The CPA Journal

Managing Effective Disaster Recovery

By Stanley Weiner

IN BRIEF

Take Care of the Fundamentals

Substantial anecdotal evidence suggests that many small, and some large, businesses were not well prepared to respond effectively to the type of disaster that occurred on September 11. Not only did they not have effective disaster recovery plans in place, many had not even provided for the basic secure backup of the data files and software necessary to run their businesses. The scope of disaster recovery plans can vary considerably, but, as the author underscores, spending a lot of money is not the only way for a middle-market company to ensure that the fundamentals of disaster recovery are taken care of. The author's checklist for the budget-minded business could prevent the shutdown that ends in bankruptcy

If the terrorist attacks of September 11 have not already altered the way that businesses view security and disaster planning, the assessments and events in its aftermath are heightening personal and professional awareness of the effects of such a major disruption to business. No one starts the day believing that the physical presence of a business will be gone later that morning. Although some very large businesses with multiple major sites have weathered the storm well, the typical middle-market company at a single location has faced severe difficulties in reestablishing its business. The need for a basic disaster recovery plan has never been more apparent.

Many companies that have disaster recovery plans developed them in response to a demand from regulatory authorities or a board of directors. Banks, financial institutions, and publicly held companies are usually required to have a formal disaster recovery plan. In the middle-market sector, however, such plans are rare. Where they exist, they tend to focus narrowly on the backing up of basic data rather than broadly on preventing the losses that accompany a major disaster. The management of middle market companies frequently views disaster recovery plans in the same light as insurance: They are costly additional overhead items that relate to a future, highly remote event that will probably never occur. As we have already witnessed in the aftermath of September 11, however, the impact and repercussions of a major business disruption can place such severe pressures on a company that it is unable to continue in business. Studies that have focused on information system catastrophes indicate that 90% of companies without a disaster recovery plan go out of business within two years of a catastrophic loss.

Although an extremely detailed disaster recovery plan can cost more to develop than many businesses wish to spend, a company can develop a basic plan for moderate cost. Such a basic plan can cover most of the issues that would need to be addressed in order to quickly respond to most catastrophes. See the Exhibit for additional resources in designing a disaster recovery plan and see the Sidebar for a checklist for low-cost preparedness procedures.

The Elements of a Disaster Recovery Plan

A disaster recovery plan marshals a company's resources to deal prospectively with a variety of future adverse events that could disrupt business operations. Such an event could be a natural disaster like a fire or flood, or an information system malfunction like a computer center failure. A good disaster recovery plan should prepare the organization to deal with any events that could curtail business operations. The plan's strength relies upon its identification and provision of the internal resources and organizational structure to cope with a variety of major business disruptions.

Important elements to consider when developing a disaster recovery plan include the following:

In addition, the crisis management team should identify and communicate with outside parties that could play a significant role in a recovery effort, especially if the team plans to depend on an outsider for significant assistance. Common outside parties that should be considered are accountants, lawyers, public relations professionals, insurance counselors, and IT consultants. Bankers, suppliers, and customers that are important to the continuity of the business should be contacted in the event of a disaster, kept abreast of current developments, and requested to cooperate in the recovery efforts.

Identifying Unique Exposures

Although each organization has unique exposures to the potential effects of a disaster on its continuing operations, most middle-market businesses have extensive and critical exposures in the areas listed below. The crisis management team should carefully outline the unique exposures in each of these areas and determine the team's corresponding recovery measures.

Financial exposures. The team should plan for specific sources of cash during a recovery period in order to balance the negative cash flow from operations. The preservation, or reconstruction, of financial documents and data should also be on the list of high-priority items. In some emergencies, it is also necessary to plan alternative facilities for accounting and other essential financial record-keeping activities.

Operational exposures. Exposures in a business's operations will often require the most careful analysis and planning because they tend to be coupled with the unique ways that companies conduct their affairs. For retailers and manufacturers, an important concern will center on replenishing inventories and reconstructing or relocating (either temporarily or permanently) retail or manufacturing space. Some plans call for a hypothetical immediate move into new space that the team identifies periodically on a current availability basis: If we had to move to new space today, what is the best space available? In some cases, the team will be faced with the fact that the disaster will cause an interruption in business operations during the recovery period. The goal should be to minimize the duration of such interruptions, but in cases where it will last for a longer term, the team should consider business interruption insurance. Finally, the team should also consider the steps that would be required if the business would need to rapidly find replacement staff in an essential area.

Data center exposures. Primary among the team's concerns should also be exposures that could lead to lost backup data, work stoppages, or system breakdowns and shutdowns. The nature of these exposures will influence whether the team provides for off-site backup (considering distance from the main site) and alternative sources of computing capacity.

Physical risk exposures. Exposures that pose physical or health risks to employees are among the most difficult to identify and plan for. Most team members are accustomed to living and working in a safe and secure environment. One of the most difficult lessons to absorb from the September 11 terrorist attacks is that our work places, once considered safe, may be subject to a disaster. Physical safety is a concern that does not lend itself to half-hearted measures. Employees want to know that their employer has a plan that deals realistically and completely with threats to their physical well-being.

Some of the critical exposures that the team should consider include location, proximity to hazardous materials, industry risk factors, and physical security. Some facilities and their staffs are at risk because of their location in areas where certain natural disasters are likely (i.e., floods, tornadoes, and earthquakes). Other facilities could be at risk because of the symbolic value of the location, as evident in the terrorist attacks on the World Trade Center and Pentagon. Some businesses work in industries where specific inherent risks arise from the application of technology. If the business is proximate to hazardous materials or on a route used to ship them, the company could face substantial exposure to a disaster. In addition, businesses that have operated with few security precautions in the past may find it necessary to focus more attention and resources on ensuring that the people and materials entering their places of business are not dangerous.

All the efforts made to identify, analyze, and understand such exposures and to develop a plan to mitigate their potential impact are well worth the time and money if a disaster occurs.

Crisis Management Procedures

There are certain common procedures that should be part of every disaster recovery plan.

Emergency response procedures. Well-designed procedures for the initial reaction to a disaster must be standardized in order to ensure that team members respond rapidly, consistently, and authoritatively to a disaster. There should be a designated off-site meeting place for the crisis management team. All employees should be aware of procedures that maintain communications with management, either from home or another facility, in case they cannot contact the normal place of business. Provisions should be made for manual procedures to maintain critical records for those functions that require continuous record-keeping. If the normal place of business must be abandoned, the team should have a plan in place to provide the appropriate type of workspace and decide where to move. Such plans could range from the rental of open space to the maintenance of pre-configured offices with information and communications technology already in place.

Notification procedures. Employees, customers, vendors, banks, insurance companies, accountants, consultants, attorneys, creditors, investors, and various governmental authorities will have to be notified that the business has experienced a disaster. The effect on each group will be somewhat different and the plan should deal with the communications process and contact points for each. One of the most important components of ensuring that a business will still exist after disaster recovery is to keep large customers and suppliers aware of the recovery's status. To recover fully only to discover that customers have found a new source of supply because they were unsure of the business's future capability could negate an otherwise efficient disaster recovery plan.

Activation of the crisis management team. The plan should address how the crisis management team will know that it should start functioning. The trigger mechanism should be given careful thought. If the plan calls for the CEO to activate the team and the CEO is unable to do so, then the team may waste valuable time. On the other hand, if the decision to activate the team rests solely with the crisis coordinator, then clear guidelines are necessary to prevent false alarms.

Development of specific reactions. Once the crisis management team is activated and goes into action, one of its first tasks should be to assess the crisis and thoroughly analyze its damage and potential impact on the business. It should also identify and communicate to all team members and involved employees any updated recovery procedures that deal with the specific circumstances of the crisis. Finally, once the scope of the crisis is determined and a plan for recovery procedures is outlined and approved, the team should commence recovery procedures.

Business Recovery Procedures

Each member of the crisis management team should have specific procedures to follow in case of a major disruption of business. Some of these procedures will be generic in nature, providing the context for the creation and implementation of specific steps in the recovery. Important steps to take in any disaster recovery plan include the following: