Auditors Can Help Sell Your Plan
- Published on October 29, 2007
Recently, I was involved in helping my company, the Board of Public Utilities in Kansas City, Kansas, to develop a disaster recovery plan. The BPU is owned by the city and is Kansas’ largest utility district. It serves approximately 75,000 electric and 57,000 water customers. The actual disaster recovery planning process was made easier because of a unique PC-based disaster recovery plan. The following explains the roles of our outside and internal auditors, and the resulting benefits to our company.
After completing the annual audit, our auditors (a big eight public accounting firm) told our board of directors, “Prepare for the loss of your computers.” The auditors explained to the elected board that, like most growing businesses, we had become dependent on computers, and that “If a disaster were to occur—the utility would be out of business” unless we took immediate action to prepare ourselves.
The alarm bells had sounded. The auditors left us with disaster recovery sales representatives knocking on the door and a mandate from the elected board to proceed with disaster recovery planning immediately! Following a vulnerability study and an attempt to develop a plan the “old fashioned way” to no avail, the auditors recommended AIM/SAFE 2000(tm), The Disaster Recovery Plan, developed by Advanced Information Management, Inc. The auditors thought the product would work well for the Board of Public Utilities because it could be used to produce user department recovery plans as well as a plan for the data center itself.
The product turned out to be a disaster recovery planner’s dream. Why? The main reason is that it is extremely flexible, including not only user plans, but also clear instructions for the entire process, from initial planning straight through to testing of the developed plan.
Use of the system brought many positive results in addition to the actual production of a plan. Specific features that were helpful to BPU include:
- Time Saving. The Disaster Recovery Plan not only provided clear guidance, but it was also a real time saver. Within 30 minutes, it was installed on one of our PCs and was ready to use. Within four weeks, we had developed and distributed a comprehensive plan for the data center and 20 very diverse users. All this in a company that had previously attempted disaster recovery planning but had failed because there were no guidelines or procedures and the actual purpose and definition were missing.
- Ease of Use. User-friendliness of this PC-based product won over many participants in the planning process. Even our internal auditors, whose function is not basically EDP auditing and who initially were hesitant to participate, were won over. They realized they could input information, using the plan as a vehicle to validate critical user requirements. They also liked being able to see the flow of work from one user area to the other.
- User Plans. Users at the Board of Public Utilities are extremely varied, ranging from the typical departments assigned business functions (i.e., word processing, accounting) to three extremely unique electrical generating plants. At the kickoff meeting with users, their interest was immediate because the plan allowed them an element of control—input into their own plans. They were not forced to just go along with management analysis of their recovery and backup needs.
- Flexibility. The plan was designed for customization, so it allows a great degree of adjustment for individual needs. If users wish to produce their own plans, they can. Or, if needed, the disaster recovery manager can produce them. We found that a combination of effort was required, and the systems allowed it.
- Testing and Maintenance. The system provides guidance for testing and maintenance of plans, so after 90 days, we performed our initial test. The necessity of testing was immediately proven. Though we had carefully analyzed both manual and automated backup needs, we had failed to update lists of personnel responsible for supplying backup tapes in the event of a disaster. Five phone calls were required before we found a current employee of the remote storage site who allowed us to acquire a set of backup tapes. Now we routinely update—maintain—the plan quarterly, with some parts updated monthly. The database management system in the AIM/SAFE 2000 (TM) plan makes this an easy task requiring only 35-40 minutes per month. In addition, we spend approximately 8-12 hours each month to test various parts of the plan.
Our initial test also showed us we had missed a file when backing up data. We were able to determine weaknesses, and then correct them. Ongoing testing and maintenance features built in to the plan helped us to become truly skilled in providing not only a plan, but a comprehensive disaster recovery capability.
Written by John E. Smith, Disaster Recovery Analyst, Board of Public Utilities in Kansas City.
This article adapted from Vol. 2 No. 4, p. 25.