Documents for your disaster recovery management can be important in two ways. The first, naturally, is to hold details of how to react if disaster strikes. The DR plan must be clear, practical, effective, tested and available to those who need to put it into action. The second, on the other hand, is often overlooked: being able to prove, after a disaster has occurred, that your organisation took reasonable steps to put DR procedures and resources in place. Disaster recovery often does not end when IT systems are up and running again. There may be legal and reputational repercussions to deal with as well.
Different factors can affect these ramifications of a disaster recovery. Your organisation may be bound to observe various government or industry regulations. An IT disaster may involve the destruction or unavailability of conformance information, or the exposure or breach of confidential data. However, other entities can try to take legal action too. Customers may claim that their own business suffered prejudice because your organisation was unable to provide products or services on which they depended while your IT disaster was happening. And whatever the grounds for making such claims, your organisation’s reputation remains fragile in the face of suggestions of negligence or incompetence in foreseeing and dealing with IT risks and incidents.
Documents that prove you planned and managed properly for such events can go a long way to calm down officials, customers and lawyers. These documents should show that you properly identified and assessed the relevant risks, that you put appropriate measures in place and that you tested those measures to show they would be effective. Your disaster recovery plan will be a key element, together with auditor reports, test reports and current certificates of conformance to standards pertaining to DR. And remember to make sure you have secure and readily accessible back-up copies of them all!