The terrorist threat continues, especially in the form of anthrax and other white powder attacks on the mailstream. Hoaxes can bring a business operation to a halt as effectively as the real thing. Other man-made disasters come from employee carelessness, civil disturbances, arson, bomb scares, and employee sabotage.
Proximate events can be even more damaging. A fire or burst boiler in a neighboring building can stop your day-to-day operations. Businesses are also vulnerable to pandemic outbreaks, chemical/biological contaminations, asbestos release, and truck and train accidents that release toxic cargos.
Four industries are at greater risk because maintaining a daily revenue stream and/or continuous service is key to their survival: financial services, utilities, service bureaus, and insurance companies.
What Happens Without a Disaster Recovery (DR) Plan?
In an emergency, emotions flow and events can unfold completely outside anyone’s control. If you don’t have a DR Plan and a staff trained to implement it, you won’t know who to contact, when to contact them, how to protect employees, or how to restore operations and maintain assets. Without a plan, the implications can be substantial.
The Human Implications – A disaster can have major personal impact on employees. The first concern is their physical safety. Next, you need to minimize the disruption a disaster brings to their lives. You’ll also need alternative staffing options.
The Cash Flow Implications – For many businesses, cash flow is king. A disaster that halts your mailstream operations can stop your revenue flow cold. Think about how your cash flow would be impacted if the mailstream were delayed a few days while a suspicious powder is tested. Once authorities are contacted, how long a building must remain shut could be out of your control. If cash flow stopped, how long could you operate with the cash on hand? When that runs out, what will it cost to borrow?
The Management Implications – Depending on their industry, size, and other factors, many companies are required by various regulations to submit reporting documentation to government agencies. A disaster could disrupt the submission of that documentation, possibly exposing companies to non-compliance penalties. Additionally, for insurance companies, banks, and utilities, state regulations can mandate substantial fines and penalties for payment delays or service disruptions. These days, there can be a loss of investment community confidence if the markets perceive management wasn’t prepared when disaster struck.
How to Develop a DR Plan
- Understand the risks and document them. Determine what’s important to your business and what you’re trying to protect. Weigh the cash flow requirements and costs and the regulatory compliance exposure. You can drive yourself to distraction with risk assessment. What’s important is to do what’s reasonable and customary. A lot of this is just common sense, but it does require forethought and planning.
- Build a business impact analysis. Quantify as best you can the cost of business interruption and the cost to rebuild your business. Determine how damages would be calculated and assess the impact based on specific time periods. What if the business interruption went on for a week or a month? What’s the cost of penalties and fees? How long would it take and what would it cost to replace infrastructure? What will insurance pay for?
- Mitigate the risks you can. Once you understand the risks and their impact, take a look at what you can do to minimize them. Should you move a warehouse, records storage facility, mailroom, or IT operation? Look to decentralize functions and build redundancies in hardware, software, and staffing. Do a site safety and security audit to determine what can be done within buildings to protect employees and operations. Should you install filtration systems, for example? Understand IT back-up capabilities as they relate to your print/mail operations and the revenue stream. Review alternative methods of document delivery including outsourcing and electronic transactions. Make sure employees who work in the mailroom or in maintenance are adequately screened in the hiring process. Background checks and drug screening are important for these jobs, which are at the heart of critical operations and often have wide-ranging access to facilities.
- Develop the DR plan to cover the gap between the risks you can mitigate and those you can’t. Identify your mission critical applications and determine their hierarchy. Separate needs vs. wants by evaluating the financial or operational impact of each application. Most organizations define needs in terms of cash flow, regulatory requirements, and the internal and external customer implications of Service Level Agreements (SLAs).
- Build a disaster response process. Construct a scenario from the worst-case perspective. Determine who has the authority to declare an emergency. Plan your emergency evacuation procedures. Focus on crisis management: determine which information to share with customers, employees, and the media. Plan to back up cash flow daily. Look at setting up a mirror image of your entire IT infrastructure at another location. Document all processes to “automate” the decision-making and minimize confusion.
- Get top executive buy-in. CEO, CIO, or CFO support is critical to a DR Plan. Have them appoint a dedicated DR project manager with access to the decision makers and the authority to manage cross-functional teams, such as IT, audit, marketing, finance, regulatory, and procurement.
- Consider your DR Plan a process that will continue to develop. I like to call the DR Plan your plan for “Business as Unusual.” Since the unusual is often unpredictable, this is one plan that needs to stay flexible. Changes in technology, your scope of applications, and corporate organization will continue to impact your plan, so change management is critical. Periodically validate how your plan functions and change processes as needed – test, test, test.
I am amazed at how many companies do not have a full disaster recovery plan. Top management often underestimates the cost of a business interruption from a disaster. They also typically underestimate the likelihood of a disaster happening, not taking into account the possibility of proximate events over which they have no control. Costs must always be weighed against risks, to design the plan that’s right for your company. But putting a full DR Plan in place now could save your business huge amounts of money – and even the business itself.
"Appeared in DRJ's Winter 2008 Issue"