Cost managers agree that a properly developed 'disaster contingency and recovery plan' (hereafter referred to as a contingency plan) will enable a company to respond to a disaster without suffering irreparable damages. However, agreement to the concept of a contingency plan does not necessarily result in the development of such a plan. For example, businesses operating in coastal areas are aware of the disastrous effects of hurricanes. This article will show, however, that awareness of potential harm, did not lead to preventive action in many companies which were in the path of either Hurricane Hugo or Hurricane Andrew.
Hurricane Hugo inflicted at least $5 billion in property damages in South Carolina. Four years later, Hurricane Andrew struck Louisiana and Florida, causing more than $8 billion in property damages. This article compares the results of two separate surveys of controllers in businesses located in the path of these hurricanes. The study was limited to those businesses using computerized processing. Each survey examined whether these businesses had prepared for such a disaster by developing contingency plans for their computerized operations. The effectiveness of existing computer contingency plans was then determined by measuring the ability of these businesses to process accounting information in the aftermath of each disaster. The final section of the paper examines the five major subcomponents of a comprehensive contingency plan.
The Two Surveys
The authors first surveyed large businesses in the Charleston, South Carolina area, which received the brunt of Hurricane Hugo's damage. The authors limited their survey to large companies, reasoning that these companies would probably use computers to process their critical accounting jobs. The 71 Charleston companies with sales over $1 million listed in Dun and Bradstreet were included in the survey.
Four years after the Hugo disaster, Hurricane Andrew struck South Louisiana and South Dade County, the area south of Miami, Florida. Were the companies in Andrew's path more prepared for the hurricane than the companies which had faced Hugo four years earlier? To address this question, the authors mailed 66 large businesses located in selected cities in South Louisiana and South Dade County a questionnaire similar to the one used to survey Charleston businesses after Hurricane Hugo. As in the first survey, all companies with sales over $1 million listed in Dun and Bradstreet were chosen for the study.
The Hugo survey received 41 responses out of 62 computerized companies for a 66.1% response rate. The Andrew survey received 34 responses out of 64 computerized companies for a 53.1% response rate.
Analysis of The Results
Both the Hugo and the Andrew questionnaires asked controllers whether a computer contingency plan was in place when the respective hurricane struck. Table 1 reveals that the majority of the responding companies in both surveys did not have a contingency plan. Contrary to expectations, the percentage of the Andrew survey respondents having contingency plans for their computer systems was lower than the percentage of the Hugo survey respondents.
At the time Hurricane Andrew struck (refer to Table 2), less than one-third of the responding South Louisiana and South Dade County companies had computer contingency plans. This finding represents almost a 10% decrease (32% compared to 44%) from the percentage of Hugo respondents with computer contingency plans.
The authors conducted an analysis by the amount of company sales and the number of employees. However, the difference in the size of the companies included in the two surveys did not explain why the Andrew companies had fewer contingency plans than the Hugo companies.
The Effectiveness of Existing Contingency Plans
As stated earlier, the measure of the effectiveness of contingency plans chosen for this study was a company's ability to process data while its computers were down. Table 2 shows that of the businesses with contingency plans responding to the Andrew survey, the majority (55%) were able to process all jobs and only one respondent (9%) was unable to process any jobs while the computers were down. Only about 28% of the Hugo respondents with contingency plans were able to process all jobs and 44% were unable to process any jobs. Therefore, the contingency plans of the responding South Louisiana and South Dade County businesses appear to have been more effective than those of the Charleston respondents.
However, it is possible that another factor, such as improved technology in all companies over the four year period since Hurricane Hugo, rather than more effective contingency plans allowed the Andrew respondent companies to be more effective in processing their jobs after the disaster. To address this possibility, Table 3 uses only the data from the Andrew survey to compare the processing capabilities of the companies without contingency plans to the capabilities of the companies with contingency plans. Only one (9%) of the companies with a contingency plan was unable to process any jobs. In comparison, 39% of the companies without contingency plans could not process any jobs during the computer downtime. Fifty-five percent of the companies with contingency plans compared to only 22% of those without plans were able to process all of their jobs, Finally, 27% of those with plans compared to 17% of those without plans were able to process some of their jobs. The above analysis provides evidence that it was the improved contingency plans that increased the ability of the Andrew respondents to process accounting jobs after the hurricane. Responding companies with a computer contingency plan in place when Hurricane Andrew struck had a major advantage over those companies without such a plan.
For the Andrew survey, two additional measures of the effectiveness of the contingency plans were added. First, controllers were asked to rate on a scale of 1 (low) to 10 (high) the overall effectiveness of their computer contingency plan in running the critical accounting jobs in the aftermath of Hurricane Andrew. Table 4 reveals that none responded below a five, only one indicated a five, and the rest were equally divided among responses of eight, nine, and ten. Therefore, 90% of the controllers providing their perceptions of the effectiveness of their computer contingency plans rated them highly effective in producing the accounting data critical for continued operations.
The second measure added to the Andrew survey asked controllers to rank on a scale of 1 (low) to 10 (high) the effectiveness of their backup plan in running the critical accounting jobs. The ratings were very similar to the ratings of the overall computer contingency plan. Table 5 reveals these responses. Additional evidence as to whether the controllers were satisfied with their backup plan was gathered by asking if the controllers would make either major or minor modifications to their backup plan after Hurricane Andrew. Sixty-four percent indicated that they would make no modifications to their backup plan, 18% indicated minor modifications would be made, and 18% stated that they would make major modifications.
Factors Contributing to Effective contingency Plans: The questionnaires in both studies collected data on several factors which might contribute to the effectiveness of contingency plans: (1) tests and audits of the plans, (2) involvement of the internal audit department, and (3) backup methods applied.
Tests and Audits: Many of the case studies describing how companies survived disasters report improvising, correcting, or adding to their contingency plans. Many of these improvisations were very costly. For example, one company's contingency plan did not include a method to air condition their building in case the power was cut off. If the plan had been tested/audited and updated regularly, this weakness would have probably been detected. The company could have contracted to have a replacement generator on site the next day after a disaster. As it turned out, generators were very much in demand at the time of the disaster. It took a week to get a very costly replacement generator flown in from another part of the country.
The literature emphasizes that contingency plans should be tested regularly to ensure their effectiveness. However, only about one-third of both the Hugo and the Andrew responding companies with contingency plans (see Table 6A) had tested their plans before the respective hurricane struck. To further investigate this issue, the Hugo and the Andrew questionnaires asked whether the companies' plans were audited.
In the Hugo survey, 38.98 of the responding companies with contingency plans in place had been audited (See Table 6B).
The authors expected that a higher percentage of the Andrew respondents compared to the Hugo respondents would conduct contingency audits. Andrew responding companies with contingency plans indicated that 45% of the plans had been audited. This is an increase over the Hugo findings of 38.9%, but still not the majority of the companies.
Involvement of Internal Audit: Involvement of internal audit is considered a potentially important factor in both the establishment and the effectiveness of contingency plans. Table 7 reveals that most of the contingency plans in both studies were prepared by the internal audit department. Internal audit was involved in preparing all the contingency plans for Hurricane Andrew respondents; nine plans were prepared by internal auditors and two plans were prepared by both the internal and external auditors. The Hugo respondents stated that internal audit prepared 77% or 13 out of the 18 company contingency plans. Four of the Hugo companies used a consulting firm and one company hired their external audit firm to prepare their plan. These findings support .the claim that internal audit is a factor in the establishment of contingency plans.
The influence of internal audit is limited by the size of the department. Small internal audit departments are restricted by their limited resources. The lack of involvement of internal audit in testing and auditing the contingency plans in this study was related to the size of the internal audit department. Table 8 reveals that most of the respondent companies which did not audit their companies' contingency plans had, at the most, only one staff auditor.
Internal audit may also influence the effectiveness of a company's contingency plan. Table 9 reveals that the majority of the Andrew and Hugo companies whose contingency plans were developed by internal audit were able to process their data after the hurricanes.
Table 10 compares the results of the Andrew and Hugo surveys for the computer downtime of the companies with contingency plans prepared by internal audit. Most of these companies (92% of the Hugo respondents and 82% of the Andrew respondents) were back on line within 15 days. The limited computer downtime provides additional evidence that internal audit involvement contributes to effective contingency planning.
Backup Methods: Since the majority of the respondent companies in both surveys did not test or audit their contingency plans, other variables must account for the difference between the effectiveness of the contingency plans in the two surveys.
The authors questioned whether the Andrew companies had applied the backup methods recommended in the business literature and whether the use of these methods resulted in more effective backup plans in the companies responding to the Andrew survey. To provide insight into this possibility, the Andrew respondents were asked to indicate the method(s) used to process their accounting jobs after Hurricane Andrew disabled their computer system. Table 11 discloses that most of the respondents with contingency plans indicated that the accounting jobs were processed by reverting back to a manual system. Two of these companies indicated a combination of the manual system and using a service bureau or using a company computer at a different location. None of the respondents chose the following which are frequently mentioned options in the literature: using a computer vendor's computer, using another company's computer, using a 'hot site,' or using a 'cold site.'
As reported earlier (see Table 5), most Andrew respondents perceived that their companies' backup methods were effective and indicated that they did not plan to change their backup methods.
However, reverting to the manual system is very inefficient and could result in costly delays. A company should carefully consider the benefits of having off-site computer facilities available in case of a disaster.
This paper reveals that management of more companies need to be convinced to develop contingency plans, including an adequate computer backup plan. Based upon a comprehensive review of the literature, the following section recommends five components for a successful contingency plan.
Recommended Computer Contingency Plans
The authors recommend that a comprehensive contingency plan should consist of five separate interrelated component plans: emergency, backup, recovery, test, and maintenance plans.
Emergency Plan: The emergency plan provides guidelines to follow during and immediately after a disaster. This plan, as a minimum, should contain the following considerations:
1. Prepare an organization chart, showing the chain-of-command involved in the contingency plan.
2. Determine disasters that trigger the entire contingency plan or only part of the plan. Conducting a risk analysis should identify the significant disasters unique to a particular industry and the company's geographical location. In our study, the potential risk from a hurricane should have been recognized.
3. Determine who will contact fire, police, and other agencies.
4. Determine the personnel who will remain at company headquarters to lock doors, power-down computers, and perform other vital duties.
5. Prepare a map of primary and secondary evacuation routes and post these throughout the company.
6. Develop a method for communicating the 'all-clear' signal that indicates when employees can return to headquarters or the temporary business location.
Backup Plan: A backup plan ensures that key employees, vital records, and alternative backup facilities are available to continue business and data processing operations. Representative elements to include in this plan include the following:
1. Store duplicates of vital software, data, and records at appropriate off-premises locations.
2. Identify the critical and noncritical full-time and part-time employees and temporary hires who will be involved in the backup operations.
3. Cross-train key employees to perform several duties. Oftentimes after a disaster strikes, key employees may be injured or otherwise unable to temporarily perform their jobs.
4. Select the most appropriate type of backup system to quickly resume operations. Choose an alternate site for conducting regular business operations that is outside the area of anticipated destruction. Several options are available for resuming data processing operations. Manual backup systems may be feasible for small and medium size companies that process low volumes of transactions.
Decentralized firms with multiple compatible computer sites should airfreight critical jobs to an alternative company location. A reciprocal arrangement can be made between two companies who contractually agree to provide backup for each other following a disaster. A third party agreement to supply backup can be formed between the company and a data processing service bureau, a university or a vendor's computer facility.
Other disaster recovery services include cold sites, hot sites, cooperative hot sites, and flying hot sites. A cold site is an alternate data processing facility equipped with all the necessary resources, except for personnel, files and computer equipment. Following a disaster, a prearranged plan is activated to move the company's personnel, vital files, and newly acquired or rented equipment to the cold site.
A hot site is a fully-staffed and equipped computer facility contracted to provide temporary and immediate off-site services to companies suffering disasters. Vital records are moved to this location and processed by the hot site's EDP staff and equipment.
A cooperative hot site is similar to a hot site, except that the site is co-owned by two or more members who share operating expenses. A flying hot site is similar to a hot site, except that the site stores up-to-date copies of the company's vital records and software.
Recovery Plan: A recovery plan insures that a skilled recovery team is formed to reconstruct and restore full operational capabilities.
Some key items to incorporate into this plan are:
1. Appoint a recovery manager and a second in command. These officials should define specific assignments of key recovery team members.
2. Select an off-site facility to store backups and periodically inspect the facility.
3. Maintain liaison with insurance companies to facilitate the assessment of damages to resources destroyed in a disaster.
4. Arrange with vendors to have resources delivered to the alternate company site and the backup facility.
5. Establish a timetable for the recovery operations.
6. Develop a strategy to insure the strict control over applications processed at the backup site.
Test Plan: The purpose of testing the plan is to uncover and correct defects in the contingency plan before a real disaster occurs. At random intervals a mock disaster, such as a fire, should be simulated. The results should be critiqued by test participants and management, and gaps in the plan are identified and corrected.
Maintenance Plan: The final phase to contingency plan is to prepare a maintenance plan, which devises guidelines insuring that the entire plan is kept up-to-date. Factors requiring revision of the contingency plan include major changes in branch locations, key personnel, organization structure, vendor policies, hardware, and software. Any resulting updates to the contingency plan should be reviewed by appropriate company officials before the contingency plan is modified.
The questionnaires used in the Andrew study did not define a contingency plan. Therefore, the responding companies may not have included all of the five components recommended by the authors in their contingency plans. In fact, the study found that the majority of the respondents did not test their contingency plan.
Data collected in surveys of companies which suffered in the wake of two major hurricanes four years apart provided a longitudinal study of the existence and effectiveness of computer contingency plans. The first survey was sent to controllers in large businesses in Charleston, South Carolina after Hurricane Hugo.
The second was sent approximately four years later to controllers of large businesses in the South Louisiana and South Dade County area after Hurricane Andrew. The two surveys examined businesses with computerized accounting information systems to determine their capacity to process critical accounting jobs in the aftermath of Hurricane Hugo and Hurricane Andrew. The results were then compared.
The findings reveal that most of the responding companies in areas struck by Hurricane Hugo and Hurricane Andrew did not have a contingency plan for their computer systems.
In addition, the longitudinal study reveals that the percentage of companies having a contingency plan in place for Hurricane Andrew was lower than the percentage of the Hugo respondents. The study could provide no explanation for this finding.
In contrast, the computer contingency plans of the Andrew respondents were more effective than those of the Hugo respondents.
The questionnaires gathered information on three factors which contribute to the effectiveness of contingency plans: (1) Tests and audits, (2) Internal audit involvement, and (3) Backup plans used. The findings revealed that the majority of both responding groups did not test nor audit their computer contingency plans.
However, the study did provide evidence that internal audit involvement in developing computer contingency plans, did contribute to effective contingency plans. However, this involvement did not lead to more efficient backup plans.
The study found that the most frequently used backup plan in both surveys was simply to revert back to a manual system. Responding controllers, however, reported primarily that they were very satisfied with the backup methods used.
Perhaps, controllers and internal auditors need more exposure to the different backup methods available.
Five components for a successful computer contingency plan, including a discussion of backup methods, were presented by the authors.
Michael Cerullo, Ph.D., CPA, CDE, DFE is a Professor of Accounting at Southwest Missouri State. M. Virginia Cerullo, Ph.D, CPA, CFE is an Associate Professor of Accounting at Southwest Missouri State. R. Steve McDuffie, DBA, CPA is a Professor of Accounting at Southwest Missouri State.
This article adapted from Vol. 10#2.