What You’ll Learn
- Why Every Nonprofit Needs a DR Plan
- Step 1: Conduct a Risk Assessment
- Step 2: Inventory and Prioritize Critical Systems
- Step 3: Define Your Recovery Objectives (RTO and RPO)
- Step 4: Design Your Backup Strategy
- Step 5: Document Recovery Procedures
- Step 6: Assign Roles and Responsibilities
- Step 7: Test, Review, and Maintain the Plan
- Frequently Asked Questions
- Your Next Steps
Why Every Nonprofit Needs a Disaster Recovery Plan
On a Friday afternoon, ransomware encrypts every file on your nonprofit’s network. Your donor database, financial records, grant documents, and client files are locked. The attacker demands $50,000 in cryptocurrency. Staff cannot access email. Your executive director is calling you from their personal phone asking: “What do we do?”
If you do not have a written disaster recovery plan, the honest answer is: “We figure it out as we go.” And that costs you days, weeks, or months of downtime, plus potential data loss, lost donor trust, and regulatory penalties.
According to BDO, 60% of nonprofits have experienced a cyberattack in the last two years, yet 68% lack a documented response plan. This gap between risk and preparedness is what a disaster recovery plan closes.
At Scottship Solutions, we have guided dozens of nonprofits through the DR planning process. Here are the seven steps that produce a plan your team can actually follow when it matters most.
Step 1: Conduct a Risk Assessment
Before you can plan for recovery, you need to know what you are recovering from. A risk assessment identifies the threats most likely to disrupt your operations and estimates their potential impact.
Common Risks for Nonprofits
| Risk | Likelihood | Potential Impact |
|---|---|---|
| Ransomware attack | High | Total system lockout for days to weeks |
| Hardware failure (server, storage) | Medium | Data loss if no backup; hours of downtime |
| Natural disaster (flood, fire, storm) | Low-Medium | Office destruction; total data loss without offsite backup |
| Cloud service outage | Medium | Temporary loss of access to email, CRM, files |
| Human error (accidental deletion) | High | Data loss if no versioning or backup |
| Power outage / ISP failure | Medium | Inability to work; missed deadlines |
Rank each risk by likelihood and impact. Focus your recovery planning on the scenarios most likely to occur and cause the greatest damage.
Step 2: Inventory and Prioritize Critical Systems
List every technology system your organization depends on, then rank them by how quickly each must be restored for operations to continue.
| Tier | System Examples | Recovery Priority |
|---|---|---|
| Tier 1: Mission-Critical | Email, donor CRM, financial/accounting system | Restore within 1-4 hours |
| Tier 2: Important | File storage, project management, phone system | Restore within 4-24 hours |
| Tier 3: Deferrable | Printers, internal wiki, non-critical apps | Restore within 24-72 hours |
This prioritization ensures that when a disaster occurs, your team knows exactly what to restore first. Do not try to bring everything back at once — restore in order of business impact.
Step 3: Define Your Recovery Objectives (RTO and RPO)
Two metrics drive every decision in your disaster recovery plan:
- Recovery Time Objective (RTO): The maximum acceptable time your systems can be down. If your RTO is 4 hours, your recovery plan must be designed to restore operations within 4 hours.
- Recovery Point Objective (RPO): The maximum amount of data you can afford to lose, measured in time. If your RPO is 1 hour, your backups must run at least hourly. If your RPO is 24 hours, daily backups are sufficient.
For most nonprofits, a starting point of RTO: 4-8 hours and RPO: 24 hours is realistic. Organizations providing direct client services (shelters, clinics, crisis lines) may need tighter objectives.
Step 4: Design Your Backup Strategy
Your backup strategy must support your RPO. Follow the 3-2-1 rule:
- 3 copies of all critical data
- 2 different storage types (e.g., local drive + cloud)
- 1 copy off-site (cloud backup or physically separate location)
Backup Decisions to Document
- What is backed up (full system images vs. specific files and databases)
- How often backups run (daily, hourly, continuous)
- Where backups are stored (cloud provider, off-site server, encrypted external drive)
- How long backup versions are retained (30 days, 90 days, 1 year)
- Who is responsible for monitoring backup success/failure alerts
- How restores are tested and how often
For detailed guidance on backup tools and costs, see our guide on backup and disaster recovery.
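To make the link between the RPO from Step 3 and the 3-2-1 rule concrete, the following added example (not from the original guide) audits a backup inventory against both. The inventory format, system names, media labels and timestamps are constructed, and counting the live data as one of the three copies is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def audit_backups(copies, rpo, now):
    """Check each system's copies against the 3-2-1 rule and its RPO.

    Returns {system: [finding, ...]}; an empty list means every check passed.
    """
    by_system = defaultdict(list)
    for c in copies:
        by_system[c["system"]].append(c)
    findings = {}
    for system, items in by_system.items():
        problems = []
        if len(items) < 3:
            problems.append(f"only {len(items)} copies, need 3")
        if len({c["media"] for c in items}) < 2:
            problems.append("only one storage type, need 2")
        if not any(c["offsite"] for c in items):
            problems.append("no off-site copy")
        # RPO: the newest successful backup bounds how much data can be lost.
        backups = [c["last_success"] for c in items if not c["primary"]]
        if not backups:
            problems.append("no backup copies")
        elif now - max(backups) > rpo[system]:
            problems.append(f"newest backup is {now - max(backups)} old, RPO is {rpo[system]}")
        findings[system] = problems
    return findings

# Constructed sample inventory: system names, media labels and times are made up.
NOW = datetime(2026, 1, 9, 15, 0)
RPO = {"donor-crm": timedelta(hours=24), "accounting": timedelta(hours=24)}

def row(system, media, offsite, last_success=None):
    """One inventory row; a row with no backup time is the live (primary) copy."""
    return {"system": system, "media": media, "offsite": offsite,
            "primary": last_success is None, "last_success": last_success}

COPIES = [
    row("donor-crm", "server-disk", False),
    row("donor-crm", "nas", False, datetime(2026, 1, 9, 2, 0)),
    row("donor-crm", "cloud", True, datetime(2026, 1, 8, 23, 0)),
    row("accounting", "server-disk", False),
    row("accounting", "external-drive", False, datetime(2026, 1, 6, 23, 0)),
]

if __name__ == "__main__":
    for system, problems in audit_backups(COPIES, RPO, NOW).items():
        print(system, "OK" if not problems else problems)
```

In the sample, the accounting system fails three checks at once: a single external drive in the office gives only two copies, no off-site copy, and a newest backup older than the 24-hour RPO.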
Step 5: Document Recovery Procedures
For each Tier 1 and Tier 2 system, write step-by-step recovery instructions. These should be clear enough that someone other than the person who set up the system can follow them.
What to Document for Each System
- System name and purpose
- Vendor contact information and support hours
- Where the backup is stored and how to access it
- Step-by-step restoration procedure
- Login credentials (reference your password manager — never put passwords in the DR plan document)
- Expected restoration time
- How to verify the system is working correctly after restoration
Store the DR plan in at least two locations: a printed copy accessible without internet, and a cloud copy accessible from any device. If your only copy is on the server that just crashed, you have a plan you cannot read.
Step 6: Assign Roles and Responsibilities
During a disaster, clarity of ownership prevents chaos. Define who does what before the crisis occurs.
- Incident Commander: Makes decisions, coordinates the response (usually ED or operations director)
- IT Recovery Lead: Executes technical recovery steps (IT staff or MSP contact)
- Communications Lead: Notifies staff, board, donors, clients (usually communications director)
- Legal/Compliance Contact: Advises on notification obligations if data was compromised
- Insurance Contact: Initiates cyber insurance claim if applicable
Include backup contacts for every role. If the IT Recovery Lead is unreachable, who is next? Document names, phone numbers, and personal email addresses (work email may be unavailable during a disaster).
Emergency Communication Channel
If your email and phone system are down, how will your team communicate? Designate an alternate channel: a group text thread, a personal WhatsApp group, or a pre-arranged phone tree. Test it before you need it.
Step 7: Test, Review, and Maintain the Plan
A disaster recovery plan that has never been tested is a document, not a plan. Build these tests into your annual calendar:
| Frequency | Test Type | What It Involves |
|---|---|---|
| Monthly | Backup restore test | Restore a random file from backup to verify it works |
| Quarterly | Tabletop exercise | Walk through a disaster scenario verbally with key staff |
| Annually | Full DR drill | Actually restore a critical system from backup in a test environment |
| After changes | Plan update | Update the plan whenever you add systems, change vendors, or onboard staff |
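One way to run the monthly restore test so that it proves the restored file is intact, as an added example that is not part of the original guide: record a SHA-256 manifest at backup time, then check randomly chosen restored files against it. The manifest format, function names and sample files are assumptions made for illustration.

```python
import hashlib
import random
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Record a SHA-256 per file at backup time, keyed by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root, sample_size=1, rng=random):
    """Check randomly chosen manifest entries against the restored files.

    Returns {relative_path: "ok" | "missing" | "mismatch"}.
    """
    chosen = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    results = {}
    for rel in chosen:
        restored = Path(restored_root) / rel
        if not restored.is_file():
            results[rel] = "missing"
        elif sha256_file(restored) != manifest[rel]:
            results[rel] = "mismatch"
        else:
            results[rel] = "ok"
    return results

def demo():
    """Constructed data: three files, one restored truncated, one not restored."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "live"), Path(tmp, "restored")
        files = {"donors.csv": b"id,name\n1,A\n",
                 "grants/2026.txt": b"award letter\n", "ledger.db": b"\x00" * 4096}
        for rel, data in files.items():
            for base in (src, dst):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        manifest = build_manifest(src)
        (dst / "ledger.db").write_bytes(b"\x00" * 100)  # truncated restore
        (dst / "grants/2026.txt").unlink()               # file never restored
        return verify_restore(manifest, dst, sample_size=3)
```

Comparing against a manifest taken at backup time, not against the live file, keeps the test meaningful when the live copy has changed or been encrypted since the backup ran.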
“A disaster recovery plan should include backup methods, frequency of backups, storage locations, and procedures for data restoration. But the plan is only as good as its last test.”
— Secureframe, Disaster Recovery Plan Template & Guide (2026)
Frequently Asked Questions
What are the steps in a disaster recovery plan for nonprofits?
The seven essential steps are: conduct a risk assessment, inventory and prioritize critical systems, define recovery time and recovery point objectives, design your backup strategy following the 3-2-1 rule, document step-by-step recovery procedures for each system, assign roles and responsibilities, and establish a testing and maintenance schedule.
How long does it take to create a nonprofit disaster recovery plan?
A basic DR plan can be created in 2-4 weeks with dedicated effort. The initial risk assessment and system inventory take about one week. Documenting recovery procedures takes another 1-2 weeks. Testing and refinement are ongoing. Working with an IT partner can accelerate the process significantly.
What is the difference between a disaster recovery plan and a business continuity plan?
A disaster recovery plan focuses specifically on restoring technology systems and data after an incident. A business continuity plan is broader — it covers how the entire organization continues operating during and after a disruption, including staffing, facilities, communications, and service delivery. DR is a component of business continuity.
How much does disaster recovery planning cost for a nonprofit?
The plan document itself costs nothing but staff time. Backup tools cost $5-$50 per user per month. Managed disaster recovery services cost $15-$50 per user per month. A one-time DR planning engagement with an IT partner typically costs $3,000-$10,000 depending on organization complexity.
How often should a disaster recovery plan be tested?
Test backup restores monthly, run tabletop exercises quarterly, and conduct a full DR drill annually. Update the plan whenever you change systems, vendors, or staff. A plan that has not been tested in over a year should be considered unreliable.
Your Next Steps
- Inventory your critical systems. List every system your organization depends on and rank them by recovery priority (Tier 1, 2, or 3).
- Define your RTO and RPO. How long can you be down? How much data can you lose? Write these numbers down — they drive every other decision.
- Verify your backups. Confirm that your critical data is being backed up automatically. Test a restore right now. If you cannot restore a file from last week in under 30 minutes, your backup strategy needs work.
- Write recovery procedures. For each Tier 1 system, document: where the backup is, who restores it, and the step-by-step process. Keep it simple and specific.
- Assign roles. Name your Incident Commander, IT Recovery Lead, and Communications Lead. Include backup contacts and personal phone numbers.
- Schedule your first test. Put a tabletop exercise on the calendar within 30 days. Walk through a ransomware scenario as a team.
- Get expert guidance. Schedule a consultation with Scottship Solutions. We help nonprofits build disaster recovery plans that are practical, testable, and right-sized for your organization.
Related Reading
- Disaster Recovery vs Data Backup — understand the difference before building your plan
- Cybersecurity Guide for Nonprofits — the security measures that reduce disaster risk in the first place
- Nonprofit IT Policy Guide — includes the incident response policy template referenced in Step 6
- Common IT Infrastructure Problems — the root causes behind many disaster recovery scenarios
Sources
- Secureframe — Disaster Recovery Plan Template, Examples & Why You Need One (2026)
- TechSoup — Nonprofit Disaster Planning and Recovery
- Cross the Divide — Steps to Effective Nonprofit Disaster Recovery Planning
- BDO — Cybersecurity for Nonprofits (60% attack rate, 68% lack response plans)
- FEMA — National Disaster Recovery Framework
At Scottship Solutions, we help nonprofits build disaster recovery plans that work. From tech stack audits that identify vulnerabilities to fractional CIO services that include DR oversight, our IT services cover the full lifecycle when you need them. From backup configuration and testing to complete DR planning and ongoing IT support, we make sure your organization can recover quickly and protect its mission. Schedule a consultation today.