When the World Trade Center buildings in New York City collapsed, many companies were involved and some did not have proper backup facilities and will no longer exist. One incident involves the Securities and Exchange Commission (SEC) which was in the process of somewhere between 200 and 300 investigations of companies suspected of fraudulent financial reporting. Their records were stored in their offices in one of the World Trade Center buildings.
Obviously, all of those materials were lost. Granted, they had some backup files, but all of the notes and other information obtained through the investigation process were lost. This has an implication greater than the mere loss of data. It has very broad implications because some companies that may have been involved in fraudulent financial reporting will get away without any penalties. That has broader implications that the mere loss of data.
There is another aspect of these issues that requires discussion at this point of the article. Current financial statement disclosure rules omit the requirement for stating the value of the two most important and valuable possessions of any company in today’s business world: the skills of the employees and the value of information possessed by the company. Neither of these is stated in financial reports, but most experts agree with the concept that most companies will not survive if either or both of these assets disappear as a result of a disaster.
I think most individuals agree the majority of large companies have disaster recovery plans that are tested regularly and updated periodically so they are useful if a disaster occurs. However, the question residing in my mind is if small or medium-sized companies follow the same prudent business processes, if they have prepared and implemented a disaster recovery plan. If they have, are the plans updated, current and broad enough to be effective if a disaster occurs?
Based on these questions, I implemented a research plan to ask the questions:
Do you have a disaster recovery plan?
What is its structure?
Do you have a backup and/or hot site plan in effect?
I sent a short survey to the chief executive officer of each company included in Standard and Poor’s 600 SmallCap Guide and 400 MidCap Guide 2001 Editions. I only sent out 595 to the SmallCap Companies and 393 to the MidCap Companies because there was no chief executive officer listed in the books for a few of the companies, so it was not apparent to whom I should address the survey.
The remainder of this article involves the information contained in the replies I received from various companies. I will report the various results, make comparisons where appropriate, and discuss basic financial data pertaining to the companies who replied to my survey instrument.
Other information I will analyze will pertain to risk factors various companies take by not having a disaster recovery plan or having an ineffective, incomplete or untested plan. The basic objective of this article is to share empirical data I received from the survey and discuss its implications.
Report On Survey Results
This section of the paper reports on the results received from the surveys. The first issue to be discussed is the percentage of replies and the percentage of those replies that indicated the existence of a disaster recovery plan. SmallCap MidCap
Replies: 51 - 12.97% Replies: 80 - 13.45%
Disaster Plans Yes: 47 - 92.16% Yes: 74 - 92.5%
These numbers deserve a little discussion. The large percentages of the replies that indicate the existence of a disaster recovery plan imply one of two conclusions. The first conclusion is that the majority of SmallCap and MidCap companies have a disaster recovery plan in existence. I do not feel that this is a valid conclusion. I favor the other conclusion that the majority of companies that do not have a disaster recovery plan in existence did not wish to document this failing. Based on human nature, how many individuals managing a company will willingly admit they have failed to institute a disaster recovery plan? I think most would not.
Another factor needs to be addressed at this time. I visited the information published in the directories mentioned above. I examined two factors, net income and common equity. For the MidCap companies, the total common equity is $35,627.5 million; for the SmallCap companies, the total common equity is $22,360.1 million. I will use these factors to help illustrate the findings and discuss the economic risk factors.
The next issue is the type of events the disaster recovery plans addressed. I specifically asked if natural events, IT disasters and disasters caused by actions by individuals were addressed in their plan. There were some interesting results. First, I will indicate the number and percentage of plans that specifically address each issue, and then the number and percentage of common equity covered by those specific plans. MidCap Number % Com Equity %
Natural 39 76.5 $31.693.7 88.9
IT 42 82.4 $31,908.7 89.6
Human Factors 30 58.8 $23,861.7 67.0
SmallCap Number % Com Equity %
Natural 62 77 77.5 $17,392.2 77.8
IT 63 78.8 $17,644.8 78.9
Human Factors x49 61.3 $13,998.3 62.6
These results are interesting. Approximately 90 percent of the MidCap companies and 80 percent of the SmallCap companies have plans that address natural disasters or IT failures caused by hardware, software or human-generated failures. However, it is noticeable that a much smaller number of the plans cover specific actions generated by individuals; approximately 60 percent of the plans cover about 60 percent of the economic value of the companies. That means about 40 percent of the total economic value of SmallCap and MidCap companies is not protected by disaster recovery plans that address adverse actions by individuals. This indicates that many companies are unwilling to address the possibility that individuals will deliberately perform actions that cause company disasters. Maybe recent actions will cause companies and individuals within the companies to address additional disaster possibilities.
The next question I asked was if the disaster recovery plan had been tested. Surprisingly enough, both categories of companies came up with almost the same percentage of plans tested. SmallCap companies stated 80.6 percent had tested their plans and MidCap companies stated 80.4 percent had tested their plans. Those are encouraging results since a disaster recovery plan that has been tested is much more likely to be effective than those that have not been tested. However, in favor of those companies that have not tested their plans, the lack of testing does not mean they will not work; it just increases the questionability factor.
The next questions related to the existence of protected on site storage and the existence of off-site storage. As for off site storage, all but one company in each category stated that they had off site storage for their data files. That is very encouraging since it protects the company against any type of unexpected disaster, whether it is nature or an individual. The other question about protected on site storage is less important given the off site storage. Approximately 70 percent of the companies in both categories stated they had protected on site storage. Probably the only advantage to that process is if a disaster occurs, there is probably a little less work involved in recovery since there is probably a little more current information available from protected on site storage than from off site storage.
The other questions addressed related to the existence of a hot site for computer operations or an alternative location for company or computer operations. While these are not absolutely critical for a company that is the victim of a disaster of any kind, it does enhance the probability of continued existence for companies that have these facilities.
Hot Site Alternative
Yes 34 - 69% 48 - 60%
No 15 - 31% 32 - 40%
Yes 32 - 64% 45 - 57%
No 18 - 36% 34 - 43%
In comparing the results of these answers, I found most of the companies that had one alternative also had the other alternative. That means 60-70 percent of the companies have set up plans for an alternative operating location for at least part of their activities in case of a disaster. While on the surface this indicates good planning, there are some issues that these answers do not address. How many of the companies have the same hot site or alternative location as other companies, large or small? This is not known and cannot be investigated without asking for confidential company information. Therefore, the existence of these sites may not provide the advantage indicated by their existence.
I believe the empirical information reported in this article is informative. It indicates many of the SmallCap and MidCap companies, at least the ones replying to the survey, have a reasonably valid and current disaster recovery plan in place. The only question is the large percentage of companies that did not reply to the survey. If we infer that most of them do not have a disaster recovery plan in existence, there is a tremendous amount of economic risk involved if any type of disaster occurs. It is well-known and well-documented facts that without a current, tested and complete disaster recovery plan in existence, the probability of a company continuing in existence when a disaster occurs is not large. Current publications have indicated the existence and failure of disaster recovery plans in companies in the World Trade Center. Other publications have indicated that because of this event, the necessity of a company having a formal disaster recovery plan is much higher up the priority listing than before these events occurred.
Roderick S. Barclay, Ph.D., CPA, CFE had a 20-year career in the United States Air Force before entering the business world. He has been involved with client companies, academic studies and teaching subjects regarding disaster recovery plans. Barclay is currently an assistant professor at Texas A&M University-Commerce.