July 4, 2009
 
About the AICPA
Member Service Center
Membership Information
AICPA Mission
Corporate Governance
Understanding the Organization
Frequently Asked Questions
Media Center
People and Places
Jobs at the AICPA
Vision Project
Legal Briefs
Professional Resources
Accounting and Auditing
Accounting and Auditing Technical Help
Accounting Standards
Audit and Attest Standards
Audit Committee Effectiveness Center
Authoritative Standards
Business Reporting Assurance & Advisory Services
Considerations for the Economic Crisis
Enhanced Business Reporting
FASB Accounting Standards Codification
IFRS
Private Company Financial Reporting
Sarbanes-Oxley Resources
SEC Regulations Committee
XBRL
Tax
Business, Industry, and Government
Financial Management Center
Audit Committee Effectiveness Center
Audit Committee Matching System
Public Accounting Firm Resources
Center for Audit Quality
Employee Benefit Plan Audit Quality Center
Governmental Audit Quality Center
PCPS Firm Practice Center
Small Firm Corner
Peer Review
AICPA Peer Review Program
Peer Review Public File
Center Peer Review Program
Peer Review Transparency
Professional Ethics/Code of Conduct
Code of Conduct
Disciplinary Actions
Professional Ethics
Personal Financial Planning
Forensic and Valuation Services
Information Technology
Antifraud Resource Center
Financial Literacy
Exposure Drafts
CPA Marketing Toolkit
Public Meeting Notices
Conferences, Publications, CPE & the AICPA Library
AICPA Conferences
CPE
Publications
AICPA Library
Magazines and Newsletters
The CPA Letter
Journal of Accountancy
Journal of Accountancy Classified Ads
Newsletters
The Tax Adviser
Weekly News Updates
Copyright Information
Becoming a CPA/Academic Resources
Accounting Education Center
Students and CPA Candidates
Minority Initiatives
Start Here. Go Places.
Career Development and Workplace Issues
What's New
Career Advice
Job Search Tools
Mentoring Guidelines
Women in the Profession
Work-Life Balance
Young CPA Network
Consumer Information
360 Degrees of Financial Literacy
Antifraud Resource Center
Audit Committee Effectiveness Center
Audit Committee Matching System
Disciplinary Actions
Find a CPA
Peer Review Firm Terminations
Peer Review Public File
Web Trust
Media Center and Video Library
Media Center
Video Library
Legislative Activities and State Licensing Issues
Congressional and Federal Affairs
Mobility and State Licensing Issues
State News and Info
Home Online Publications The Practicing CPA October 2001 Planning for Physical Disaster
 
  Planning for Physical Disaster
 

Planning for Physical Disaster

By Philip Jan Rothstein, FBCI

The tragic disasters on September 11, 2001, were a horrible reminder of how precarious and precious life is. Even though we cannot predict the future, we can prepare for the risks that may be ahead. One tool businesses use to prepare is disaster planning. The following is a discussion of three basic steps in the disaster planning process. They are:

  1. Assess exposure to various risks.

  2. Implement strategies to prevent, mitigate, or recover from identified risks.

  3. Prepare and maintain a disaster recovery plan.

Step 1: assess exposure

The first step in preparing to face a physical disaster is to conduct a risk impact assessment (RIA) of threats, vulnerabilities, and exposure to loss. This analysis should be as broad as possible. Some of the areas of investigation may include the following:

  • Physical threats and vulnerabilities, such as fire, security, electrical power, flooding, natural hazards, neighboring or regional threats, and structural threats;

  • Computer and communications threats and vulnerabilities, such as data loss or corruption, software or equipment failure, telecommunications outages, loss of access to computer, and loss of personnel;

  • People-related threats and vulnerabilities, such as civil unrest, labor action, disgruntled individuals, sabotage, and industrial espionage.

Step 2: implement strategies

The threats or vulnerabilities identified through the RIA process, where feasible, should be corrected. Where infeasible or not cost-effective, then coping, mitigation, or recovery strategies are necessary. Three types of sample strategies are covered below: strategies for general risks, strategies for specific physical risks, and strategies for information technology (IT) risks.

General risks strategies

General strategies to prepare for disaster include training staff, categorizing files, and purchasing insurance.

Train staff. Have one or more staff persons trained and certified in emergency health procedures. Local hospitals, the American Red Cross, American Heart Association chapters, and emergency care consultants offer this type of training. Also, contact your local fire department to have staff persons trained in fire prevention and the use of fire control equipment.

Categorize and back up files. Categorize client and firm files and records as vital (irreplaceable or almost irreplaceable), important (replaceable, but at considerable cost), or nonessential (not needed to continue in business). Consider all files and records, whether on paper, microfilm, or magnetic, optical, or other media. Maintain current vital files in fireproof cabinets, positioned near the center of the building and as close to wall supports as possible. This may prevent their falling into the floor below or into the street in the event of structural damage. Lock these cabinets when not in use so if the floor collapses, the contents are less likely to scatter. Important files are often voluminous, and it might be impractical to store them in fire-resistant cabinets. Therefore, they are often maintained in regular cabinets in a nonflammable area or stored off-site.

Consider whether vital files or records are best stored in paper form or on diskette, and plan for the periodic review and updating of stored material so the latest version of the information is available in the event of disaster. A firm should have a clean desk policy, especially for vital records, so all files are returned to safe storage at the close of daily business.

Because an accounting firm is highly dependent on data, most disaster planning focuses on the preservation of files and records. Even a fireproof safe has survival limits, so the most effective procedure is to maintain duplicate copies of at least all vital records at an off-site location. An alternative is microfilming records and storing the backup microfilm in a bank vault or other secure, accessible, off-site location.

Purchase insurance. Adequate insurance coverage is necessary to the survival of a firm. Disaster insurance should include the following:

  • Replacement cost for building, equipment, and furniture.

  • Valuable papers.

  • Business interruption and extra expense.

  • Legal liability.

Review each aspect of the insurance policy periodically, especially during periods of rapid growth and changing values.

Insurance coverage is only as good as your ability to prove loss; therefore, you must prepare and maintain an inventory of office contents. Learn the necessary documentation for business interruption insurance; otherwise, the amount of loss can be difficult to substantiate.

Do not keep original insurance policies and insurance-related documentation at the office. Use a safety deposit box or some other secure off-site location to store policies and insurance documentation.

Specific physical risks strategies

Specific risks to consider include electric power risks, fire risks, and weather catastrophe risks.

Electric power protection. Power sources for computers and other electrical equipment must be protected from blackouts, brownouts, and voltage swings. The first step when purchasing a power protection unit is to analyze the equipment you want to protect. Specifically, how critical is the data provided and how much downtime is tolerable? How sensitive is the equipment to power fluctuations, and how costly is the equipment to repair or replace?

Uninterruptible power supply (UPS) units and standby power supply (SPS) units are sized relative to the equipment they protect. UPS protects against glitches, sags, surges, and dips. These units operate online, regulate incoming voltage, and maintain continuous battery power for several minutes during a short-term outage, or until a standby power supply is active. Standby power supply (SPS) protects against extended outage. The source of power can range from batteries to diesel or turbine generators, and may power selected equipment or an entire building. Replace surge suppressors periodically because their effectiveness may diminish over time with repeated exposure to power surges.

Fire protection. Have your building frequently inspected by a professional trained in fire prevention. Work with building management to identify at least two evacuation routes, make fire exits easily accessible, and clear all passageways of obstruction. Familiarize employees with evacuation routes. Install and regularly test fire detection devices with remote monitoring and fire extinguishers.

Hire an experienced contractor to conduct thermal scanning of electrical power supplies and breaker panels, as well as to inspect for proper grounding of electrical equipment. Give special consideration to protecting employees who are handicapped. Whenever possible, use flame-retardant fabric for draperies and upholstery. Ensure that sprinklers are installed.

Weather catastrophes protection. To mitigate weather catastrophes, locate in an area or building that offers the best protection from weather disasters common to the region. Locate important equipment and records where they are least likely to be damaged by weather.

Information technology risks strategies

Consider the following strategies, which can be combined and adapted.

In multioffice firms, be sure that each office has the capacity to carry the critical workload if one office experiences an IT disaster. This decentralization is effective only if the facilities are geographically separated; otherwise, they run the risk of experiencing the same disaster. The procedures and structure to effect recovery at an alternate office should be carefully validated and documented.

A reciprocal agreement with another CPA firm is another backup method. One serious flaw with this strategy is the agreement is often made on a handshake and with little or no thought given to implementation. There are draft contracts that formalize reciprocal backup agreements and clarify their requirements.

This strategy is inexpensive, but it is often difficult to maintain because it is affected by changes in either system. Also, if the reciprocal firm is in your area, the agreement may be useless if you share the same disaster.

Commercial recovery site vendors provide access to “hot sites,” which are completely equipped computer and communications recovery facilities along with supporting resources, trained personnel, and work areas for firm employees. Hot sites are accessible by a subscription arrangement contracted in advance of a disaster. Costs may include monthly subscription fees, declaration (activation) fees, and daily site usage costs. “Cold sites” and “warm sites” are variations of hot sites providing a minimal or partially equipped computer recovery shell facility. Costs for cold sites or warm sites tend to be lower than hot sites, although recovery time is longer since equipment must be obtained and installed.

Quick-ship recovery services provide replacement computer and networking hardware rapidly, typically within 24 to 96 hours after notification. The equipment must then be installed, configured, loaded with software and data, and validated before use.

Mobile recovery service providers can deliver a self-contained computer room on wheels, with or without the computer equipment. One advantage of this option is that the computer recovery can take place wherever it is most desirable, whether near the original facility, or at another recovery location. The chief disadvantage is that the delivery and startup time for mobile recovery may take a week or longer from notification.

Step 3: prepare a disaster recovery plan

Firms should develop, document, and circulate among employees a disaster recovery plan; new employees should receive a copy as part of orientation. Whether or not a firm is able to obtain business interruption insurance, this documented plan is essential—business interruption insurance is a supplement, not a substitute, for a prudent, tested recovery plan. The steps in preparing a disaster recovery plan are appointing a disaster recovery team, writing the disaster recovery plan, and reviewing the disaster recovery plan.

Appoint the disaster recovery team

An important, early step in the preparation of the disaster recovery plan is the appointment of the disaster recovery team and the disaster recovery team leader. The team leaders and members should each have designated backups who are also familiar with the plan. Team members may have one or both of two roles: development of the plan or execution of the plan during an actual disaster. Team duties include the following:

  • Gathering and analyzing the information needed to create the disaster recovery plan.

  • Designing and recording the plan for distribution to all employees.

  • Conducting disaster drills and spot checks to ensure that backup procedures are being followed.

  • Revising the plan as changes occur within the physical structure or environment, internal operations, business needs, or client base of the firm.

  • Coordinating the plan with local emergency and medical services, insurance carriers, landlord, security services, and backup facilities

  • Identifying key vendors, suppliers, and other contacts.

  • Responding to a disaster declaration and executing the plan.

Write the disaster recovery plan

The disaster recovery plan document should be terse, readable, and actionable. The first step of any disaster recovery plan is the declaration or activation of the plan. The individuals who are authorized to invoke the plan should be identified, along with the initial steps that are essential.

All disaster recovery plans must be researched and tailored to each firm and to each specific location, and each task listed would require specific, detailed information. There are numerous published resources, guides, books, software tools, and templates for both business recovery and IT disaster recovery. Regional and national organizations offer workshops, conferences, and seminars, which can be valuable resources for disaster recovery education and tools. Consultants provide a range of expertise and services and can be particularly valuable in assessing risk and exposure, as well as in designing an appropriate recovery strategy.

To receive a sample outline of a disaster recovery plan, e-mail Peggie Burns at mburns@aicpa.org.

Review the disaster recovery plan

All partners and staff should be familiar with the emergency plan, and all details should be rigorously enforced. The documented plan should be frequently reviewed and updated. On a regular basis, the plan should be exercised. Three example of ways to exercise the plan are: (1) a basic exercise may consist of a tabletop walkthrough, in which the participants talk through the plan in a conference room and look for inconsistencies, inaccuracies, problems, or unrealistic assumptions; (2) a drill, in which participants walk through the recovery process, following the steps outlined in the plan document; and (3) a full-scale exercise, in which the recovery process is activated based on assumed conditions (subject to reasonable modifications to ensure that real business is not directly affected).

Should a disaster occur, this plan could help ensure employee safety, provide an organized recovery, limit firm losses, provide evidence of prudent business practices, and speed business recovery.

Adapted from the Management of an Accounting Practice Handbook, chapter 215, “Coping with Disaster,” by Philip Jan Rothstein, FBCI, president of Rothstein Associates Inc., Brookfield, Connecticut, a management consultancy focusing on business continuity, disaster recovery, risk mitigation, and crisis management since 1985. Phone: (203) 740–7400 or (888) ROTHSTE; e-mail: pjr@rothstein.com; Web site www.rothstein.com.

 

 

  
 
To ensure that you can receive email messages from the AICPA, remember to update your member profile. Also, add the AICPA's email domains ("aicpa.org" and "email.aicpa.org") to your Sender Safe List, or contact your IT administrator to update your firm's email software.

©2006-2009 The American Institute of Certified Public Accountants, ISO 9001 Certified
AICPA Privacy Policy and Copyright Information | Jobs at the AICPA | Contact Us
AICPA, 1211 Avenue of the Americas, New York, NY 10036
Trusted Commerce