Business Continuity Planning

Why Plan for Disaster Recovery?

The simple answer is that if you don’t, you may be in for a nasty surprise. In fact, there are many good reasons why you should plan:

  • You may be required by law to set up a Disaster Recovery Plan;

  • Your business may fail if you do not properly plan how to recover from disaster;

  • Proper planning protects your directors from liability and your investors from financial loss; and

  • Disasters happen. They are a very real risk to the operation of your business.

Disaster May Doom Your Business to Failure

A business that is unprepared for a disaster will be struck down hard if one strikes. For example:

  • Some 70% of businesses fail within a year following a major IT disaster, if they do not have a valid recovery plan in place;
  • Of those that do survive only 10% make a full recovery; and
  • Without a plan, recovery is slower, resulting in loss of customers, sales revenue and shareholder confidence.

Protecting Your Directors and Investors

If your firm is not prepared for disaster when it strikes, your directors may be liable for failing to do their duty. A proper plan will protect them and clearly show that no matter what the outcome, they did their job.

Minimizing the impact of a disaster and ensuring that your company is back in operation as soon as possible will ease the loss felt by investors. Just knowing a plan is in place will also encourage them to continue to support the firm.

Disasters Happen

September 11 is the clearest example of how disasters can come, quite literally, out of the blue. Any firm that’s been caught off guard by a hurricane, forest fire, sabotage or postal strike knows that the it-won’t-strike-me mindset just isn’t good enough.

The list of potential disasters is alarming. Here are just a few:

  • Storm
  • Fire
  • Employee strike
  • Tornado
  • Hurricane
  • Flood
  • Malicious employee sabotage
  • Hardware failure
  • Software failure
  • Virus
  • Theft

"Repeated acts of terrorism on American soil are almost certain to occur in the future. Corporations must now prepare for an expanded scope of risks."
Bruce T. Blythe and Terri Butler, Contingency Planning and Management Magazine, July/August 2003.

Any one of these could bring your company down unless you have a thorough and tested recovery strategy.

Where Do You Start?

So you know you have to do something to plan for the recovery of your firm in case disaster strikes, but where to start?

First of all, recognize that a good Disaster Recovery Plan is intended to help your company survive a disaster and get back to business in a reasonable time. This means that the goals of your Plan should be to:

  • Identify where the weaknesses are and set up a program to try and prevent them;
  • Minimize the length of time that business operations would be seriously disrupted;
  • Help to co-ordinate all the recovery tasks; and
  • Make the recovery effort as uncomplicated as possible.

Secondly, use proper strategies to help you develop a Plan that works. Emphasize the following:

  • Ensure management knows that a total effort is needed to develop and maintain an effective plan;
  • In addition, management must be committed to supporting and taking part in this effort;
  • Define your recovery requirements in terms of business functions;
  • Document the impact of an extended loss of operations and key business functions;
  • Focus on preventing a disaster and minimizing its impact as well as business recovery;
  • Select teams that will give you the balance needed to develop a proper plan;
  • Develop a continuity plan that is easy to develop and easy to maintain; and
  • Define how to integrate continuity planning issues into ongoing business planning and system development processes to ensure the plan is viable over time.

Remember that senior personnel from Information Systems and user areas must be involved to make the planning process work.

Finally, use the right tools for the job. This will help you to cover all contingencies as much as possible and minimize the impact of a disaster on your company.

Want More Information?

If you have any questions about business continuity planning or disaster recovery planning, contact us.

Legal Reasons to Plan for Disaster: Sarbanes-Oxley and More

The legal case for setting up a plan to help your business recover from a disaster is very strong. This is especially true with the advent of the Sarbanes-Oxley Act, which tightens the rules that govern corporations and ensures that the heads of those corporations follow the rules.

Under Sarbanes-Oxley, the CIO of a firm has become a key player because it is his job to make sure that IT meets process and internal control requirements. In particular, Section 409 of the Act appears to require real-time reporting of critical information that could affect the performance of a corporation:

"Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest."

Planning, reporting and IT requirements have become crucial, not just for corporate survival but also for making sure you play by the rules of the game. Their continued operation must be protected.

Sarbanes-Oxley is only the most recent of many regulations strongly encouraging corporations to be prepared if disaster strikes. Several others are listed below.

| Sector | Legislation | Requirements |
|---|---|---|
| Medical | HIPAA Regulations | Regulations covering electronic security and transmission of patient records. A documented, tested disaster recovery plan is required. |
| Financial Services & Banking | FFIEC FIL-67-97 | Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, to encompass distributed computing and external service bureaus. |
| | Comptroller of Currency BC-177 (1983, 1987) superseded by FFIEC and Federal Home Loan Bank Bulletin R-67 (1986) superseded by FFIEC | Requires banking institutions to develop and maintain Business Recovery Plans. |
| | Inter-Agency Policy from Federal Financial Institutions Examination Council (FFIEC - 1989, revised and made stronger 1997) | Requires business wide resumption planning and extends regulation to require contingency plans from any service bureaus or outsourcing companies which service such banks. |
| Public Companies | SEC Regulations | "Reasonable safeguards for information" - Board of Directors and senior management will be accountable. |
| | Foreign Corrupt Practices Act (1977) | Requires that publicly-held corporations provide "reasonable protection for information systems" and holds management accountable. |
| All Companies | IRS Procedure 86-19 | Legal backup and recovery requirements for computer records containing tax data. |
| eCommerce Transactions | Consumer Credit Protection Act (CCPA) section 2001 Title IX (1992) | Due Diligence for availability of data in Electronic Funds Transfers including Point of Sale. |
| Federal Government | Computer Security Act | Requires security plans for all federal computer systems to assure data integrity, availability, and confidentiality. |
| | FEMA FRPG 01-94 | All department and agency heads must formally plan for continuity of essential operations. |
| State Governments | Various State Departments of Administrative Services Policies, e.g., Texas, (1 TAC 210.13(b)), Oregon’s Dept. of Information Resources (ORS 291.038) | Policies assigning responsibility for contingency planning within state agencies. |

Legislative Requirements for Business Continuity and Disaster Recovery Planning