Disaster Readiness Checklist: 15 Things Your Company Needs to Prevent & Recover From the Unexpected

Is your company ready for the unexpected?

In a sense, the answer has to be “no.” The “unexpected,” after all, is the set of unfortunate events that we don’t see coming. If there’s anything the past year has taught us, it’s that we can’t truly be ready for events outside the realm of our collective experience.

In another sense, however, it’s absolutely possible to prepare for the unexpected. It’s vital, in fact, at least for organizations that want to remain viable after disaster strikes — and eventually thrive once more.

Unfortunately, disasters come in many different forms that each necessitate a different combination of responses. We can think carefully about which types of disasters are most likely to affect our own organizations and take steps that we believe will prevent worst-case outcomes in each scenario, but we simply don’t have the resources to create bespoke disaster recovery plans for every single eventuality. We’ve got businesses to run.

That’s why it’s so important to have a general disaster readiness checklist to which you can turn when the unexpected does strike. Each of the 15 items on our list of disaster preparedness and recovery steps is designed to either prevent or mitigate serious impacts from the unexpected events that statistics and lived experience teach us will happen eventually. Read through it in its entirety, then get to work implementing each recommendation as you’re able.

1. Cloud-Based Disaster Recovery Capabilities

These days, even quintessentially “real world” disasters like fires and hurricanes don’t remain in the tangible realm. They affect organizations’ digital capabilities as well.

That’s where a robust cloud-based disaster recovery solution comes in. If and when digital disaster strikes, your organization needs to be in a position to recover with minimal downtime and data loss. Not least because your competitors have almost certainly armed themselves with such recovery capabilities already.

A best-in-class cloud-based disaster recovery solution should have these features and capabilities:

  • No special knowledge or technical capabilities needed to implement and maintain the solution
  • Flexible, customizable coverage that keeps up with your organization’s changing, growing needs
  • Multi-network coverage that doesn’t leave vital databases exposed
  • Non-disruptive testing that doesn’t impact everyday operations
  • Comprehensive execution monitoring that delivers real-time runbook views and execution history insights
  • Initial implementation in minutes

Your company’s future is too important to chance on “getting lucky” in the event of digital data loss. Get your cloud-based disaster recovery solution up and running today and get on with the more difficult-to-implement items on this list.

2. A Robust Corporate Firewall That Keeps Out Cyber Threats

Your corporate firewall is the first line of defense against external threats that could cripple your organization’s operations and cause permanent data loss (without a cloud-based disaster recovery solution, that is). But you don’t want to rely on that cloud-based disaster recovery solution to pick up the pieces, at least not entirely on its own. You’d certainly prefer to prevent the disaster entirely.

Speak with your in-house IT team or your external cybersecurity partner to determine the best course of action with regard to your corporate firewall. But don’t delay. As with your disaster recovery solution, every day you go without an adequate firewall is a day that you’re vulnerable to an attack that doesn’t need to happen.

3. A Plan to Deal With Ransomware

On the subject of attacks that don’t need to happen, your organization needs a scalable plan to deal with ransomware, one of the most common and destructive types of cyberattacks.

A comprehensive disaster recovery solution can certainly help minimize the impact of a successful ransomware attack. But it’s equally important to have a whole-organization response plan that ensures the initial victim — whoever that might be — doesn’t act in a way that gives undue advantage to the attacker or compromises the larger organization. Dealing with ransomware is possible with advance planning and the proper tools.

4. Protocols for Managing Suspicious Emails

By the same token, it’s vital that your organization have a process for identifying and managing suspicious emails. This process needs to go well beyond the standard-issue spam filters that come with your organization’s email suite. While those filters catch most phishing attempts, they’re not designed to protect against the really sophisticated threats that have the highest likelihood of success.

A process for managing suspicious emails should start with your chief information security officer (or equivalent, if that’s not a C-level position) and flow outward from there. Every single member of your team should know exactly what to do when they receive a suspicious email; there must be no room for error, lest a manageable threat turn into an unmitigated disaster.

5. A Robust Chain of Command for Disasters (And Everyday Situations Too)

Effective disaster management requires a clear chain of command. This chain need not be rigid in all situations, as not all disasters are alike. When the event is digital in origin, the CISO or equivalent is likely to run point on the response and recovery effort; for other types of events, the chief communications lead or corporate leader is a better fit to manage the response. The key is to have an undisputed chain of command with clearly defined roles for all participants in each type of disaster situation that could affect your organization. Once you know the nature of the threat, you can switch on the corresponding chain of command and get to work.

6. A Comprehensive Crisis Communications Plan

During a full-blown crisis, effective internal and external communication is every bit as important as an undisputed chain of command. In fact, crisis communications is a key aspect of the disaster response chain of command; it’s often inseparable from other facets of the response. An organization whose disparate parts don’t communicate effectively is unlikely to lead an efficient disaster response. One that doesn’t communicate effectively with the outside world is certain to create an information vacuum that those without the organization’s best interests at heart will only be too happy to fill.

7. An In-House Disaster Preparedness and Recovery Team

By themselves, a clear disaster response chain of command and a whole-organization crisis communications plan can do much to improve the efficacy of disaster response and recovery. But they’re not quite enough. To be truly prepared, your organization needs an in-house disaster preparedness and recovery team whose primary purpose is to contemplate and prepare for the threats your company could face. Embed members of this team inside the departments that will bear the most responsibility for response and recovery: information technology, human resources, communications.

8. A Detailed Understanding of Your Company’s Key Vulnerabilities

One of the core responsibilities of your disaster preparedness and recovery team is to create and maintain a dynamic list of your organization’s key vulnerabilities along with detailed plans for shrinking the “threat footprint” of each. While it’s a fool’s errand to predict with certainty which adverse events are most likely to cause your company grief at any point in time, there’s simply no excuse for your team not to have as much visibility as possible into the vulnerabilities that could turn a manageable problem into an unmitigated catastrophe.

9. A Go-To Source of Post-Disaster Financing

Disaster recovery ain’t cheap, although how “not cheap” depends to a great extent on the nature and severity of the disaster in question. Regardless of the actual price tag, which you won’t know for sure until months or even years after the event itself, your organization needs to have a robust source of post-disaster financing. More likely, that “source” will be a combination of several different sources coordinated and managed by your in-house finance team and external financial partners (such as your business lender and insurer).

10. Legal Services to Help Clean Up the Collateral Damage

Your organization probably has a law firm on speed dial. If it doesn’t, that’s another item to add to your disaster preparedness and recovery to-do list. Even if the threat you’re facing involves no obvious legal peril and isn’t grounds for you to commence legal action of your own, it’s a good idea to protect yourself in the event of second- or third-order liability or legal questions. If the threat is grounds for you to take legal action against another party or parties, or vice versa, the value of a trusted legal partner should be more than clear.

11. A Trusted Partner for Physical Cleanup and Recovery

On the matter of trusted partners: You’ll need at least one to help manage physical cleanup and recovery after a disaster that impacts your organization’s inventory, places of business, vehicles, or all three. Look for partners with a wide range of capabilities: fire, flood, burglary, storm, and so on. After a really serious disaster that causes severe damage to your company’s infrastructure, you may need to bring in a general contractor as well, in which case you’ll preside over less of a cleanup effort than a full-blown recovery campaign.

12. Adequate Insurance for the Full Range of Potential Threats

Just as your organization probably has a law firm on speed dial, it probably has a basic lineup of business insurance coverage. The real question is whether that coverage lineup is sufficient to address the full range of potential threats that could affect your organization’s operations and finances. And, if you’re being honest with yourself, the answer to that question might not be particularly comforting. It might be time for a chat with your insurance agent before too long.

13. A Comprehensive Dossier of Recovery Resources You Might Overlook

Financing, cleanup, insurance, legal services — these are the building blocks of disaster recovery. They’re not the only pieces of the puzzle, however. Other recovery resources could be no less vital to your organization’s long-term resilience.

Unfortunately, those resources are easy enough to overlook. SBA disaster recovery loans, local business grants, mutual aid — these are the sorts of disaster recovery tools that many capable business owners overlook. Before disaster strikes, task a member of your preparedness team with building a comprehensive dossier of such resources that you can turn to in a hurry.

14. A Team Devoted to “Lessons Learned” (Without Unduly Assigning Blame)

Once the acute phase of the disaster has passed, it’s okay to look back and try to make sense of what happened. That’s how you learn from the past and prepare for the future, after all. The balancing act here is straightforward: You want to extract “lessons learned” and understand what went wrong (to the extent that anything did) without assigning undue blame. The best way to do this is to have fact-finding and debriefing processes in place from the get-go, perhaps embedded within your crisis response or disaster preparedness teams.

15. Tools for Collecting and Keeping Track of Recovery-Related Receipts

Finally, a practical matter: collecting and organizing the immense volumes of receipts that an involved recovery effort is likely to produce. Some or all of these receipts may qualify for offsets from disaster relief aid. Even if not, you’ll need them to calculate credit draws and for tax purposes, among other needs. Fortune favors the well-organized accounting team, as they say.

Is Your Company Ready for the Unexpected?

Even the best-resourced organization can’t implement these 15 disaster prevention, preparedness, and recovery to-dos in a single week, or even a single quarter. Like any other big project, getting ready for the unexpected takes time. But it’s absolutely essential that it get done, and sooner rather than later.

Think of it this way. The unexpected will strike, sooner or later, and you want your company to be in the strongest possible position when it does. Whether it’s a targeted hack that affects only your organization or a natural disaster that wreaks havoc across a wide geographical area and affects your competitors too, your response — and the time it takes to get your business back on track — could set the course for your company’s success or failure for a long time to come. You’d be foolish not to give yourself every advantage on the road to recovery.

Ready? It’s time to stop worrying so much about what could happen and focus on what your team can do about it. Your organization and those whose livelihoods depend on it are too important to leave to fate.
