain contact lists of key customers and vendors, and copies of key agreements with each
  • Maintain an inventory of all equipment
  • Identify options for accommodation (hotels, etc.) and provisions (food & drink, etc.) during disaster operations

During a disaster, implement the plan

  • Notify and assemble the business continuity team
  • Implement the business continuity / disaster recovery plan
  • Make appropriate warning, evacuation, or other initial communication to employees
  • Commence physical mitigation, focusing on employee and public safety
  • Commence technical mitigation, focusing on critical systems
  • Implement alternate communications methods
  • Activate redundant or alternate information systems (“failover”)
  • Notify external partners for assistance with containment and remediation (including counsel for attorney-client privilege considerations)
  • Communicate regularly with employees, suppliers, customers, and vendors
  • Notify insurance brokers and carriers
  • Notify law enforcement as appropriate
  • Preserve records of the disaster and mitigation efforts

After a disaster, improve the plan

  • Continue communication efforts, both internal and external
  • Document damages to systems, physical plant, and revenue
  • Bring the day-to-day information systems back online, integrating with your disaster recovery systems (“failback”)
  • Consider any regulatory reporting obligations
  • Assess liabilities and remedies under contracts with suppliers, customers, and vendors
  • Assess insurance coverage
  • Evaluate effectiveness of prevention, mitigation, and backup tools
  • Hold a “lessons learned” meeting of disaster recovery team
  • Revise business continuity / disaster recovery plan as appropriate