Let’s say your client has five offices across the country. They manage their operations, accounting, IT network and all software services for these offices from their local office.

Your client hosts its e-commerce website at its local office, and, from that office, also serves all software and information used by its staff at all locations.

Further, 40 percent of the company’s business originates from customer transactions using its website. None of the company’s other offices store information on their local computers.

Then, one day, your client’s local office is hit by a major storm, flooding the lower floor, which houses the server room, and causing irreparable systems and hardware failures. In the aftermath:

• Work comes to a halt—at all locations across the country.
• The company’s website is down, thus 40 percent of its customers cannot conduct business with your client.
• The set of backup tapes your client locates is more than one week old, and are damaged from water and other elements. No one has been able to locate older backup tapes.

Your client is left with no current data, no productivity, limited customer orders and interaction, and no likelihood of restoring any current information with which to do business.

Think this is an exaggeration? OK, instead of a flood, substitute another real disaster—the possibility of a corporation’s data being corrupted or deleted by a hacker or ex-employee. Or imagine power surges or internal staff systems abuse.

Avoid the Horror
No one knows when—or if—a systems failure will occur, which is why it’s even more important for your firm, and your clients, to develop, maintain and regularly test a disaster recovery plan to mitigate the losses due to a system failure.

Disaster recovery planning confronts the likelihood of a disaster from which a company must recover effectively and efficiently.

Business interruption can originate from a winter storm, the loss of electricity, inaccessibility to a facility for an extended period of time, a hardware failure or software corruption—along with the threats of viruses or hacking and malicious intent from internal or external influences.

In today’s information-centric environment, much of a disaster recovery plan addresses IT systems and data loss. However, the plans also must address logistics surrounding sales, administration, manufacturing/production, operations and commerce-based functions.

If successful, a disaster recovery plan allows a business to continue as usual—or close to it—in the event of system failures.

Disaster recovery planning requires a sizable investment of corporate labor and financial resources in the areas of procedure design, implementation and testing. These efforts rely on the expertise and familiarity of internal managers, and often the use of outside advisers, such as CPAs and IT professionals.

The adage “an ounce of prevention is worth a pound of cure” cannot be more applicable than to disaster recovery planning efforts.

If your clients resist implementing a recovery plan because they choose to avoid its common sense and prudence, consider this: disaster recovery plan efforts are addressed—directly or indirectly—in regulatory compliance doctrines in place for companies of all sizes, including Sarbanes-Oxley, HIPAA and other federal, state and local privacy protection acts.

Create, Maintain, Test
The first step in creating a disaster recovery plan is to form a disaster recovery plan/crisis management team, which will be responsible for creating and maintaining the plan, and managing it in the event of any business interruption.

This team must represent all key departments and functions of a given company, and should keep in mind the following objectives:

• Continuity and survival of the business;
• Protection of corporate tangible and intangible assets;
• Creation and documentation of specific preventative measures/activities; and
• Ability for the disaster recovery plan to be tested periodically and modified to stay current with the business and any technological advances.

The disaster recovery plan creation process involves assessing the myriad business risks that a company would face in the event of a disaster, everything from loss of data to communicating to clients about the disaster.

Once these risks are identified, an exercise of prioritization unfolds and the team focuses on preparing for the loss of those corporate services and resources that are deemed most critical to protect.

Subsequently, the team creates action plans and underlying documentation of procedures that mitigate each of these risks and then tests these plans and procedures in real time to the greatest extent possible.

This may mean shutting down the company’s power or internet connection, for example, during business hours as a test. It’s extreme, but it often is the only way you can test your disaster recovery plan, the employees’ understanding of it and their responsibilities.

Sadly, many companies do not test their planned procedures in any way, which simply renders the disaster recovery plan useless.

The IT part of the Recovery Plan
Returning to our company described earlier, which suffered flood damage, your client would have benefited greatly from having a disaster recovery plan that addressed the loss of its critical data and business information systems functions.

Among others, specific steps should have included:

1. Regular and secure off-site rotation and storage of data backup media, accompanied by procedures on how to retrieve media for restoring systems in the event of a disaster.
2. A mirrored website. This is an alternate live website that kicks in when the primary site fails, providing continuing service. This would require procedures to point the alternative website to an alternative data source to restore e-commerce functionality.
3. Redundant communications configurations to forward telephones to an alternate location, including cell phones, to handle customers’ needs during the crisis.
4. Set up a “hot site” to provide for redundant hardware, loaded with current versions of business-specific software, and access to fresh backup data that could be restored in the event of a crisis. Such a site could be a remote client office location or that of a third-party vendor who specializes in this area.
5. More effective server room build-out. Specifically, locate servers and related equipment and backup media in a location less vulnerable to flood or other natural disasters.

Disaster recovery plans are critical, and businesses that invest time and effort in their creation, maintenance and testing will be rewarded in the event of disasters.

Using a combination of internal business manager knowledge and input from outside advisers—including CPAs—a disaster recovery plan can be created to provide peace-of-mind and value to any business.

Robert P. Green, CPA, CITP and Scott Cooper, CMC are managing partners and Rick Mark, CSE is chief infrastructure architect at Los Angeles-based INSYNC Consultin Group Inc., which provides IT advisory services and computer forensics services. Your can reach them at (310) 446-8600.