DR Runbook Report

Service or system:

Use the name responders and business owners will recognize during an incident.

Recovery tier:

Choose the priority tier agreed through business impact analysis or service ownership.

Disaster scenario:

Pick the failure mode this runbook is meant to handle first.

Recovery strategy:

Use the strategy the service has actually built, not the one planned for a future architecture.

Recovery time objective:

Enter the RTO agreed by the business owner or continuity plan.

Recovery point objective:

Use the data-loss target the backup or replication design can prove.

Primary environment:

Be specific enough that responders know the failed source environment.

Recovery environment:

Name the destination that will carry service while the primary environment is unavailable.

Runbook owner:

Use a role when the assigned person changes by rota.

Activation authority:

This appears in the declaration and rollback decision sections.

Dependencies:

Include identity, DNS, databases, queues, object storage, network paths, vendors, and monitoring sources.

Failover steps:

Keep every step observable and reversible where possible.

Validation checks:

These become acceptance criteria before declaring the service recovered.

Restore or failback steps:

Include data resync, traffic return, monitoring, and closeout evidence.

Communications and escalation:

Add the bridge, business owner, service desk, vendor, on-call, and executive update path.

Fix before using the runbook

{{ error }}

Backup evidence:

This drives the data protection gate and post-exercise notes.

Replication health:

For backup-only recovery, Complete means restore evidence proves the data point.

Privileged access and secrets:

Mark Complete only when responders have verified access without depending on the failed environment.

Monitoring coverage:

Monitoring appears in the recovery-mode and closeout sections.

Last DR exercise:

Use the last tabletop, restore drill, game day, or full failover test date.

Exercise cadence:

Choose the cadence expected by the service owner or compliance program.

Data integrity proof:

When enabled, the validation gate expects explicit data-integrity evidence.

Recovery-mode operating notes:

One note per line; these become recovery-mode operating instructions.

{{ result.runbookText }}

{{ header }}	Copy
{{ cell }}
No rows for the current runbook.

Export to PDF Fullscreen

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

A disaster recovery runbook turns a high-pressure service outage into a controlled sequence of decisions, checks, owners, and evidence. It is most useful when the service already has agreed recovery objectives, known dependencies, a tested recovery environment, and a clear authority for declaring disaster recovery.

The two most important planning targets are recovery time objective (RTO) and recovery point objective (RPO). RTO is the maximum acceptable downtime for the service. RPO is the maximum acceptable data-loss window. Both targets should come from business impact analysis or service ownership, because a technical team can restore systems only to the level the architecture, data protection, access paths, and exercises can support.

Primary system facts, recovery objectives, recovery actions, validation evidence, and readiness gates becoming a disaster recovery runbook record.

A runbook is not the same thing as a promise of recovery. It records the plan responders intend to execute, the evidence they need, and the stop cues that should slow a risky failover. Real readiness still depends on restore tests, replication health, privileged access that survives the outage, monitoring that can see the recovery environment, and a communication path that reaches the right owners under pressure.

A good DR report should leave a review trail. It should show what service is being recovered, which disaster scenario is in scope, which dependencies must be checked, what validation proves the service is usable, and what must happen before failback or closeout.

Technical Details:

Disaster recovery planning joins business tolerance with technical evidence. A Tier 0 or Tier 1 service may need short downtime and low data-loss targets, but those targets are credible only when the recovery strategy, standby capacity, replication or backup design, access paths, and validation checks have been exercised.

Recovery strategies differ mainly in how much work has already been done before the incident. Backup and restore waits until recovery is needed. Pilot light keeps the smallest critical parts ready. Warm standby keeps a reduced working environment available. Hot standby keeps a passive environment close to production capacity. Active/active uses multiple serving locations, but even that does not remove the need for data integrity proof when corruption or ransomware is the scenario.

Rule Core

The readiness result is built from gates. Each gate becomes Ready, Review, or Blocked, and those statuses feed the summary score, residual risk badge, gate table, and radar profile.

Disaster recovery readiness gate rules
Gate	Ready condition	Review or block cue
Objectives and authority	Service name, activation authority, positive RTO, and non-negative RPO are present.	Missing objective or authority fields block the runbook.
Recovery strategy fit	The selected strategy can reasonably support the entered RTO and RPO thresholds.	An aggressive target for the selected strategy becomes `Review`.
Dependency map	At least three dependency rows are provided, with critical rows counted separately.	One or two dependency rows need review; none blocks the runbook.
Data protection	Backup evidence and replication health are both marked complete.	Missing backup evidence blocks readiness; missing replication also blocks tight RPO targets of 60 minutes or less.
Execution, validation, and failback	Five or more failover steps, three or more validation checks, and four or more restore or failback steps are stronger ready signals.	Short lists produce review states. Empty required lists block generated output.
Coordination and exercise	Communications have at least three entries, access and monitoring are complete, and the last exercise date is current for the chosen cadence.	No cadence, no last exercise date, stale exercise evidence, missing access, or missing monitoring can block readiness.

Recovery strategy objective thresholds used for review
Strategy	Minimum RTO for ready fit	RPO freshness target
Backup and restore	240 minutes	1440 minutes reference target
Pilot light	60 minutes	60 minutes or less
Warm standby	30 minutes	30 minutes or less
Hot standby active/passive	15 minutes	15 minutes or less
Multi-site active/active	5 minutes	5 minutes or less

Exercise currency uses the chosen cadence as a time window: quarterly is 92 days, semiannual is 183 days, and annual is 366 days. A last exercise date inside the window is Ready. A date up to one and a half times the window is Review. Older evidence, a missing date, or no recurring cadence is Blocked.

The radar profile groups readiness into Objectives, Dependencies, Data, Execution, Validation, Failback, and Coordination. Gate scores use 100 for Ready, 62 for Review, and 20 for Blocked. The overall summary averages the profile groups, while residual risk stays stricter for Tier 0 and Tier 1 services.

Everyday Use & Decision Guide:

Start by entering the service identity and decision authority. Service or system, Recovery tier, Disaster scenario, Recovery strategy, Primary environment, Recovery environment, Runbook owner, and Activation authority set the scope and accountability of the report.

Set Recovery time objective and Recovery point objective from approved service targets. A short RTO with backup-and-restore architecture will appear as a review concern because the selected strategy may not match the target. A short RPO with missing replication evidence can block the data protection gate.

Use one line per dependency, failover action, validation check, restore or failback action, and communication item. Dependency rows can include dependency name, criticality, owner, recovery note, and verification focus separated by pipes, tabs, semicolons, or commas. That structure makes the Dependency Log more useful during review.

Use DR Draft for the Markdown runbook that can move into an incident ticket, tabletop packet, or owner review.
Use DR Gates to find the readiness gaps that need closure before responders rely on the runbook.
Use DR Timeline to review phase, sequence, action, owner, evidence, and stop or rollback cue.
Use DR Readiness to see whether one readiness area is much weaker than the others.
Use JSON when another system needs the structured service, readiness, dependency, timeline, and runbook text record.

Open Advanced for evidence that often decides whether the plan survives a real incident: backup evidence, replication health, privileged access and secrets, monitoring coverage, last exercise date, exercise cadence, data integrity proof, and recovery-mode operating notes.

A strong-looking score is not permission to skip review. Confirm that dependencies include identity, DNS, data, network paths, monitoring, vendors, and service desk channels, then compare the runbook against the latest exercise notes before using it as an operational record.

Step-by-Step Guide:

Work from service scope to recovery actions, then read the gates before copying the draft.

Enter Service or system, choose Recovery tier, and select the Disaster scenario that matches the first runbook use case.
Choose Recovery strategy, then set Recovery time objective and Recovery point objective with the correct units. Watch the summary badges for the selected strategy, RTO, and RPO.
Name the Primary environment, Recovery environment, Runbook owner, and Activation authority. Missing required identity or authority fields appears under Fix before using the runbook.
Fill Dependencies with one dependency per line. Use the suggested pipe-separated format when owner, recovery note, and verification focus matter.
Add executable Failover steps, acceptance-focused Validation checks, Restore or failback steps, and Communications and escalation entries.
Open Advanced and set evidence states for backup, replication, access, monitoring, exercise date, exercise cadence, and data integrity proof.
Review DR Gates. Close Blocked rows first, then decide whether Review rows need more evidence or owner approval.
Use DR Draft, Dependency Log, DR Timeline, DR Readiness, and JSON for the review record only after the top summary no longer says the runbook is incomplete.

Interpreting Results:

Read blockers before reading the percentage. Blocked means a required field, list, evidence state, exercise record, or validation expectation is missing enough that the runbook should not be used as-is. Review means the plan may be usable for a tabletop or owner check, but a target, evidence item, or list depth needs attention.

The readiness score summarizes gate groups, not actual recovery performance. A high score means the entered plan is well populated against the tool's checks. It does not prove that data can be restored, traffic will move cleanly, users can authenticate, vendors will respond, or the business owner accepts the recovery state.

How to interpret disaster recovery runbook outputs
Output cue	What it means	What to check next
`DR runbook incomplete`	Required inputs or required lists are missing.	Read the warning list and complete the named service, environment, owner, authority, dependency, action, validation, restore, or communication field.
`Recovery strategy fit` is `Review`	The selected strategy may not support the entered RTO or RPO target.	Compare the target with the strategy threshold table and confirm through an exercise or architecture review.
`Data protection` is `Blocked`	Backup or replication evidence is missing for the data-loss target.	Record restore evidence, replication health, restore point, and lag before declaring readiness.
`Exercise currency` is `Review` or `Blocked`	The last tabletop, restore drill, or failover test is stale or missing.	Run or schedule an exercise, then update the date and lessons learned.
`Medium residual risk` on a critical service	Tier 0 and Tier 1 services stay conservative even when most gates are ready.	Use owner review and exercise evidence before treating the runbook as operationally ready.

Use the generated Markdown as a draft record. Before an actual invocation, make sure owners, bridge details, change authority, secrets access, recovery capacity, data integrity checks, and customer-impact messages still match the live service.

Worked Examples:

Critical service with warm standby:

A Tier 1 authentication service using Warm standby, 2 hours RTO, and 15 minutes RPO fits the strategy thresholds. If dependencies, failover steps, validation checks, restore steps, communications, backup evidence, replication health, access, monitoring, and exercise date are mostly complete, the DR Gates table should show most rows as Ready and the summary can show the runbook ready for exercise.

Aggressive target for the selected strategy:

A database service set to Backup and restore with a 30 minutes RTO will mark Recovery strategy fit for review because the strategy threshold expects at least 240 minutes before it reads as a ready fit. The practical fix is to validate the short target through an exercise, choose a stronger strategy, or adjust the objective after business approval.

Data integrity required after corruption:

For Data corruption or ransomware recovery, leave Data integrity proof enabled. If validation checks mention only login and traffic routing, Validation and acceptance can stay in Review. Add checks for clean restore point, checksum or write/read evidence, audit logging, and business acceptance before treating the validation gate as ready.

Runbook blocked by missing communications:

If Communications and escalation is empty, the page shows Fix before using the runbook and the DR Draft output is replaced by a warning message. Add the incident bridge, service desk path, business owner, vendor escalation, or executive update route so the generated runbook can include communication steps.

FAQ:

Can this replace a DR exercise?

No. The runbook draft and DR Gates table organize the plan and readiness evidence. A tabletop, restore drill, or failover test is still needed to prove that owners, access, data, routing, monitoring, and validation checks work under the chosen scenario.

Why did a short RTO create a review warning?

The Recovery strategy fit gate compares the entered RTO and RPO with the selected strategy. Backup and restore, pilot light, warm standby, hot standby, and active/active each have different thresholds, so a target that fits one strategy can need review under another.

Why is the runbook still incomplete when most fields are filled?

The page requires service, environments, owner, authority, RTO, RPO, and at least one dependency, failover step, validation check, restore or failback step, and communication item. The warning panel names the missing item that blocks generated output.

Does active/active remove the need for backup evidence?

No. Active/active can reduce failover time, but data corruption and ransomware recovery still need clean restore points and integrity checks. The tool keeps backup evidence, replication health, and data integrity proof separate so those gaps remain visible.

Does runbook content get sent to a server?

The current page builds the runbook, tables, chart data, and JSON from browser-side state after the page loads. The tool behavior does not show a submission path for runbook contents; copy and download actions use the current page data.

Glossary:

Recovery time objective: The maximum downtime target recorded for the service.
Recovery point objective: The maximum data-loss window recorded for the service.
Recovery tier: The priority level used to express how critical the service is during recovery planning.
Recovery strategy: The technical pattern used to restore service, such as backup and restore, warm standby, or active/active.
Readiness gate: A check that marks part of the runbook as ready, needing review, or blocked.
Failback: The controlled return from the recovery environment to the repaired primary environment, or acceptance of the recovery environment as the new primary.

References:

NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, National Institute of Standards and Technology, May 2010.
IT Disaster Recovery Plan, Ready.gov, 2025-02-05.
Disaster recovery options in the cloud, AWS Well-Architected Framework.
Defining your DR strategy, AWS Prescriptive Guidance.
NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, National Institute of Standards and Technology, September 2006.