Although specific disaster recovery plan formats may vary, the structure of a disaster recovery plan should include several features:
Goals
A statement of goals will outline what the organization wants to achieve during or after a disaster, including the recovery time objective (RTO) and the recovery point objective (RPO). The recovery point objective refers to how much data (in terms of the most recent changes) the company is willing to lose after a disaster occurs. For example, an RPO might be to lose no more than one hour of data, which means data backups must occur at least every hour to meet this objective.
Recovery time objective or RTO refers to the acceptable downtime after an outage before business processes and systems must be restored to operation. For example, the business must be able to return to operations within 4 hours in order to avoid unacceptable impacts to business continuity.
Personnel
Every disaster recovery plan must detail the personnel who are responsible for the execution of the DR plan, and make provisions for individual people becoming unavailable.
IT inventory
An updated IT inventory must list the details about all hardware and software assets, as well as any cloud services necessary for the company’s operation, including whether or not they are business critical, and whether they are owned, leased, or used as a service.
Backup procedures
The DRP must set forth how each data resource is backed up – exactly where, on which devices and in which folders, and how the team should recover each resource from backup.
Disaster recovery procedures
These specific procedures, distinct from backup procedures, should detail all emergency responses, including last-minute backups, mitigation procedures, limitation of damages, and eradication of cybersecurity threats.
Disaster recovery sites
Any robust disaster recovery plan should designate a hot disaster recovery site. Located remotely, all data can be frequently backed up to or replicated at a hot disaster recovery site — an alternative data center holding all critical systems. This way, when disaster strikes, operations can be instantly switched over to the hot site.
Restoration procedures
Finally, follow best practices to ensure a disaster recovery plan includes detailed restoration procedures for recovering from a loss of full systems operations. In other words, every detail to get each aspect of the business back online should be in the plan, even if you start with a disaster recovery plan template. Here are some procedures to consider at each step.
Include not just objectives such as the results of risk analysis and RPOs, RTOs, and SLAs, but also a structured approach for meeting these goals. The DRP must address each type of downtime and disaster with a step-by-step plan, including data loss, flooding, natural disasters, power outages, ransomware, server failure, site-wide outages, and other issues. Be sure to enrich any IT disaster recovery plan template with these critical details.
Create a list of IT staff including contact information, roles, and responsibilities. Ensure each team member is familiar with the company disaster recovery plan before it is needed so that individual team members have the necessary access levels and passwords to meet their responsibilities. Always designate alternates for any emergency, even if you think your team can’t be affected.
Address business continuity planning and disaster recovery by providing details about mission-critical applications in your DRP. Include accountable parties for both troubleshooting any issues and ensuring operations are running smoothly. If your organization will use cloud backup services or disaster recovery services, vendor name and contact information, and a list of authorized employees who can request support during a disaster should be in the plan; ideally the vendor and organizational contacts should know of each other.
Media communication best practices are also part of a robust disaster recovery and business continuity plan. A designated public relations contact and media plan are particularly useful to high profile organizations, enterprises, and users who need 24/7 availability, such as government agencies or healthcare providers. Look for disaster recovery plan examples in your industry or vertical for specific best practices and language.
Overview
In March 2018, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) issued a newsletter entitled, “Plan A… B… Contingency Plan!” While contingency plans are already required under the HIPAA Security Rule1, OCR’s newsletter provides guidance regarding the importance and required elements of contingency plans. “The purpose of any contingency plan is to allow an organization to return to its daily operations as quickly as possible after an unforeseen event. The contingency plan protects resources, minimizes customer inconvenience and identifies key staff, assigning specific responsibilities in the context of the recovery.”2
Contingency plans are not only necessary to respond to natural disasters, but cyberattacks as well. “Cyberattacks using malicious software such as ransomware may render an organization’s data unreadable or unusable.”3 Restoring an entity’s data from backups may be the only option to recover the data and maintain normal business operations. Therefore, having a contingency plan in place is crucial for entities, especially covered entities who store protected health information.
A contingency plan sets forth step-by-step guidance on how to respond in an emergency and recover or maintain normal business operations.
The requirements for a HIPAA contingency plan are as follows:
(1) Disaster Recovery Plan that seeks to restore an organization’s protected health data; (2) Emergency Mode Operation Plan that seeks to maintain and protect critical functions that protect the security of protected health data; and
(3) Data Backup Plan that is focused on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption.4
As part of the HIPAA contingency plan, it is crucial to identify what applications and data are critical for the contingency plan, to test the contingency plan, and revise any identified deficiencies.
When implementing a contingency plan, it is necessary to establish guidelines and procedures, such as:
(1) Maintain critical operations and minimize loss. (2) Define time periods – What must be done during the first hour, day, or week? (3) Establish plan activation – What events will cause the activation of the contingency plan and who has the authority to activate the contingency plan?
(4) Use plain language – The plan should be understandable to all levels of employees.5
When a contingency plan is created and implemented into the organization, communicate the plan with the organization and explain the responsibilities under the plan, set a test schedule for the plan to identify any issues and the effectiveness of the plan, and review the plan on a regular basis, especially when there are any organizational changes that may affect the plan.
Create a contingency plan now. Do not wait for an emergency to happen. For additional information regarding contingency plans, see:
• OCR: //www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf?language=es
• National Institute of Standards and Technology (NIST):
//csrc.nist.gov/Topics/Security-and-Privacy/security-programs-and-operations/contingency-planning
//csrc.nist.gov/publications/detail/sp/800-34/rev-1/final (SP 800‐34 rev1 and Supplemental Material)
• Assistant Secretary for Preparedness and Response:
//www.phe.gov/Preparedness/planning/hpp/reports/Documents/hc-coop2-recovery.pdf
If you have any questions regarding HIPAA contingency plans, please contact Stacy Walton Long at or Stephanie T. Eckerle at , or your regular Krieg DeVault attorney.
1 45 CFR § 164.308(a)(7).
2 //www.hhs.gov/sites/default/files/march-2018-ocr-cyber-newsletter-contingency-planning.pdf.
3 Id.
4 //www.hhs.gov/sites/default/files/march-2018-ocr-cyber-newsletter-contingency-planning.pdf.
5 Id.
“In preparing for battle I have always found that plans are useless, but planning is indispensable.” ― Dwight D. Eisenhower
While we all want to be successful, failures are a part and parcel of life. While some challenges are unavoidable, most can be dealt with a little planning on our part.
A natural disaster like a flood or an earthquake can destroy your office in a second, your largest client can move on to your competitor, your database can get hacked or your system can crash- the possibilities are endless when you really pause and reflect.
While we often forget that things can go sideways in a second, especially if everything has been good for a while, a smart businessman prepares for the untimely failure.
These people always have a “Plan B”- a contingency plan- for when their primary plan doesn’t execute as intended. Having a contingency plan can be crucial for your business as it can help you avoid disasters and ensure the smooth execution of your business plans.
Without a contingency plan in place, the chances of your business/project’s success can reduce significantly. Let us first briefly understand what a contingency plan really is, why is it important, and how to create a contingency plan quickly. Read on…
What is a Contingency Plan? (Definition & Meaning)
A contingency plan is a strategic plan created by executives or management to help a business tackle an unfavorable event that may or may not happen in the future. A contingency plan is put in place to reduce business risk, fasten disaster recovery, and to ensure the smooth execution of business processes.
Having a contingency plan minimizes the impact of unforeseen events and outlines a plan for carrying out normal business workflow without any disruption. A contingency plan is commonly known as a backup plan, a disaster recovery plan, or fondly, “plan B”.
While some companies are smart enough to create contingency plans for almost all challenges they can think of, others slack off thinking things are good for now and they don’t need to focus on something that may or may not happen in the future. If you fall into the second category, check out the reasons why every company should have a contingency plan in place.
Read more: Information Security Plan: What is it & How to Create it?
Why a Contingency Plan is Important?
A contingency plan is crucial as, without one, you are exposing your business to a wide variety of avoidable risks. Here are a few reasons why every business needs a contingency plan:
Helps minimize damage: When there is a plan B in place, you are in a better position to react to events and minimize damage. For example, if you already have a disaster management plan in place, you can quickly execute it in case there’s an earthquake in your area. This, in turn, allows you to quickly evacuate the building without impeding harm to you and your employees.
Improved Reactivity: The primary reason for planning is the improved reactivity it brings to the table. As a contingency plan clearly lays action steps one needs to take to overcome the obstacle, you can quickly react to the situation without thinking about it too much or worse, panicking.
Bounce back quickly: Since you know exactly what to do when a disaster strikes, you can quickly tackle any challenge and bounce back to normal in no time. Contingency plans, therefore, ensure your progress is not hampered for longer than necessary.
Gives you confidence: Once you have a plan in place for tackling any challenge life throws your way, things become a lot easier to handle. Having a contingency plan in place helps boost your and your team’s confidence as you already know what to do in case disaster strikes. Being prepared reduces ambiguity and fear of the unknown.
Now that we know the importance of creating a contingency plan, it’s time to put that knowledge to good use and learn how to create a contingency plan easily…
Read more: Action Plan: What, Why & How to Write it?
How to Make a Contingency Plan Easily? Follow these Steps!
An effective business contingency plan is based on good research and brainstorming. Here are the steps you need to follow in a contingency planning process.
Step 1: Brainstorm and list down the key risks
You cannot prepare for something if you don’t really know what you’re preparing for. Gather your team around and brainstorm potential events that can have a negative impact on your business or upcoming project.
Consider all the possible risks to your business, including security failures, natural disasters, sudden changes to personnel, and more.
Make sure to involve managers, team leads, subject matter experts i.e. people from all departments to ensure you are preparing for the entire organization and not just your team.
You can use a mind map to arrange and categorize the list of risks from your brainstorming session and share it with the organization for further suggestions or feedback.
Step 2: Prioritize the Risks
Once you are done creating a list of probable risks that could occur in various parts of your business, it’s time to start prioritizing them based on their possible impact.
While it’s okay to prepare for an earthquake, if your area experiences very few of them, it makes sense to put “earthquake preparation” down your list and focus more on events that have a higher probability of occurring.
Step 3: Identify and Gather Resources
Next, make a list of important resources your company has access to and can use in times of a disaster. Resources can be anything from labor and tools to software and emergency contact details. Prioritize this list in order of importance.
Step 4: Start Creating Contingency Plans for Every Event
Different business risks will require different contingency plans. Once you have prioritized your list of potential risks, you should also prioritize your plans and create contingency plans for the most significant potential threats to your business. Your key focus should be on minimizing losses.
Your contingency plan should include a step by step guideline for what to do in case the event has occurred and how to handle the situation. Furthermore, it should also include information about the key personnel to reach out to including their up to date contact information.
Step 5: Share the plan with your team
Once you have created the contingency plans, make sure they are easily accessible to all employees and important stakeholders. You can store your contingency plans in your document management system like Bit.ai and ensure every employee has access to it.
Step 6: Revisit the Plan
A contingency plan is not written in stone. A good contingency plan is the one that constantly gets reviewed and revisited, allowing managers to make appropriate changes as and when required. As new employees, software, processes, or ways of doing business enter the picture, your contingency plan must be updated to reflect the same.
Create Contingency Plan With Ease Using Bit
Documentation is a key part of creating contingency plans, which is why smart managers use a documentation tool like Bit to create sound, collaborative, and interactive contingency plans for their team.
Simply create a workspace, add your team members, and start creating your contingency plan documents quickly! You can further share these documents with external clients, partners, sub-contractors, etc.
Here are some of the main benefits of using Bit:
- Lean yet powerful editor: Bit’s minimal editor allows you to focus on your work yet is powerful enough to support all your editing needs.
- Smart workspaces and folders: Bring all your work documents and files in one place by organizing information in workspaces and folders.
- Real-time collaboration: Collaborate in real-time using @mentions and highlight features as every document comes with its separate comment stream.
- Content Library: Store and share media assets like images, files, videos, PDFs, and content easily and can access it at any point.
- Rich embed options: Bit.ai integrates with over 100+ web applications (Ex: PDFs, LucidChart, YouTube, Google Drive, etc.) to help you create media-rich and interactive contingency plans or other workplace documents.
- Smart search: Search any information quickly with Bit’s smart search. You can search for folders, files, documents, and content inside your documents across all of your workspaces.
- Interlink documents: Create unlimited documents and interlink them to create robust internal wikis.
- Templates: Hundreds of amazing templates that cut your work in half and help you kickstart your work quickly.
Our team at bit.ai has created a few more templates to make your business processes more efficient. Make sure to check them out before you go, your team might need them!
Over to you!
That’s it, folks! We have covered everything there’s to know about contingency plans. We are sure you already brainstorming the potential risks your business can face in the future and coming up with a plan in mind while reading this! Start by listing down all major events that can occur, prioritize them based on their impact, and create contingency plans describing what to do to counter them.
Need more advice? Reach out to us at @bit_docs and we’d be happy to help! Cheers.
Further reads:
Cost Management Plan: What, Why, and How?
Risk Register: Definition, Importance, and Elements!
Crisis Management Plan: Definition, Types & Steps to Create!
Tactical Plan: What is it & How to Create an Effective One?
Quality Management Plan: What is it and How to Create it?
Procurement Management Plan: What, Why, and How to Create?
Business Continuity Plan: What, Why & How to Create it?
Risk Management Plan: What, Why, and How to Write?