Disaster and Business Continuity Planning 

    by Barry MacQuarrie, CPA 

    A checklist for disaster and business continuity planning

    What Would Happen?
     
    It’s Tuesday morning and your employee, Julie, arrives at the firm’s office at 7:02 am. She notices the flashing lights as she pulls into the parking lot. The building has been sealed off by the fire department. All members of the fire department are dressed in hazardous material suits. It doesn't look good.

    She asks, "What's happened?"

    A fireman says there was a chemical spill. He informs her that nobody will be allowed into the building for at least 72 hours, and that the electricity and phone service will be out indefinitely.

    What do you think Julie should do?

    I posed this question to a group of partners and technology professionals. They thought that Julie’s first reaction would be to call a partner, firm administrator or her immediate supervisor. They hoped she would take control of the situation and put the needs of the firm first.

    I also presented this same scenario to a number of employees of various CPA firms, and was surprised to find that their response didn’t meet the partners’ expectations. Many of them said, “I would go home and go back to bed.”  

    The Need to Plan

    Whether you work in public practice or industry, there is a wide gap between partner or director expectations and employees’ sense of responsibility in the event of an emergency or disaster. Why does this gap exist? In the case of one firm, the answer was quite simple. The staff had never been told what to do if they discovered an emergency.

    That firm did not have a complete disaster recovery plan.

    Do you have a disaster recovery plan that would adequately protect your organization? Just ask any of the hundreds of firms and businesses affected by last year’s devastating hurricanes and they will tell you all about the perils of not doing disaster planning.

    We cannot predict when or even if a disaster will strike an organization. There is no way to tell when we will feel the impact caused by a natural disaster, disgruntled employee, faulty hardware or virus. The only thing we can do is to plan.

    How To Create a Plan

    By following these steps, any organization can prepare an effective disaster recovery plan:

    Assign the Team. To design a disaster plan, you need a team. Creating the plan should not be left up to any one member of the administrative or technology staffs. The project requires a team leader, representatives from each department, a list of individual responsibilities, and a fixed due date. The team should meet regularly during the plan development process and then present the final plan to management.

    Understand the Risks. A properly written disaster plan will help your organization recover from potential disasters, so it is very important that the disaster plan focus on specific issues that may become reality.

    For example, it does little good for a company located in sunny Fort Myers, Florida, to plan for the impact of a blizzard. The team should determine all potential dangers and rate their potential impact on the company or firm.

    Just ask any of hundreds of firms and businesses affected by last year’s devastating hurricanes and they will tell you all about a lack of disaster planning. In addition to blizzards and hurricanes, there are other obvious natural catastrophes, such as tornados and floods, but disasters also encompass technology-related incidents, including viruses, failed hardware and unapproved network access. In addition, consider the disaster known as “human risk” if the company or firm were to lose a key executive.

    Whether natural or man-made, the team should focus on worst-case scenarios. Questions include, “How would we continue to operate if we had no access to the building, the computers, and company records for a period of several days?”

    Develop the Plan. In the event of an emergency or disaster, an effective recovery plan documents what will be done, by whom, and in what order. The plan should clearly define who is in charge of the disaster recovery before the disaster strikes.

    The plan should include all documentation needed by the disaster team in the event of an emergency. The plan and related documentation must be maintained at an off-site location.
     
    For example, I believe that the first priority after a disaster is to locate all firm/company employees. Depending on the size of your organization, this would be done by a single person or by a call team. In order to call everyone in response to an emergency, the call team must have access to telephones, and a current list of employees and their contact information.
     
    Other documentation might include network documentation, an inventory of all software, a list of customers, and a vendor listing. All documentation must be updated on a regular basis to ensure that the correct information is available from an off-site location during a disaster.

    Involve Everyone. The development of the disaster recovery plan is a team effort, so it is important that everyone at the company understand his/her responsibilities if a disaster strikes. However, since most employees’ only responsibility might be to alert the disaster coordinator, the staff would simply need training and the required resources.

    In my earlier example, Julie was the first to learn of the problem. The success of the firm’s response is clearly tied to the amount of training that was provided to Julie – she should know who to call, and must also have the resources, phone numbers, or e-mail addresses with her to instantly respond.

    Test the Plan. A well-designed disaster plan is only that, a plan. Testing the plan will help you learn if it is complete and effective, and will give you the chance to improve the plan in a non-crisis timeframe.

    Mitigate the Risks. Although a tested, informative, and practical plan helps a company recover in the event of a disaster, there are several actions an organization can take to avoid a disaster:

    • Keep off-site documents up-to-date.
    • Invest in quality computers and technology professionals.
    • Diligently defend the security of your network.
    • Back up every file, every day.
    • Write and maintain a disaster recovery plan.
    • Train your employees.
    • Test your disaster recovery plan.

    In the ideal world, disaster plans would be unnecessary. However, the events of the past few years have taught us the importance of being well prepared for the potential impact of a disaster. No one knows when disaster will strike. Our best, and sometimes only, defense is to be prepared.






     
    Copyright © 2006-2014 American Institute of CPAs.