Backup copies of critical data should be kept in a media safe.
The justification for a disaster recovery plan is that disasters happen all the time. Without a proper plan, a business may be unable to continue after the disaster. Insurance usually covers the physical losses to a business, but not the information losses or lost operating time, business, reputation, people, customers, and cash flow. Because information lends itself to being duplicated, it is a fairly easy matter to make usable backup copies of information and store them in locations that are unlikely to be affected by a disaster at the data's normal location. Similarly, most computer hardware can be replaced readily and on reasonably short notice if its replacement is planned in advance. More rapid recovery of information technology and are advised if significant challenges or expenses would result from the loss of all IT capabilities and records. This is strictly a small investment in exchange for slightly reduced cost and increased convenience in case of a disaster.
Off-site copies of backups should be kept and a tested process for getting things going again should be in place.
For businesses in which there is a medium impact of information technology on operations, some sort of disaster recovery plan is strongly advised. If timeliness is important, for example, if product support requires computer access in order to answer questions that are asked 24x7 from customers in immediate need of help, outages can only be allowed to cause delays on rare occasions and for relatively short time periods. This means that, in a disaster, a rapid recovery process is needed, but it does not call for a secondary real-time backup site if the business impact of an IT failure isn't large enough to be worth the extra expense of a full-time redundant site. Business services will be down for hours to a day on rare occasions. In cases with less of a timeliness requirement, businesses can afford to be less prepared and spend less time, effort, and money on disaster recovery planning and preparation.
A pre-arranged set of computer and human resources should be available for use in a short time frame.
For businesses in which IT is high impact, the loss of IT capabilities is very expensive, perhaps life threatening, and could lead to business collapse. In these cases, disaster recovery must be done within required time frames, so higher surety and higher cost options are called for. If the IT is critical but time is not very important, the key is having a good set of backups that are well protected. This means that off-site copies of backups and a tested process for getting things going again in the required time frame for business continuity are necessary. In cases where only days to a week are available for recovery to normal operation, it may become questionable as to whether a proper set of hardware can be located and put in place at a reasonable cost in the necessary time. For that reason, depending on the hardware requirements, availability, and time, a pre-arranged set of computer resources may have to be available for use in a short time frame. For example, this is common in substantial insurance businesses, where instant availability is not critical, but confidence will be lost in a few days if service cannot be restored, and where systems typically in use are not available at any local office supply store.
Multiple sites with redundant operational capabilities should be used.
In cases when time is of the essence, this is a necessary approach. For example, banks cannot sustain outages of some systems for time frames on the order of hours without risking enormous losses. If a bank cannot clear transactions with the Federal Reserve system by the start of the next business day, they can lose enormous sums of money in interest alone.