Preparing for a Disaster
Is it likely that your business will ever be interrupted by a chemical spill? Thankfully, the answer is probably no. In fact, statistics show that there is a low likelihood that a company will experience a natural disaster. It is much more likely that a business will be interrupted by a hardware failure, a virus, a software malfunction or human error.
Regardless of the type of disaster, it is obvious that the loss of a network server, a phone system, access to your building or internet connectivity can dramatically impact a business. It might even put you out of business permanently. To protect your business, you need to have a written Business Continuity Plan and Disaster Recovery Plan.
Is your business prepared?
A BCP, a DRP and Me?
Business Continuity Planning is defined by Wikipedia.com as, "The creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. In plain language, BCP is working out how to stay in business in the event of disaster."
Disaster Recovery Planning is defined by Wikipedia.com as, "The process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster."
Most firms make the mistake of having their IT department build a disaster recovery plan and then assume that they are protected. In my opinion, a DRP is not enough. A company needs a BCP to protect the business and a DRP to protect the company's technology infrastructure.
Building Your Plans
The process of developing comprehensive Business Continuity and Disaster Recovery Plans often seems like an overwhelming task. The natural reaction is to ignore it and hope you never need one.
The process of building a BCP and DRP includes the following:
Getting Started - The process of building your plans starts with management committing to the project and assigning a task force that includes employees from all departments. The task force should determine their overall objectives and develop a timetable for building their plans.
Risk Assessment - The process of assessing risk includes determining the company's critical assets and the threats that could impact them. Each department in the company should assess their assets and determine which are critical to the organization. Finally, management must determine the acceptable levels of risk. This is expressed in terms of maximum allowable downtime (MTD) and recovery time objective (RTO).
Business Impact Analysis - The task force must determine their company's critical business processes and the impact of potential disasters. As they look at each process, they must define the required resources, threats and the related MTD.
Building Your Plans - Using the information gathered in the preceding steps, the task force will build a plan that includes the following:
- Contact information for disaster coordinator(s)
- Contact information for critical IT personnel
- Off-site or hot site information
- Reciprocal process agreements
- Employee emergency contact information
- Call team procedures
- Hardware and software inventories
- Recovery procedures
- Clearly defined roles
- Chain of command
- Customer information
- Vendor information
- Temporary location information
Implementation - Once the plans are built, it is critical to test them. The task force should define the methodology that will be used to test the plan and how they will document the results. The plan should be updated to reflect findings of the testing process. Finally, the plan must be approved by management. The implementation process must also include employee training.
Maintain Information Off-Site - It may seem obvious, but it is worth noting that copies of your BCP and DRP should be kept off-site. After conducting CPA firm surveys, I have found that many write their plans and store them in the office. If possible, the off-site copies of the plans and the supporting information should be stored in both electronic and paper formats. The paper copy may be helpful if you are without electricity or internet access.