Backing up so that you can recover in the event of untoward events, be they simple hardware failure or disasters,...
starts with assessment. A thorough risk assessment should point out vulnerabilities you can fix now, possibly heading off trouble, as well as providing a starting point for disaster recovery planning for the risks you can't fix.
The first phase a risk assessment covers, among other things, personnel practices, physical security of the site, operating procedures, backup and contingency planning and even systems development and maintenance. This is a big job and it is usually handled either by a specially appointed team or farmed out to a contractor experienced in risk and security assessment.
If you decide to go outside for help in your risk assessment, it's important that you secure the services of a contractor who is familiar with enterprises of your size and type. Ask potential contractors for references from similar enterprises and then check the references.
After the risks are assessed they are easier to manage. Usually a risk assessment will uncover vulnerabilities that you can fix immediately that can substantially reduce your exposure in the event of a disaster. Fixing some of these will involve little or no cost to the organization while other problems can be headed off for relatively low cost.
The university of Toronto has a guide to disaster recovery planning for IT on its Web site.
Rick Cook has been writing about mass storage since the days when the term meant an 80K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last twenty years he has been a freelance writer specializing in storage and other computer issues.