By Cynthia Scarinci, CPA, assistant professor of accounting, College of Staten Island, CUNY

Contingency planning is essentially a plan that an organization will follow in the event of a disaster, outlining workplace requirements and a plan of action.
The first step is to identify potential exposure: What are the potential disasters, and how they would impact business operations? The what-if analysis should pose the following questions:

Most large companies have a team directly responsible for contingency planning and disaster recovery. For small business owners, contingency planning is often less of a priority because their focus is on such day-to-day issues. Through technology, small companies are increasingly self-sufficient, maintaining their own accounting records, preparing their own budgets, and developing their own advertisements. The sudden loss of technological capabilities can be devastating.

Companies usually have three common concerns about contingency planning:

The answers depend on the type of business, the technology being used, the size of the staff, and, most important, the commitment of the business owner. Many businesses will find the following basic template useful in establishing a contingency plan.

Basic Steps

Backup, backup, backup. The single most important step is backing up the computer system or network. An often-overlooked part of this process is to make sure the backup is stored safely—off premises. Many business owners take the time and effort to back up their systems, then leave the backup in the desk drawer next to the computer, which is useless if the office is destroyed. Off-site storage can be as simple as keeping one backup copy at home or in a safe deposit box, anywhere it will be secure and easily accessible.

An important related issue, backup frequency, is very organization-specific. The more frequently data is updated, the more frequently it should be backed up. The more time that would be required to restore it, the more frequently backups should be made. Application software should be backed up as well, but less frequently for programs that have not been updated.

When backing up, one good approach is the grandfather, father, and son method, a system of three distinct backups that are used in sequence and rotated in order. For example, in the first week, tape 1 is used as a backup tape. Week 2 is backed up with tape 2. Finally, week 3 is backed up with tape 3. In week 4, the business uses the oldest tape (tape 1, grandfather) for its backup, writing over the oldest data. At this point, tape 2 is now the oldest backup tape and goes from father to grandfather. Tape 3 goes from son to father. The rotation continues, always using the oldest tape for each successive back-up.

This method is effective because it maintains three generations of backup. If a virus attack or program glitch affects the computer system at a particular point in time, the business will have a backup of the system before the problem occurred, and can return to the data in its pre-virus condition.

The type of system to use for backing up data depends upon the type of computer system. Many systems today are already equipped with backup devices. If not, backups can be made using Zip drives, backup tape units, compact discs, or floppy disks. If frequent backups are required, the business should investigate more efficient systems.

Plan

Devise a plan to be followed in the event of a disaster (e.g., the building is destroyed or inaccessible). Identify where employees should call for further information or report for work. Some larger companies have a “hot site” that has the necessary equipment and system backups ready for use. Some small businesses have designated the owner’s home address as the “hot site” in the event of a disaster.

An overall schematic of the business must be made, identifying the office space required and the number and location of computer stations, printers, telephones, desks, chairs, cabinets, and bookcases.

Get the numbers. To facilitate the replacement of assets and the filing of insurance claims, record the quantities, models, and serial numbers of all fixed assets. This includes computers, printers, servers, peripherals, telephones, video equipment, desks, and chairs.

Identify vital records. Identify all important documents and records, including corporate records, insurance policies, deeds, leases, and patents. Make copies of these documents. If the originals are not necessary in the office, keep a copy on file and move the originals off-site.

Names and numbers. Many companies retain electronic contact information for their employees, important clients, associates, consultants, and vendors. Periodically print out these lists, retaining one hard copy in the office and another off-site.

Assign tasks. If possible, assign recovery tasks to specific employees so that the business owner has assistance in carrying out a quick recovery.

Test It

The biggest and most important test will be that of the computer system backup. Tests should be conducted at least once a year. The best time to do so is during the slow season, if there is one, or at night, on holidays, or on weekends.

When possible, the business should test other features of the contingency plan by putting it into action after a simulated disaster. The test phase is the most valuable tool in determining whether the plan has overlooked anything.

Keep It Up to Date

Updating the contingency plan is the easiest task but perhaps the most difficult to enforce. Many organizations implement contingency plans but fail to keep them current. A business should review its contingency plan at least once a year to determine if changes are necessary. An outdated contingency plan is as bad as no plan at all.

©2002 CPA Journal. Legal Notices