Disaster Recovery Plans Can Keep Your Business Alive
By Robert P. Green, CPA.CITP and Rick Mark, CSE
Let’s say your business has five offices across the country. You manage their operations, accounting, IT network and all software services for these five offices from one main office. You host your e-commerce website at the main office, and, from that office, provide all software and information used by your staff at all locations. Further, 40 percent of your company’s business originates from customer transactions using your website. None of the company’s other offices store information on their local computers. Then, one day, your main office is hit by a major storm, flooding the lower floor, which houses the server room, causing irreparable systems and hardware failures.
[ PEACE OF MIND ]
In the aftermath: Work comes to a halt at all locations across the country. The company website is down, thus 40 percent of your customers cannot conduct business with you. The set of backup tapes you finally locate is more than one week old and damaged from water and other elements. No one has been able to locate older backup tapes. You are left with no current data, no productivity, limited customer orders and interaction, and no likelihood of restoring any current information with which to do business. Think this is an exaggeration? OK, instead of a flood, substitute another real disaster — the possibility of a corporation’s data being corrupted or deleted by a hacker or ex-employee. Or imagine power surges or internal staff systems abuse.
Avoid the Horror

No one knows when — or if — a systems failure will occur, which is why it’s even more important for your firm to develop, maintain and regularly test a disaster recovery plan to mitigate the losses due to a system failure. Disaster recovery planning confronts the likelihood of a disaster from which a company must recover effectively and efficiently.
Business interruption can originate from a winter storm, the loss of electricity, inaccessibility to a facility for an extended period of time, a hardware failure or software corruption — along with the threats of viruses or hacking and malicious intent from internal or external influences.

In today’s information-centric environment, much of a disaster recovery plan addresses IT systems and data loss. However, the plans also must address logistics surrounding sales, administration, manufacturing/production, operations and commerce-based functions. If successful, a disaster recovery plan allows a business to continue as usual — or close to it — in the event of system failures.

Disaster recovery planning requires a sizable investment of corporate labor and financial resources in the areas of procedure design, implementation and testing. These efforts rely on the expertise and familiarity of internal managers, and often the use of outside advisers, such as CPAs and IT professionals. The adage “an ounce of prevention is worth a pound of cure” cannot be more applicable than to disaster recovery planning efforts.

If you are reluctant to create a recovery plan because of time and upfront costs and believe it’s an option you can risk doing without, consider this: disaster recovery plan efforts are addressed — directly or indirectly — in regulatory compliance doctrines in place for companies of all sizes, including Sarbanes-Oxley, HIPAA and other federal, state and local privacy protection acts.
Create, Maintain, Test

The first step in creating a disaster recovery plan is to form a disaster recovery plan/crisis management team, which will be responsible for creating and maintaining the plan, and managing it in the event of any business interruption. This team must represent all key departments and functions of a given company, and should keep in mind the following objectives:

Continuity and survival of the business
Protection of corporate tangible and intangible assets
Creation and documentation of specific preventative measures/activities
Ability for the disaster recovery plan to be tested periodically and modified to stay current with the business and any technological advances
The disaster recovery plan creation process involves assessing the myriad business risks that a company would face in the event of a disaster, everything from loss of data to communicating to clients about the disaster.
Once these risks are identified, an exercise of prioritization unfolds and the team focuses on preparing for the loss of those corporate services and resources that are deemed most critical to protect. Subsequently, the team creates action plans and underlying documentation of procedures that mitigate each of these risks and then tests these plans and procedures in real time to the greatest extent possible. This may mean shutting down the company’s power or internet connection, for example, during business hours as a test. It’s extreme, but it often is the only way you can test your disaster recovery plan, your employees’ understanding of it and their responsibilities. Sadly, many companies do not test their planned procedures in any way, which simply renders the disaster recovery plan useless paperwork.
The IT part of the Recovery Plan

Returning to our company described earlier, which suffered flood damage, you would have benefited greatly from having a disaster recovery plan that addressed the loss of critical data and business information systems functions. Among others, specific steps should have included:
1. Regular and secure off-site rotation and storage of data backup media, accompanied by procedures on how to retrieve media for restoring systems in the event of a disaster.

2. A mirrored website. This is an alternate live website that kicks in when the primary site fails, providing continuing service. This would require procedures to point the alternative website to an alternative data source to restore e-commerce functionality.

3. Redundant communications configurations to forward telephones to an alternate location, including cell phones, to handle customers’ needs during the crisis.

4. A “hot site” set up to provide for redundant hardware, loaded with current versions of business-specific software and with access to fresh backup data that could be restored in the event of a crisis. Such a site could be a remote client office location or that of a third-party vendor who specializes in this area. Side note: another option would be to fully outsource the physical “hosting” of all of the critical business information systems to a 3rd party who would maintain the systems in a highly-secured environment, allowing access to the systems over private internet connections.

5. More effective server room build-out. Specifically, locate servers and related equipment and backup media in a location less vulnerable to flood or other natural disasters.

Disaster recovery plans are critical, and businesses that invest time and effort in their creation, maintenance and testing will be rewarded in the event of disasters. Using a combination of internal business manager knowledge and input from outside advisers, a disaster recovery plan can be created to provide peace-of-mind and value to any business.

Adapted from an article by the above authors originally appearing in California CPA Magazine, 2005