Disaster and Contingency Planning: A PRACTICAL APPROACHPublished by Dennis Duitch, CPA, MBA, Advisor, Mediator
The fundamental objective of disaster and contingency planning is business continuity — keeping operations running, providing professional services, maintaining client confidence, maintaining regular cash flow and similar strategic activities for survival.
Being realistic about the exposure levels in such areas, and the degree to which commensurate risk avoidance merits current energy and expense outlay, is typically the greatest impediment to developing a formal protective plan. We find a surprising number of companies operate “bareback” in this dimension of their business simply because they don’t have a starting point. The focus of this article is provide that jumpstart.
A disaster and contingency plan involves three stages: defining the risks and objectives, determining proactive preventative steps to minimize exposure and then developing a reactive plan for damage containment.
First Stage: Define the Greatest Risks to Business Continuity
- Define and quantify what “normal operations” during a disaster might be.
- Define essential business functions and prioritize those which should/must be kept running.
- Quantify short-term and long-term parameters (e.g., three days out of business versus seven days versus ten days, etc.) and determine the degree to which immediate coverage is critical, versus what could wait, depending on time (out of your facility, without computers, etc.).
- Develop procedures to safeguard interim data, both securitywise and retentionwise, during the disaster.
Second Stage: Evaluate Preventative Steps
- Consider programs and policies that could be taken proactively to prevent or lessen the probability of a disaster or its impacts.
- Define the role of employees in day-to-day functions toward following such preventative polices.
- Engage competent consultants to assist in formulating and implementing a plan.
Third Stage: Develop a Plan for Organized Response and Damage Containment
- Select an appropriate planning team.
- Identify critical response activities.
- Outline responsibilities of the coordinator, owners and management to execute the plan.
Five checklists have been summarized to guide you toward the most critical starting point–asking the right questions! These are certainly not all-encompassing. Each step of the process will be focused better or worse only with reference to your particular business circumstances. As difficult as it would be to predict the number of days your office might be shutdown as a result of a disaster would be predicting the type of disaster or building a plan to cover every conceivable disaster.
Keep a Pragmatic Perspective
In the authors’ experience, keeping practical issues foremost in mind will be key to whether a plan is ultimately workable. Key considerations include:
1. Focusing to keep the business running, not just the computer running. Don’t get caught up in the computerization as the driving force for the plan. Business continuance is the goal (which in most cases mandates keeping the computer running, but is only one aspect).
2. Addressing only those items which are pertinent and realistic; discarding any highly unlikely disasters.
3. Assuring that functional managers become architects of the plan, and intricately involved in the interim processing areas and functions.
4. Limiting the scope of the plan to those functions which impact the stated goals and objectives of the plan (cash flow, continuance of client service, etc.).
5. Writing the plan as “guidelines” rather than in excessive detail; the plan’s purpose is to guide during a disaster, not to be used as a step-by-step manual.
6. Identifying alternate manual procedures to support critical functions normally handled by computers. We all can live without a computer for at least a few days. Certainly, manual processing is less efficient, but this is about short-term survival. An example would be instructing staff to do time sheets manually on a weekly-versus-daily basis to be tallied manually for billing/payroll purposes. To accomplish this particular process, you would, for example, keep at least the following items offsite: n Packet of manual time sheets; n Client list (updated periodically with addresses; nAccounts receivable ledger (updated periodically);
7. Recognizing that inefficiencies will be the norm during a disaster, accept this up front, knowing that the problem is only short-term.
8. Keeping costs initially at a minimum; reciprocal agreements and alternate “hot” sites may depend on the outlay of funds; however, these types of decisions come at the back end of the plan, not the beginning.
9. Making it simple and keeping it simple.
10. Using professional advisors to assist in focusing on the big picture and to assure that important aspects don’t get inadvertently overlooked.
Checklist I: Determine Essential Business Functions
A. Ask the question of key personnel: How long can you be without your computer for these critical functions?
- A/P and disbursements
- A/R and collections/bank functions
- Billings and work in progress
- Word processing
B. Gather alternate paper/manual ways to perform these functions short-term versus long-term.
C. Determine what types of forms or information need to be taken ”offsite” to continue these functions, and for how long these functions should continue.
D. Determine what department personnel are needed to perform these functions.
E. List all functions in order of importance (keeping in mind the goals/objectives of the plan) for prioritization guidelines.
F. Review needs in response to each function (e.g., client files required, copies of current workpapers, etc.).
Checklist II: Organize and Gather Information
A. Organization chart
B. Office locations and pertinent information
- Post office phone numbers and information
- Local police department numbers and data
C. List of critical and useful numbers (home numbers, too)
- Messenger service
- Insurance agent and policies
- Building personnel
- Building security
- Other full floor tenant mangers
- Emergency contact numbers on file
D. List of emergency contact numbers of facilities workers (preapproved by your lessor)
- Carpet Cleaner
- Paper drying services
- Sprinkler repair person
E. List of critical equipment, office supplies
- Vendors, with applicable reorder numbers
- Important forms for quick printing
- Printers with current letterhead and logo information
- Essential furniture (six-foot tables, folding chairs, etc.)
- Potential vendors and resellers
- Operating equipment (calculators, copiers, etc.)
- Computer program information
- Computer hardware/network configurations and information
F. List for emergency preparedness
- Flashlights for all offices without windows
- Water, food and blankets
- Toilet facilities and tissue
- Communications equipment
Checklist III: Protecting Communications
A. Develop phone tree.
- List key personnel.
- Prepare employee polices, with whom to call during the emergency.
B. Update and distribute company phone directory (including car/cellular phone numbers).
C. Gather information on current phone system (including voice mail).
- Data configurations
- Forwarding and communications backup plan
- List of all vendors and critical phone numbers
- Determining contractually agreed upon response time
D. Understand how the phone lines work.
- Capacity for outside answering service
- Direct inward dial system versus two-way lines
- PBX bypass system
E. Gather information on alternate phone equipment.
- Use of cellular of portable phones
- Between-floor communications
- Emergency phone forwarding to new or alternate number
F. Investigate an out-of-state (800) number for employee.
Checklist IV: Protecting Primary Work Space
A. Review insurance policies for appropriate coverage.
- Earthquake amendments and/or sprinkler damage
- Valuable paper coverage
- Alternate site storage as named insured
- Employee policies for documents left overnight in autos/home
B. Determine what work areas and sectors are most important.
- Which personnel could work at home or in alternate environment
- Equipment needs (fax, copies, printers)
- Listing of vendors for equipment lease or purchase
- Computers and programs and who needs what
C. Determine space needs for short-term versus long-term recovery (utilizing definitions).
D. List alternate sites for recovery.
- Buildings in area
- Contact and list applicable brokers.
- Contact and list applicable areas.
- Contact building manager for current building space availability.
- Reciprocal agreements with other firms.
Checklist V: Protecting Computer Processing Ability
A. Prepare responsibility and execution list for all MIS personnel (including those ancillary to the department).
B. Back up of data.
- Prepare, review and test normal operations backup and security plans.
- Review where backup is stored.
- Periodically test backup data.
- Perform periodic software backup.
- Determine and list all software applications now in use.
- List name/versions/vendor/replacement price (if applicable).
- Indicate users/level/importance of software.
- Indicate whether software has had special modifications.
- Prioritize software regarding installation (utilizing short- term versus long-term definitions).
- Determine and list other companies who use the same type of special software for possible alternate use agree ments.
D. Computer hardware
- Compile and maintain current inventory lists.
- Compile minimum offsite requirements (short-term recovery) and maximum requirements (long-term recovery).
- Compile list of potential vendors for quick-ship equipment and/or leasing equipment.
- Prepare priority list (which systems are up and running first).
- Compile list of outside contractors and data entry operators.
- Compile list of data equipment movers for potential site relocations.
F. Review office for preventative measures.
- Surge protectors in use
- Employee compliance with network policies and procedures (backup an data control).
- Safe equipment placement (i.e., computers on desk, not the floor).
- Equipment covers in use to prevent water damage.