SURVEY
Do Small, Medium Companies Implement Disaster Recovery Plans?
By RODERICK S. BARCLAY, Ph.D., CPA, CFE
This is not an article
intended to describe a disaster recovery plan or discuss the need for
a company to implement a disaster recovery or business continuity plan.
Nor is it an academic article to discuss an argument or make sophisticated
analysis of information. It is an article to discuss the information
obtained and possibly encourage companies and other organizations to
implement and maintain a disaster recovery plan. It is a given that
companies should have a current disaster recovery plan in order to survive
an unknown or unexpected disaster. After the events that have occurred
this past calendar year, there is much additional incidental evidence
that if a company fails to prepare for an unexpected event, they probably
will not survive the disaster; and disasters can and do happen unexpectedly
and without prior notice or probability.
Last spring, Houston and Galveston, Texas, received an unexpectedly
severe rainfall. One of the medical schools in Houston lost 20 years'
worth of medical research because they did not plan for a disaster by
protecting their data and storing it where it would be disaster proof.
They did not have backup storage facilities, nor did they store any
of their materials anywhere except in the basement of their building.
When the basement was completely flooded, all of their material was
lost. This has more implications than the loss of data. There is a possibility
that some very important medical research no longer exists. That could
possibly be very severe. Granted, the medical school will survive, but
a lot of the work they have performed is lost and cannot be reconstructed.
When the World Trade Center buildings in New York City collapsed, many
companies were involved and some did not have proper backup facilities
and will no longer exist. One incident involves the Securities and Exchange
Commission (SEC) which was in the process of somewhere between 200 and
300 investigations of companies suspected of fraudulent financial reporting.
Their records were stored in their offices in one of the World Trade
Center buildings. Obviously, all of those materials were lost. Granted,
they had some backup files, but all of the notes and other information
obtained through the investigation process were lost. This has an implication
greater than the mere loss of data. It has very broad implications because
some companies that may have been involved in fraudulent financial reporting
will get away without any penalties. That has broader implications than
the mere loss of data.
There is another aspect of these issues that requires discussion at
this point of the article. Current financial statement disclosure rules
omit the requirement for stating the value of the two most important
and valuable possessions of any company in today's business world:
the skills of the employees and the value of information possessed by
the company. Neither of these is stated in financial reports, but most
experts agree with the concept that most companies will not survive
if either or both of these assets disappear as a result of a disaster.
I think most individuals agree the majority of large companies have
disaster recovery plans that are tested regularly and updated periodically
so they are useful if a disaster occurs. However, the question residing
in my mind is if small or medium-sized companies follow the same prudent
business processes, if they have prepared and implemented a disaster
recovery plan. If they have, are the plans updated, current and broad
enough to be effective if a disaster occurs?
Based on these questions, I implemented a research plan to ask the questions:
Do you have a disaster recovery plan?
What is its structure?
Do you have a backup and/or hot site plan in effect?
I sent a short survey to the chief executive officer of each company
included in Standard and Poor's 600 SmallCap Guide and 400 MidCap
Guide 2001 Editions. I only sent out 595 to the SmallCap Companies and
393 to the MidCap Companies because there was no chief executive officer
listed in the books for a few of the companies, so it was not apparent
to whom I should address the survey.
The remainder of this article involves the information contained in
the replies I received from various companies. I will report the various
results, make comparisons where appropriate, and discuss basic financial
data pertaining to the companies who replied to my survey instrument.
Other information I will analyze will pertain to risk factors various
companies take by not having a disaster recovery plan or having an ineffective,
incomplete or untested plan. The basic objective of this article is
to share empirical data I received from the survey and discuss its implications.
Report On Survey Results
This section of the paper reports on the results received from the surveys.
The first issue to be discussed is the percentage of replies and the
percentage of those replies that indicated the existence of a disaster
recovery plan.
| | SmallCap | MidCap |
|---|---|---|
| Replies | 51 - 12.97% | 80 - 13.45% |
| Disaster Plans | Yes: 47 - 92.16% | Yes: 74 - 92.5% |

These numbers deserve a little
discussion. The large percentages of the replies that indicate the existence
of a disaster recovery plan imply one of two conclusions. The first
conclusion is that the majority of SmallCap and MidCap companies have
a disaster recovery plan in existence. I do not feel that this is a
valid conclusion. I favor the other conclusion that the majority of
companies that do not have a disaster recovery plan in existence did
not wish to document this failing. Based on human nature, how many individuals
managing a company will willingly admit they have failed to institute
a disaster recovery plan? I think most would not.
Another factor needs to be addressed at this time. I visited the information
published in the directories mentioned above. I examined two factors,
net income and common equity. For the MidCap companies, the total common
equity is $35,627.5 million; for the SmallCap companies, the total common
equity is $22,360.1 million. I will use these factors to help illustrate
the findings and discuss the economic risk factors.
The next issue is the type of events the disaster recovery plans addressed.
I specifically asked if natural events, IT disasters and disasters caused
by actions by individuals were addressed in their plan. There were some
interesting results. First, I will indicate the number and percentage
of plans that specifically address each issue, and then the number and
percentage of common equity covered by those specific plans.
| MidCap | Number | % | Common Equity ($ millions) | % |
|---|---|---|---|---|
| Natural | 39 | 76.5 | $31,693.7 | 88.9 |
| IT | 42 | 82.4 | $31,908.7 | 89.6 |
| Human Factors | 30 | 58.8 | $23,861.7 | 67.0 |

| SmallCap | Number | % | Common Equity ($ millions) | % |
|---|---|---|---|---|
| Natural | 62 | 77.5 | $17,392.2 | 77.8 |
| IT | 63 | 78.8 | $17,644.8 | 78.9 |
| Human Factors | 49 | 61.3 | $13,998.3 | 62.6 |

These results are interesting. Approximately 90 percent of the MidCap
companies and 80 percent of the SmallCap companies have plans that address
natural disasters or IT failures caused by hardware, software or human-generated
failures. However, it is noticeable that a much smaller number of the
plans cover specific actions generated by individuals; approximately
60 percent of the plans cover about 60 percent of the economic value
of the companies. That means about 40 percent of the total economic
value of SmallCap and MidCap companies is not protected by disaster
recovery plans that address adverse actions by individuals. This indicates
that many companies are unwilling to address the possibility that individuals
will deliberately perform actions that cause company disasters. Maybe
recent actions will cause companies and individuals within the companies
to address additional disaster possibilities.
The next question I asked was if the disaster recovery plan had been
tested. Surprisingly enough, both categories of companies came up with
almost the same percentage of plans tested. SmallCap companies stated
80.6 percent had tested their plans and MidCap companies stated 80.4
percent had tested their plans. Those are encouraging results since
a disaster recovery plan that has been tested is much more likely to
be effective than those that have not been tested. However, in favor
of those companies that have not tested their plans, the lack of testing
does not mean they will not work; it just increases the questionability
factor.
The next questions related to the existence of protected on-site storage
and the existence of off-site storage. As for off-site storage, all
but one company in each category stated that they had off-site storage
for their data files. That is very encouraging since it protects the
company against any type of unexpected disaster, whether it is nature
or an individual. The other question about protected on-site storage
is less important given the off-site storage. Approximately 70 percent
of the companies in both categories stated they had protected on-site
storage. Probably the only advantage to that process is if a disaster
occurs, there is probably a little less work involved in recovery since
there is probably a little more current information available from protected
on-site storage than from off-site storage.
The other questions addressed related to the existence of a hot site
for computer operations or an alternative location for company or computer
operations. While these are not absolutely critical for a company that
is the victim of a disaster of any kind, it does enhance the probability
of continued existence for companies that have these facilities.
| Hot Site Alternative | MidCap | SmallCap |
|---|---|---|
| Yes | 34 - 69% | 48 - 60% |
| No | 15 - 31% | 32 - 40% |

| Alternative Location | MidCap | SmallCap |
|---|---|---|
| Yes | 32 - 64% | 45 - 57% |
| No | 18 - 36% | 34 - 43% |

In comparing the results of these
answers, I found most of the companies that had one alternative also
had the other alternative. That means 60-70 percent of the companies
have set up plans for an alternative operating location for at least
part of their activities in case of a disaster. While on the surface
this indicates good planning, there are some issues that these answers
do not address. How many of the companies have the same hot site or
alternative location as other companies, large or small? This is not
known and cannot be investigated without asking for confidential company
information. Therefore, the existence of these sites may not provide
the advantage indicated by their existence.
Conclusion
I believe the empirical information reported in this article is informative.
It indicates many of the SmallCap and MidCap companies, at least the
ones replying to the survey, have a reasonably valid and current disaster
recovery plan in place. The only question is the large percentage of
companies that did not reply to the survey. If we infer that most of
them do not have a disaster recovery plan in existence, there is a tremendous
amount of economic risk involved if any type of disaster occurs. It
is a well-known and well-documented fact that without a current, tested
and complete disaster recovery plan in existence, the probability of
a company continuing in existence when a disaster occurs is not large.
Current publications have indicated the existence and failure of disaster
recovery plans in companies in the World Trade Center. Other publications
have indicated that because of this event, the necessity of a company
having a formal disaster recovery plan is much higher up the priority
listing than before these events occurred.
Roderick S. Barclay, Ph.D., CPA,
CFE had a 20-year career in the United States Air Force before entering
the business world. He has been involved with client companies, academic
studies and teaching subjects regarding disaster recovery plans. Barclay
is currently an assistant professor at Texas A&M University-Commerce.