THE CPA IN INDUSTRY

November 2001

Business Continuity Plans for Disaster Response

By Felipe Alonso and John Boucher

The devastating human and fiscal effects of the September 11 World Trade Center disaster extend far beyond New York City’s financial district:

Continuity Strategy

The events of September 11 have forced CEOs to revisit their preparations for business continuity: the measures an organization takes to operate as normally as possible after a natural or man-made disaster. Today’s business environment demands a rapid-response approach that allows for fluid continuity of core business operations in the event of a catastrophe.

Such a strategy involves the development of a business continuance plan that addresses data availability and dependability. It can lower the risk of critical-service and business-function disruption due to disasters or unplanned interruptions. The aim is to resume near-normal operations within an acceptable time period.

The success of a business continuity plan hinges largely on a commitment to an enterprise-wide perspective. Organizations face rapidly changing and growing risks: globalization; e-commerce and cyberspace; new corporate collaborations; the pace of business activity; and, now, international political risks. These new risks have spurred CEOs to scrutinize the threats to their entire enterprise, including to business continuity. Leaders are finding that they can ill afford prolonged downtimes, slow reaction times, expensive system upgrades, or inflexible processes.

An effective strategy for business continuity addresses not only risk mitigation and continuity planning for process disruptions, but also controls over configuration changes and data storage requirements that improve the availability of vital information among process owners. The benefits include—

As a result of precautions taken after the 1993 World Trade Center bombing and preparations made for Y2K, it is believed many companies affected by the September 11 disaster were able to prevent critical data loss due to thoroughly planned backup and recovery operations. Companies that were less prepared may need to consider revamping their data infrastructure and backup policies. A sound business continuity procedure can help organizations select a data storage technology and structure recovery agreements with third parties.

Research by the Gartner Group indicates that enterprises with prepared business continuity plans are significantly more likely to recover as a viable entity than those without. With corporate risk management attracting increased scrutiny, business continuity planning can satisfy many growing demands. For example, customers expect supplies and services to continue—or resume swiftly—in all situations. An effective business continuity program links systems in real time between customers, vendors, and collaborating entities along the length of the supply chain. An integrated supply chain helps the organization manage multiple chains as part of a network of cooperative entities, suppliers, and even competitors.

Other parties have certain expectations of a company:

Beyond Data

Although data is essential for a business’s survival, disaster recovery is no longer solely a data center operation. Disaster recovery does not imply business continuity. Disaster recovery plans have historically been the responsibility of an organization’s information technology (IT) department. But today’s technology has altered the ground rules. Recovery schedules that were once plotted in days and weeks must now be executed in hours and minutes, multiplying the cost of failure.

Continuity planning has evolved from an IT-centered disaster recovery strategy to an enterprise-wide framework that encompasses business processes, data availability, and the entire information delivery system. Such a comprehensive plan improves reliability in business operations that presume access to systems and data will be available all day, every day.

The development of a viable business continuity strategy should be a product not only of the providers of data processing, communications, and operations center services, but also of the users of those services and the management personnel responsible for protecting the entity’s assets. While business continuity encompasses a range of technologies (old and new, paper and electronic, manual and automated, individual and integrated), the internal business aspects—such as justifying the plan, obtaining executive buy-in, and receiving broad organizational support—represent the key challenge in instituting a successful strategy.

If an organization is to maintain continuity of its core business operations in the aftermath of a disruption, it cannot rely upon antiquated methods of data-center disaster recovery. Developing high-availability capabilities—a necessity in today’s continuous business climate—requires an examination of the organization’s business processes and data, as well as its existing technology infrastructure.

A strong business continuity plan can help companies recover quickly by providing a reliable and seamless continuity of operations. It can also protect corporate assets, provide management control of risks and exposures, offer preventive measures where appropriate, and take proactive management control of business disruption.


Felipe Alonso is a partner in KPMG LLP’s information risk management practice (falonso@kpmg.com).
John Boucher is a partner in KPMG LLP’s information risk management practice and (jboucher@kpmg.com). The views expressed above are the authors’ and do not constitute professional advice.

Editor:

Robert H. Colson, PhD, CPA
The CPA Journal


This Month | About Us | Archives | Advertise| NYSSCPA


The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.


©2009 The New York State Society of CPAs. Legal Notices

Visit the new cpajournal.com.