Disaster and Business Continuity Planning

By Barry MacQuarrie, CPA, director of Technology at KAF Financial Group

What Would Happen?

It's Tuesday morning and your employee, Julie, arrives at the firm's office at 7:02 am. She notices the flashing lights as she pulls into the parking lot. The building has been sealed off by the fire department. All members of the fire department are dressed in hazardous material suits. It doesn't look good.

She asks, "What's happened?"

A fireman says there was a chemical spill. He informs her that nobody will be allowed into the building for at least 72 hours, and that the electricity and phone service will be out indefinitely.

What do you think Julie should do?

I posed this question to a group of partners and technology professionals. They thought that Julie's first reaction would be to call a partner, firm administrator, or her immediate supervisor. They hoped she would take control of the situation and put the needs of the firm first.

I also presented this same scenario to a number of employees of various CPA firms, and was surprised to find that their response didn't meet the partners' expectations. Many of them said, "I would go home and go back to bed."

Whether you work in practice or industry, there is a wide gap between a partner's or director's expectations and the employee's sense of responsibility. In the case of one firm, the answer was quite simple. The staff had never been told what to do if they discovered an emergency.

That firm did not have a complete disaster recovery plan.

Do you have a disaster recovery plan that would adequately protect your organization? We cannot predict when or even if a disaster will strike an organization, and there is no way to tell when we will feel the impact caused by a natural disaster, disgruntled employee, faulty hardware or virus.

The only thing we can do is to plan. This article provides an overview of the steps an organization should follow to prepare a disaster recovery plan.

Assign the Team. The process of designing a disaster plan requires a team. Creating the plan should not be left up to any one member of the administrative or technology staff. The project requires a team leader, representatives from each department, a list of individual responsibilities and a fixed due date. The team should meet regularly during the plan-building process and present the final plan to management.

Understand the Risks. A properly written disaster plan will help your organization recover from potential disasters that may affect it, so it is very important that the disaster plan focus on specific issues that may become reality.

For example, it does little good for a company located in sunny Fort Myers, Florida, to plan for the impact of a blizzard. The team should determine all potential dangers and rate their potential impact on the company or firm.

Just ask any of hundreds of firms and businesses affected by last year's devastating hurricanes and they will tell you all about a lack of disaster planning. In addition to a hurricane, there are other obvious catastrophes, such as tornados and floods, but disasters also encompass technology-related incidents, including viruses, failed hardware and unapproved network access. In addition, consider the disaster known as "human risk" if the company or firm were to lose a key executive.

Whether natural or man-made, the team should focus on worst-case scenarios. Questions include, "How would we continue to operate if we had no access to the building, the computers and company records for a period of four days?"

Develop the Plan. If a disaster occurs, an effective recovery plan documents what would be done, by whom and in what order. The plan should clearly define who is in charge of the disaster recovery before the disaster strikes.

The plan should include all documentation needed by the disaster team in the event of an emergency, and the plan and related documentation must be maintained at an off-site location.

For example, I believe that the first priority after a disaster is to locate all firm/company employees. Depending on the size of your organization, this would be done by a single person or by a call team. In order to call everyone in response to an emergency, the call team must have access to telephones, and a current list of employees and their contact information.

Other documentation might include network documentation, an inventory of all software, a list of customers and a vendor listing. All documentation must be updated on a regular basis to ensure that the correct information is available from an off-site location during a disaster.

Involve Everyone. The development of the disaster recovery plan will be done by the team, but it is important that everyone at the company understand his/her responsibilities if a disaster strikes. Most employees' only responsibility might be to alert the disaster coordinator, so the staff simply needs to be trained and provided with the required resources.

In my earlier example, Julie was the first to learn of the problem. The success of the firm's response is clearly tied to the amount of training that was provided to Julie—she should know whom to call, and must also have the resources, phone numbers or e-mail addresses with her to instantly respond.

Test the Plan. A well-designed disaster plan is only that, a plan. Testing the plan will help you learn if it is complete and effective, and will give you the chance to improve the plan in a non-crisis timeframe.

Mitigate the Risks. Although a tested, informative and practical plan helps a company recover in the event of a disaster, there are several tasks an organization can perform to avoid a disaster:

  • Keep off-site documents up to date.
  • Invest in quality computers and technology professionals.
  • Diligently defend the security of your network.
  • Back up every file, every day.
  • Write and maintain a disaster recovery plan.
  • Train your employees.
  • Test your disaster recovery plan.

In the ideal world, disaster plans would be unnecessary. However, the events of the past few years have taught us the importance of being well prepared for the potential impact of a disaster. No one knows when disaster will strike. Our best defense is to be prepared.

AICPA's Top Technologies 2006 is a project of the AICPA's Information Technology (IT) Membership Section, and is led by the IT Executive Committee and CITP Credential Committee. For more information on the AICPA's technology initiatives, including Top Technologies, the CITP Credential and the IT Membership Section, visit the IT Center. Any hardware or software products mentioned do not in any way represent an endorsement by the Institute or Section.

Barry MacQuarrie, CPA, is director of Technology for KAF Financial Group and is the CIO for an affiliated company, XCM Solutions. He has extensive experience working with technologies used by CPA firms, including paperless office solutions, workflow applications, and document management software. Barry is a member of the AICPA Information Technology Executive Committee.

Copyright © 2006 by the American Institute of Certified Public Accountants, Inc., New York, New York. Reproduced with permission.

For further information, contact Barry MacQuarrie: bmacquarrie@kafgroup.com