This article appears in the AICPA Management of an Accounting Practice Handbook (American Institute of Certified Public Accountants).

Copyright (c)2005, Rothstein Associates Inc.

(Go to printable version of this article)

Introduction
All accounting firms are vulnerable to physical disasters. Some form of disaster generally happens at least once in the history of every firm. Physical disasters may be natural or man-made and may be caused by fire, flooding, tornado, hurricane, explosion, earthquake, freezing, civil unrest, terrorism, theft, or vandalism. Limited accessibility to the firm’s offices, whether from a storm or other regional event, could be just as devastating even in situations in which there is no physical loss or damage. Computer disasters may result from power surge, data corruption, software error, human error, or equipment failure.

      This article covers the importance of disaster planning and the steps in the disaster planning process.

The Importance of Disaster Planning
Until a disaster strikes your firm or that of a neighbor or colleague, you may have a false sense of security. But when disaster strikes, your firm’s preparation and preplanned ability to cope are critical in determining the extent of the damage or loss, and whether your practice survives. The consequences of a physical disaster could include the following.

• Loss of billable time and cash flow—A CPA’s inventory is time and, once lost, it cannot be regained. Redoing or reconstructing completed work products that have been lost, as well as time invested in the recovery process, may seriously impair cash flow.
• Lost records—The firm may not be able to reconstruct lost or damaged documents. Federal and state laws may hold officers liable for failing to protect vital files and records, and that includes client officers, not just officers of the accounting firm. In addition, clients may experience losses or delays. The result may be additional liability, loss of time, litigation, and even loss of dissatisfied clients as well as reduced ability to attract new clients.
  
• Lost equipment, furniture, and personal property—This loss can include computer equipment, office copiers, communications equipment, furniture, desks, books, reference materials, telephones, calculators, and supplies.
  
• Loss on leasehold items—This loss can include draperies, carpet, pictures, and other leasehold improvements, or even temporary or permanent loss of use of the entire office facility.
  
• Relocation and start-up expenses—This can include temporary quarters, moving of equipment and records, temporary equipment rental, extra staffing, and time and expenses associated with moving back once the regular offices are habitable, or a suitable replacement office is committed.

      Disaster planning is often viewed as a necessary evil – investing time and money in planning for an event that may never occur. In reality, a comprehensive disaster recovery program can add value to an accounting firm in many ways, including the following:

• Reduced financial, legal, and regulatory exposure
  
• Improved ability to smoothly handle disruptions ranging from operational glitches to full-scale disasters, resulting in increased billable time
  
• Increased client confidence (A carefully designed recovery program can actually prove to be a powerful marketing advantage.)
  
• Increased employee confidence and security, resulting in increased productivity
  
• Reduced insurance premiums
  
• And, above all else, a degree of peace of mind

      Disaster planning can help mitigate losses from actual disasters, or the circumstance of nondestructive events in the vicinity of your office that nevertheless prevent you from doing business. For example, if there is a fire or accident one street away from your office, the police or fire department may block access to surrounding buildings. Your firm may not actually suffer any direct damage,  but your business may nevertheless be disrupted. A hazardous material incident could force the evacuation of a large area, including your office. The key is to be prepared.

Back to top of page

The Disaster Planning Process

The following are three basic steps in the disaster planning process.

1. Assess exposure to various risks.
2. Implement strategies to prevent, mitigate, or recover from identified risks.
3. Prepare, exercise, and maintain a disaster recovery plan.

        The following is a typical list of priorities that must be established when planning for and coping with a disaster.

• Priority 1—Safety of personnel
  
• Priority 2—Safety of your clients’ files and records
  
• Priority 3—Safety of your own office records
  
• Priority 4—Safety of office equipment, furniture, and fixtures
  
• Priority 5—Preserve profitability and productivity

       These should be kept in mind as you go through each step of the disaster planning process.

Step 1 – Assess Exposure
The first step in preparing to face a physical disaster is to conduct an objective assessment of threats, vulnerabilities, and exposure to loss. This analysis, known as a Business Impact Assessment (BIA), is intended to ensure the following.

• Prevention—Preventable disasters are identified and avoided.
  
• Mitigation—Predictable, unavoidable potential disasters are identified so they can be explicitly addressed, such as earthquakes in southern California or hurricanes in South Carolina.
• Recovery—Contingency plans reflect prioritized exposures to loss.

       The assessment process begins with a survey of threats and vulnerabilities, known as a Risk Impact Assessment (RIA). The RIA process will produce a prioritized inventory of threats to “business as usual” and vulnerabilities. This analysis should be as broad as possible. Some of the areas of investigation may include the following:

• Physical threats and vulnerabilities such as fire, security, electrical power, flooding, natural hazards, neighboring or regional threats, and structural threats
  
• Computer and communications threats and vulnerabilities such as data loss or corruption, software or equipment failure, telecommunications outages, loss of access to computer, and loss of personnel
  
• People-related threats and vulnerabilities such as civil unrest, labor action, disgruntled individuals, sabotage, terrorist acts or industrial espionage
  

Step 2 – Implement Strategies
The best method of disaster control is always prevention. After all, why go through the pain, expense, risk, and aggravation of recovering from a preventable disaster? From the RIA process, high-priority threats or vulnerabilities will have been identified. If feasible, these should be corrected. If infeasible or not cost-effective, then coping, mitigation, or recovery strategies will be necessary. Sample strategies are listed below. These strategies are organized by strategies for general risks, strategies for specific physical risks, and strategies for information technology (IT) risks.

Generic Risks Strategies
General strategies to prepare for disaster include training staff, categorizing files, and purchasing insurance.

Train Staff
Have one or more staff persons trained and certified in emergency health procedures to administer first aid and cardiopulmonary resuscitation (CPR) to victims of accidents or disasters. Local hospitals, the American Red Cross, chapters of the American Heart Association, and emergency care consultants offer training courses for responding to such emergencies. The basic training programs usually consist of sixteen to twenty hours of intensive training covering CPR, injuries, shock, burns, and management of the accident scene. Also, contact your local fire department to have staff persons trained in fire prevention and the use of fire control equipment.
       These programs are an investment in the protection of lives and a defense against potential loss. Such programs can help improve employee morale, demonstrate management’s concern and interest in employee welfare, reduce insurance premiums, and contribute to community welfare.

Categorize Files
Categorize client and firm files and records as vital, important, or nonessential. Vital records are irreplaceable or almost irreplaceable. Important records are replaceable, but only at considerable cost. Nonessential records are not needed to continue in business. Consider all files and records, whether on paper, magnetic or optical media, microfilm, or other media.

Client Files.  Client files are generally vital or important. Vital client files include current working paper files and any files involved in firm or client litigation; originals may be needed by the courts or taxing authorities, or may have an intrinsic value, such as bearer bonds or wills.
       Important client files include permanent files. Maintain current working papers in fireproof cabinets, positioned near the center of the building and as close to wall supports as possible. This may prevent their falling into the floor below or into the street in the event of structural damage. Lock these cabinets when not in use so that if the floor collapses, the contents are less likely to scatter. The contents also have a greater chance of surviving a fire when the file cabinets are fire-resistant or fire-rated, although even the best fire-rated cabinets provide limited protection in a fire. Check the floor strength of designated file areas before installing heavyweight cabinets. Permanent files and noncurrent tax files are usually reconstructible from client or IRS records. Store these files in regular file cabinets or boxes, or at an off-site archival records retention center.

Firm Files.  For the CPA firm, vital records include accounts receivable, billings-in-progress, firm manuals, certain employee records, corporate or partnership minutes, significant contracts, and other irreplaceable original records. Store these and all basic records, such as monthly reports, employee contact lists, payroll information, and accounts receivable lists, in fireproof cabinets. It is also advisable to protect client lists and work-in-progress, internal forms, and a schedule of future engagements outside the office. Consider whether vital files or records are best stored in paper form or on diskette, and plan for the periodic review and updating of stored material so the latest version of the information is available in the event of disaster.
       Important firm records might include past tax returns for the firm, library collection, and other noncurrent firm records needed for firm business. Important files are often voluminous, and it might be impractical to store them in fire-resistant cabinets. Therefore, they are often maintained in regular cabinets in a nonflammable area or stored off-site. It may be more cost-effective to replace lost library materials than to back up the collection in off-site storage.
       A firm records retention policy is an important step in reducing the volume of document storage. Nonessential firm files include noncurrent word processing drafts and noncurrent correspondence. Consider purging these items since they are nonessential and increase the risk of fire. Personnel records for former employees may be purged after the statute of limitations is passed. Records relating to matters for which litigation is pending should be retained until the litigation is resolved.
       A firm should have a clean desk policy, especially for vital records, such that all files are returned to safe storage at the close of daily business. These records include client lists, employee names and addresses, accounts receivable, and unbilled work-in-process.

Back to top of page

Backup.  Since an accounting firm is highly dependent on date, most disaster planning focuses on the preservation of files and records. Since even a fireproof safe has survival limits, the most effective procedure is to maintain duplicate copies of at least all vital records at an off-site location. The firm should only maintain backup of the latest version of certain lists such as client lists and employee lists. Out-of-date records should be discarded. An alternative is microfilming records and storing the backup microfilm in a bank vault or other secure, accessible, off-site location.

Restoring Damaged Files. The following are procedures used for restoring water and fire-damaged files and records. Ideally, a restoration contractor should be consulted. The Disaster Recovery Yellow Pages™ is an excellent resource to locate restoration vendors.

• Protect client records and other office records from further damage by gathering them as quickly as possible and storing them in a secure place. This is important for preservation and for the protection of confidentiality.
  
• Establish an advance relationship with a professional document restoration contractor.
  
• Determine which documents to salvage or reconstruct during the first twenty-four hours—this can prevent mold and bacteria from developing. Consider which original documents must be preserved (for example, original contracts and negotiable financial instruments), and prioritize these separately from documents whose information content is important and those that simply need to be copied.
  
• Stabilize important water-damaged papers by freezing them immediately. Use an ice house if necessary. Make arrangements to have them freeze-dried by a local records restoration service or by a taxidermist.
  
• Fire-damaged papers should only be handled by professionals trained in document preservation.
  
• Partially damaged files can be photocopied or photographed.
  
• Establish procedures for restoring files. Consider all sources of information, such as clients, off-site storage, the IRS, clients’ attorneys, or other offices.
  
• Do not discard anything until you are sure there is no reasonable way to save it. If the damaged record may be used in litigation, do not destroy it. You should consult your attorney before destroying any files.
  
• Monitor the progress of your reconstruction efforts closely.

Purchase Insurance
Adequate insurance coverage is necessary to the survival of a firm. Disaster insurance should include the following:

• Replacement cost for building, equipment, and furniture
  
• Valuable papers
  
• Business interruption and extra expense
  
• Legal liability

       Review each aspect of the insurance policy periodically, especially during periods of rapid growth and changing values. When discussing valuable papers insurance with your agent, make the following inquiries:

• Does the policy restrict coverage to papers stored in fireproof cabinets?
  
• How is coverage on valuable papers determined? By the cost of the paper or by the cost to reconstruct the document?
  
• Is the insurance company financially stable? Ask your agent to provide a current rating from at least one of the major insurance company rating organizations.
  
• What is the carrier’s reputation? Ask for references, preferably from policyholders who have had to file claims.

      It may be advisable to have a knowledgeable attorney review the policy to ensure that your understanding of the coverage is consistent with the policy wording.
       If a disaster occurs, carefully log all time spent reconstructing documents as evidence of an insurable loss. Also, discuss the necessary documentation for business interruption insurance; otherwise, the amount of loss can be difficult to substantiate. Important documentation includes monthly firm budgets of projected revenues, evidence of prior billings, and billings-in-progress. It is important to demonstrate that you met your budgeted goals in every month except the month in which the disaster occurred.
       Consider obtaining additional liability insurance if your firm shares a building with other tenants. Should a fire attributable to negligence originate within your offices, your firm may face a lawsuit. You may also assess neighboring office spaces for potential hazards.
       Insurance coverage is only as good as your ability to prove your loss, and therefore, you must prepare and maintain an inventory of office contents. Include not only office furniture and fixtures, but also a list of the base stock of supplies, considering any seasonal factors that might apply, and a record of the library volumes and their approximate value. Have each employee list personal items located in the office and include an estimate of their value. Photograph all extremely valuable items. It should be noted, however, that some insurance policies do not extend coverage to employee-owned items that are in the office.
      Do not keep original insurance policies and insurance-related documentation at the office. Use a safety deposit box or some other secure off-site location to store policies and insurance documentation. A final note on insurance—keep your insurance current and do not let it lapse. Be familiar with your insurance policy and ensure continuous coverage, regardless of when the loss occurs and when the claim is made.

Back to top of page

• Employees
• Customers
• Suppliers
• Press
• Stockholders
• Financial markets
• Neighboring businesses
• Community emergency services (police, fire, ambulance, civil defense, building inspector)
  
  It is helpful to draft prepared statements which can be tailored when needed, and to prepare preformatted, fill-in-the-blanks communications in advance. Be sure to consider what messages you want to emphasize – for example, you may want to emphasize the firm’s mission, commitment to clients and the community, and your commitment to continue to serve those clients despite the circumstances (with a realistic explanation of how that service may be affected by the disruption).

Identify a Spokesperson. A spokesperson (and backup) should be identified in advance. The spokesperson could be a senior executive, a marketing manager, an attorney, or even an outside public relations firm.

Using a Consultant
Many firms utilize external consultants for business continuity planning. A consultant may provide partial or turnkey plan development; or, provide coaching and training. In selecting a consultant for business continuity, consider these factors:

• Professional certification from the Disaster Recovery Institute or Business Continuity Institute
• Relevance of experience – for example, types of firms, technology environments, focus on business or technology operations, emphasis on crisis management
• Depth of relevant experience
• References from similar clients
• Flexibility of engagement – for example, does the consultant require use of a specific software package, or only follow a single methodology which may or may not fit your firm’s requirements?
• Cost and billing structure – fixed-fee or time and materials
• Backup resources – if the principal consultant is unavailable.

Business Continuity Software
Dozens of software tools are available for business continuity and disaster recovery planning, ranging from $100 or so up to tens of thousands of dollars. A continuity plan may be documented with nothing more than off-the-shelf word processing, spreadsheet, charting and database software, but prepackaged business continuity tools or templates may prove worth the investment.

• They generally provide a fill-in-the-blanks framework  so you are less likely to miss something important
• A lot of the material you will need to document will be included in a form you can edit or adapt rather than writing from scratch
• Most tools or templates include guidance on developing the plans and procedures.

Many software tools and templates are documented at http://www.rothstein.com/data/index.htm.

Back to top of page

Specific Physical Risks Strategies

Specific risks to consider include electric power risks, fire risks, and weather catastrophe risks. Each is discussed below.

Electric Power Protection
Power sources for computers and other electrical equipment must be protected from blackouts, brownouts, and voltage swings.
       The first step when purchasing a power protection unit is to analyze the equipment you want to protect. Specifically, how critical are the data provided and how much downtime is tolerable? How sensitive is the equipment to power fluctuations, and how costly is the equipment to repair or replace?
       UPS (uninterruptible power supply) units and SPS (standby power supply) units are sized relative to the equipment they protect. UPS units may serve a single workstation or an entire computer room. Remember to inventory power protection needs for important noncomputer equipment such as fax machines, network and communications gear, and security systems.

       Keep in mind that backup UPS or SPS power for essential equipment will only be effective if everything associated with (or necessary for access to) that equipment is powered¾building lighting, emergency exit lighting, heating or cooling, elevators, water supply, security systems, and so on.
       There are a variety of power protection units on the market. Consider the following.

• Surge suppressors protect against voltage spikes and surges. These units should meet the UL Testing Standard #1449 for surge suppression. Replace surge suppressors periodically, as their effectiveness may diminish over time with repeated exposure to power surges.
  
• Uninterruptible power supply protects against glitches, sags, surges, and dips. These units operate online, regulate incoming voltage, and maintain continuous battery power for several minutes during a short-term outage or until a standby power supply is active.
  
• Standby power supply protects against extended outage. The source of power can range from batteries to diesel or turbine generators and may power selected equipment or an entire building.
  
• Alternate power sources. If power delivery from your utility company could be a problem¾overhead wires vulnerable to damage, for example¾consider contracting for an alternate power supplier with independent delivery facilities. Availability is limited to specific regions and locations.

Fire Protection

• Have your building frequently inspected by a professional or by an employee trained in fire prevention.
  
• Look for fire hazards in the vicinity of your building, as well as in other tenants’ areas of your building. For example, a second floor office in a building in which the first- floor occupant is a paint store or restaurant may not be an ideal location.
  
• Work with building management to identify at least two evacuation routes, make fire exits easily accessible, and clear all passageways of obstruction. Familiarize employees with evacuation routes.
  
• Install and regularly test fire detection devices with remote monitoring and fire extinguishers.
  
• Hire an experienced contractor to conduct thermal scanning of electrical power supplies and breaker panels, as well as to inspect for proper grounding of electrical equipment.
  
• Give special consideration to protecting employees who are handicapped.
  
• Protect vital records using appropriately fire-rated vaults, or storing those records (or backups) off-site.
  
• Whenever possible, use flame-retardant fabric for draperies and upholstery.
  Ensure that sprinklers are installed.

Weather Catastrophes Protection

• To mitigate weather catastrophes, locate in an area or building that offers the best protection from weather disasters common to the region.
  
• Locate important equipment and records where they are least likely to be damaged by weather. For example, raise equipment, files, and electrical components well above the level of potential flooding.
  
• Do not assume employees will be able to get to the office in severe weather.
  
• Consider that employees as well as clients may be directly affected by severe weather or other regional events. You should consider not only that their availability may be limited to help with recovery, but you may also want to incorporate provisions into your recovery plans to assist employees or clients who may be in need of help.
  
• If necessary, have lightning protection installed by a certified professional.

Information Technology Risks Strategies

There are several steps to creating an IT recovery plan. These steps are outlined below, followed by a list of strategies.

Steps in Creating an IT Recovery Plan
Once the threats to a firm’s IT system have been identified, there are eight steps in creating a recovery plan, as follows.

1. Chart the workflow and include hardware, software, and personnel requirements. Note that this analysis must be updated each time any of these factors changes.
   
2. List, and then prioritize, the application systems based on the unacceptable period of unavailability. Keep in mind that not every resource or function is going to be needed instantly. Often, considerable savings may be found by deferring the restoration of nonessential resources or functions. Remember that priorities may change at different times, such as at the end of a payroll period, or around a major tax filing deadline. A typical prioritization scheme might look like the following, for example.
   
   

   Priority one (or vital systems) are necessary to keep the firm in operation and must be restored within forty-eight hours. Priority two (or important systems) are necessary, but not immediately, and can be phased in gradually within a week. Priority three (or nonessential systems) are not necessary for thirty days or longer.

   
   
3. Outline a database management system. Specify in what order and how soon data must be available.
   
4. Identify what backup files to create. Outline how often and how many generations to save. One generation is insufficient; three generations is preferable. Backup files should be cycled to a secure, off-site location to ensure their usability in the event of a facility disaster. Separate archival backups, which are required for regulatory or business requirements, from disaster backups, which should always be stored in a secure, off-site location.
5. Define the minimal configurations needed to function, and then determine the following requirements.
   
   

   Hardware—Record needed equipment including workstations, plus required electrical power supply, cabling, and air conditioning. Software—;Keep extra copies stored off-site by copying the original in accordance with licensing arrangements. Be sure to check for processor serial-number dependencies embedded into some software products. Personnel—List who is responsible and what are the staff requirements and alternates. Communications—Compile needed telephone lines, data lines, modems, routers, hubs, multiplexors, and other data equipment. Forms—Store a supply of frequently used forms off-site. Refresh this inventory periodically. Facility—Decide the minimum square footage requirements. The IT recovery site may or may not be in the same location as the office recovery; consider network connection requirements. Determine electrical power load and air-conditioning requirements.

   
   
6. Identify vendors and contact them to discuss in advance their response during an emergency. List contact names and telephone numbers, including after-hours and weekend coverage, and include copies of agreements and contracts.
   
7. Select the data backup method most likely to be effective when required for recovery. Keep in mind that the data backups must be (a) quickly moved to another location which is not subject to the same threats or vulnerabilities; (b) secure and protected from loss or disclosure; and, (c) accessible and usable when needed. Many commercial record center vendors provide inexpensive pickup, secured storage, and emergency delivery of data backups. The most comprehensive directory of commercial off-site data storage centers is contained in The Disaster Recovery Yellow Pages™ (Systems Audit Group, 2000).
   The following are are the numerous backup methods that are available.
   
   

   Floppy disks—These are the simplest, cheapest for small files, but the most time-consuming, least secure, and least reliable. Magnetic tape cartridges—Some can perform backups automatically at preprogrammed times. Hard disks—Make sure they are removable. Optical disks—These must be CD-ROM and CD-Rewriteable. Electronic vaulting—This involves the transmittal of backup data files to another location, whether it is a commercial e-vaulting provider or another firm office.

   
   
8. Develop a system to periodically review the plan and, if necessary, amend it to reflect changes in hardware, applications, or personnel.

IT Disaster Recovery Strategies
Consider the following strategies, which can be combined and adapted.

1. In multi-office firms, be sure that each office has the capacity to carry the critical workload if one office experiences an IT disaster. This decentralization is only effective if the facilities are geographically separated; otherwise, they run the risk of experiencing the same disaster. The procedures and structure to effect recovery at an alternate office should be carefully validated and documented.
   
2. A reciprocal agreement with another CPA firm is another backup method. One serious flaw with this strategy is that it is often an agreement made on a handshake and with little or no thought given to implementation. Experience has shown that reciprocal agreements almost never work in practice. There are draft contracts that formalize reciprocal backup agreements and help clarify the following:
   
   

   Requirements to notify parties of any change in hardware configuration Requirements to notify parties of any change in available computer time Definition of testing to confirm compatibility Provisions for a locked file for confidential records Provisions for ready access to facility Identification of persons qualified to invoke the agreement This strategy is inexpensive, but it is often difficult to maintain since it is affected by changes in either system. Also, if the reciprocal firm is in your area, the agreement may be useless if you share the same disaster.

   
   
3. Commercial recovery site vendors provide access to hot sites, which are completely equipped computer and communications recovery facilities along with supporting resources, trained personnel, and work areas for firm employees. Hot sites are accessible by a subscription arrangement contracted in advance of a disaster. Costs may include monthly subscription fees, declaration (activation) fees, and daily site usage costs.
   Cold sites and warm sites are variations of hot sites providing a minimal or partially equipped computer recovery shell facility. Costs for cold sites or warm sites tend to be lower than hot sites, although recovery time is longer since equipment must be obtained and installed.
4. Quick ship recovery services provide replacement computer and networking hardware rapidly, typically within twenty-four to ninety-six hours after notification. The equipment must then be installed, configured, loaded with software and data, and validated before use.
5. Mobile recovery service providers can deliver a self-contained computer room on wheels, with or without the computer equipment. One advantage of this option is that the computer recovery can take place wherever it is most desirable¾whether near the original facility, or at another recovery location. The chief disadvantage is that the delivery and startup time for mobile recovery may take a week or longer from notification.

Step 3 – Prepare a Disaster Recovery Plan
Firms should develop, document, and circulate among employees a disaster recovery plan, which new employees receive as part of orientation (as a summary if the complete plan is too detailed for all levels of employees). Whether or not a firm is able to obtain business interruption insurance, this documented plan is essential¾business interruption insurance is a supplement, not a substitute, for a prudent, tested recovery plan.

Disaster Recovery Team

An important, early step in the preparation of the disaster recovery plan is the appointment of the disaster recovery team and the disaster recovery team leader. The team leaders and members should each have designated backups who are also familiar with the plan. The team leader may be a senior executive, or, more commonly, an individual who is in a position to devote enough time to the disaster recovery program to be the de facto expert. The team leader must have the skills and experience to manage and coordinate efforts at all levels of the organization, including senior management and external resources.
      Team members may have one or both of two roles: development of the plan or execution of the plan during an actual disaster. Team duties include the following:

• Gathering and analyzing the information needed to create the disaster recovery plan
  
• Designing and recording the plan for distribution to all employees
  
• Training employees in any skills (for example, CPR) necessary to fulfill the plan
  
• Conducting disaster drills and spot checks to ensure that backup procedures are being followed
  
• Revising the plan as changes occur within the physical structure or environment, internal operations, business needs, or client base of the firm
  
• Pre-assigning roles, responsibilities, and authority in the event of a disaster
  
• Coordinating the plan with local emergency and medical services, insurance carriers, landlord, security services, and backup facilities
  
• Identifying key vendors, suppliers, and other contacts
  
• Responding to a disaster declaration and executing the plan

Possible disaster recovery team members may include:

• senior officer
• finance/accounting manager
• human resources manager
• facilities manager
• IT/technology manager
• Telecommunications specialist or manager
• Business area or department managers
• key supplier or major customer representatives

Contents of the Plan

The disaster recovery plan document should be terse, readable, and actionable. The more concise and targeted, the more likely it will be maintained and used.
       The first step of any disaster recovery plan is the declaration or activation of the plan. The individuals who are authorized to invoke the plan should be identified, along with the initial steps that are essential. Often, these steps must take place quickly, even before the full recovery team has arrived.
       There are numerous published resources, guides, books, software tools, and templates for both business recovery and IT disaster recovery.
       Regional and national organizations offer workshops, conferences, and seminars, which can be valuable resources for disaster recovery education and tools. Consultants provide a range of expertise and services and can be particularly valuable in assessing risk and exposure, as well as in designing an appropriate recovery strategy. More important, a seasoned consultant can bring their experience with comparable firms so that wasted effort or investment are avoided and, more critically, the resulting disaster recovery plan is likelier to work when it is needed most.
       “Sample Outline of a Disaster Recovery Plan” below contains a sample outline that is a very general guide. All disaster recovery plans must be researched and tailored to each firm and to each specific location, and each task listed would require specific, detailed information, for example, “Call an ambulance” might include the 911 number and an alternate number for the local fire rescue squad or hospital.
       “Emergency Supplies” below contains a list of supplies which could prove useful during a business disruption. These supplies may address

• personnel needs, including safety and comfort
• temporary business operations
• relocation or operation at a temporary location.

Review the Plan

All partners and staff should be familiar with the emergency plan, and all details should be rigorously enforced. Should a disaster occur, this plan could help ensure employee safety, provide an organized recovery, limit firm losses, provide evidence of prudent business practices, and speed business recovery.
       The documented plan should be frequently reviewed and updated. On a regular basis, the plan should be exercised. A basic exercise may consist of a tabletop walkthrough, in which the participants talk through the plan in a conference room and look for inconsistencies, inaccuracies, problems, or unrealistic assumptions; a drill, in which participants walk through the recovery process, following the steps outlined in the plan document; or a full-scale exercise, in which the recovery process is activated based on assumed conditions (subject to reasonable modifications to ensure that real business is not directly affected).

Special Needs
The Americans with Disabilities Act of 1990 (ADA) requires that employers, public services, and public accommodations and services operated by private entities modify their policies and procedures to include people with disabilities. During a business disruption, there are extra consideration to protect people with disabilities, as well as considerations to enable people with disabilities to function effectively in their roles within the organization.

See http://www.rothstein.com/links/links.html for links to web resources addressing Disaster Preparedness for People with Disabilities.

Sample Outline of a Disaster Recovery Plan for a Small Office

I.  Medical Emergency Information

    A. Medical Emergency Procedures

1. Call an ambulance.
2. Find the nearest person trained in CPR or first aid.
   
3. Send someone to the parking lot to meet the ambulanc
4. Do not move the patient unless failure to do so would be life threatening.
5. Have the firm spokesperson, [name or alternate name], notify family members of any injured persons.

III  Emergency Response Procedures

   A.   Notification Procedures

1. External           
   List telephone numbers of ambulance services, police departments, fire departments, hospitals, utilities, landlord, emergency contractors (for example, for plumbing, electrical,, heating/cooling systems, emergency smoke/water cleaning and drying services), and the phone companies serving the business. An alternative communication plan should be devised in the event of a disruption in telephone service. Transportation services to move people as well as equipment or business records, including taxis, car rentals, trucking services, should be identified.
   
2. Internal
   List the names, addresses, home telephone numbers, pagers, cellular numbers, and names of contact relatives for all employees. Home and alternate addresses can prove useful when phone service is disrupted, as well as to arrange employee transportation. Staff will need to know when and where to report to work. Large firms can organize this information into call trees, which are charts showing who to notify first, then who each employee should notify, and so on. Area radio stations may provide brief announcements of company closings or other instructions for employees. An answering service or call center provider can also be contracted to provide for emergency telephone contact and delivery of instructions to employees. Consider that confidentiality or privacy issues may limit what information about individual employees may be gathered or published; employee consent may be required.
   
   
3. Clients
   Coordinate communication with all clients to inform them immediately of any temporary location or a reopening date and to assure them of your continued ability to service their needs. This can be done by personal telephone calls, mail, email, fax, or print advertisements. If necessary, transfer incoming calls to another number. Have a partner available to handle essential calls, or use an answering machine or message service to request that clients leave their telephone numbers for you to call back. Ideally, arrange for call forwarding or an answering service as a part of your regular telephone system, so that if an emergency situation occurs, client calls will not be lost. Follow a similar procedure if informing vendors and regulatory or governmental agencies of a disaster.
   
4. Vendors and Suppliers
   Put key vendors and suppliers on notice of your situation as soon as possible, and advise them about what support you may require of them. They are far more likely to be responsive with reasonable advance warning. These vendors should be consulted during development of the disaster recovery plan, and contracts should be reviewed to ensure emergency or contingency situations are addressed.
   
   
5. Insurance
   Notify insurance carriers and your attorney as soon as possible. Include contacts and telephone numbers, and have copies of contracts maintained off-site. Your disaster recovery team should oversee the recovery process and compile documentation of the nature and extent of the loss.

1. Damage to computer hardware
2. Damage to firm’s office
3. Regional damage

1. Equipment and Software
   Record and regularly update a listing of all hardware, software, and network connections, including serial numbers, registration numbers, versions, and installation or customization specifications; also include those items maintained off-site. Maintain copies of essential manuals and documentation off-site.
   
   
2. Vendors
   Discuss in advance with vendors their response during an emergency. List contact names and telephone numbers (including after-hours and weekend coverage), and include copies of agreements and contracts.
   
   
3.  Plans for Protection of Computer Application Systems
   The key to application systems disaster planning is to identify and provide for immediate restoration of systems critical to the firm’s survival. This is accomplished by prioritizing the firm’s systems by unacceptable downtime.

Emergency Supplies

• First aid kit
  
  
• Flashlights with spare batteries
  
  
• Battery-powered weather radio and battery television
  
  
• Spare cell phones with charged batteries (checked and recharged regularly)
  
  
• 2-way radios
  
  
• Food and water for an extended stay if unable to leave the office, or for use in a temporary location
  
  
• Sanitation supplies
  
  
• Petty cash
  
  
• Area maps and phone directories for local services
  
  
• Toothbrushes/toothpaste, mouthwash, personal hygiene supplies
  
  
• Office supplies which may be needed if power is out
  
  
• Pre-printed forms, including forms used for normal business operations; forms which may be necessary to conduct business manually; purchase order forms
  
  
• Basic tools
  
  
• Medication and supplies for individuals with special medical needs
  
  
• Plastic sheeting or tarpaulins, duct tape, plastic bags to protect business records, equipment and furnishings from water or smoke damage
  
  
• Work gloves, spare/disposable clothing, breathing masks
  
  
• Basic cleaning supplies such as paper towels, mops, wet/dry vacuum
  
  
• Cots, blankets

Site Map | The Rothstein Catalog on Disaster Recovery | The Rothstein Catalog on Service Level Books

Contact Us | Management Consulting Services | Business Survival Newsletter | Original Feature Articles

Disaster Recovery Forum | Today's Industry News | Links to Industry Web Sites | ‘Keep Me Posted’ | Privacy Policy

E-mail Rothstein Associates Inc.