Disaster Recovery Planning
Presented by National Conference of CPA Practitioners
Contact Neil Sullivan
Tuesday, November 27, 2001
November 27, 2001 workshop sponsored by National Conference of CPA Practitioners
Disaster Recovery Planning, Presented by the National Conference of CPA Practitioners.
You can read the complete transcript of this workshop.
Unforeseen circumstances such as power outages, fires, catastrophic weather conditions, construction accidents and system failures, can bar access to company facilities and business systems for extended periods of time. These unplanned business interruptions will severely affect company operations and materially affect cash flow.
Most businesses today cannot function without access to their computer or telecommunications systems. Information technology and communications systems are the engine that drives the business forward. As a result, business owners and managers must focus on maintaining business operations if they lose access to company facilities.
In this workshop, participants learned how accountants, their firms and their clients can plan to mitigate the effects of a disaster and have business operations continue with minimal interruption.
- The need for a Disaster Recovery Plan
- Elements of a Disaster Recovery Plan
- Organization of The Disaster Recovery Team
- Identification or Risks
- Disaster Recovery and Information Technology systems
- Importance of off site Archiving of Documents
- Electronic Media Protection
Workshop presenters included:
Cornick, Garber & Sandler, LLP
CGSolutions, Inc. (consulting arm of CG&S)
Stanley Weiner, CPA
Peter Frank, CPA, CITP
Sid Edelstein, Director of IT
Session Moderator: Welcome everyone, and thank you for joining us today! My name is Gail Perry and I'm the managing editor of AccountingWEB. I'm pleased to introduce Peter Frank, Neil Sullivan, co-chairmen of the Technology Committee for the National Conference of CPA Practitioners, as well as other members of the NCCPAP who are here to present a workshop on disaster recovery planning.
The National Conference of CPA Practitioners (NCCPAP) is the only national organization representing practicing CPAs. Member firms represent several hundred thousand small, closely held businesses and other taxpayers.
I'd also like to take a moment to thank NCCPAP for sponsoring today's workshop. You can find out more about NCCPAP by visiting their Web site at www.nccpap.org.
Welcome, gentlemen - we look forward to your presentation!
Neil Sullivan: We are glad to be here.
Peter Frank: Thank you for inviting us.
Neil Sullivan: If the terrorist attacks of September 11 have not already altered the way that businesses view security and disaster planning, the assessments and events in its aftermath will heighten personal and professional awareness of the effects of such a major disruption to business.
No one starts the day believing that the physical presence of her/his business will be gone later that morning. Although some very large businesses with multiple major sites have weathered the storm well, the typical smaller and middle-market company at a single location has faced severe difficulties in reestablishing its business. The need for a basic disaster recovery plan has never been more apparent.
Many companies that have disaster recovery plans developed them in response to a demand from regulatory authorities or a board of directors. Banks, financial institutions, and publicly held companies are usually required to have a formal disaster recovery plan. In the smaller and middle-market sector, however, such plans are rare.
The management of middle market companies frequently views disaster recovery plans in the same light as insurance: They are costly, additional overhead items that relate to a future, highly remote event that will probably never occur.
As we have already witnessed in the aftermath of September 11, however, the impact and repercussions of a major business disruption can place such severe pressures on a company that it is unable to continue in business.
Peter Frank: Although an extremely detailed disaster recovery plan can cost more to develop than many businesses wish to spend, a company can develop a basic plan for moderate cost. Such a basic plan can cover most of the issues that would need to be addressed in order to quickly respond to most catastrophes.
Neil Sullivan: Studies that have focused on information system catastrophes indicate that 90% of companies without a disaster recovery plan go out of business within two years of a catastrophic loss.
Peter Frank: Although an extremely detailed disaster recovery plan can cost more to develop than many businesses wish to spend, a company can develop a basic plan for moderate cost.
Such a basic plan can cover most of the issues that would need to be addressed in order to quickly respond to most catastrophes.
The Elements of a Disaster Recovery Plan
Peter Frank: A disaster recovery plan marshals a company's resources to deal prospectively with a variety of future adverse events that could disrupt business operations.
Such an event could be a natural disaster like a fire or flood or an information system malfunction like a computer center failure.
A good disaster recovery plan should prepare the organization to deal with any events that could curtail business operations.
The plan's strength relies upon its identification and provision of the internal resources and organizational structure to cope with a variety of major business disruptions.
Important elements to consider when developing a disaster recovery plan include the following:
- Organization of the crisis management team
- Identification of unique exposures to the organization that require special preparation
- Crisis management procedures
- Recovery procedures
- Site restoration procedures
Organization of The Crisis Management Team
Peter Frank: The Crisis Management Team will normally have the following members:
- Crisis Coordinator
- Information Technology
- Office Management
- Human Resources
- Records and Document Management
- Facilities management
Identifying other specialized areas unique to the Organization
Peter Frank: Each Organization has unique exposures related to disasters that could occur. These exposures normally revolve around the following four major areas:
- Financial Exposures
- Operational Exposures
- Data Center Exposures
- Physical Risk Exposures
Peter Frank: Efforts made to understand unique exposures and the development of a plan to cope with them are well worth the time and money should a disaster occur.
Crisis Management Procedures
Peter Frank: The following common procedures should be part of every plan:
- Emergency Response procedures
- Notification Procedures
- Activation of the Crisis Management Team
- Development of a plan to react to the incident
- Implementation of the Recovery Process
- Communication Procedures: Good, honest communications are important to both employees and the business community. This could affect the Organization's ability to survive.
- Basic Low Cost Preparedness Procedures: Some companies may prefer to gamble that they will not be involved in a disaster and, therefore, forego the cost of a full disaster recovery plan.
Peter Frank: For those that prefer this approach, the steps on the following checklist are inexpensive to implement but could have significant positive benefits in mitigating the adverse consequences if a business is unable to transact normal business.
- Designate a senior manager as the crisis manager with responsibility for basic disaster recovery preparedness.
- Review and update security and safety procedures.
- Maintain an off site list of all employees, their addresses, telephone numbers, social security numbers, contact relatives, and other pertinent information.
- Review the company's insurance policy for business interruption, extra expense, business income, and ordinary payroll coverage.
- Review procedures for the backup of computer files. Are backups stored offsite in a secure facility, regularly tested for reliability, and updated?
- Provide an off site storage facility for copies of vital documents such as contracts, manuals, forms, customer and vendor lists, specifications and inventories for computer and communications systems, critical accounting records, and extra check stock.
- Ensure that all employees understand the escape routes from the company's premises by holding periodic evacuation drills.
- Designate an alternate site for management personnel to meet if the regular place of business cannot be used.
- Arrange for the use of alternate computer facilities if the company's computer systems cannot operate and current hardware cannot be easily replaced.
- Investigate how to obtain alternate communications systems. Explore wireless communications for staff in an emergency.
- Explore alternate production and administrative facilities through replacement, rental, or reciprocal agreements with competitors.
Peter Frank: Each business has its own requirements and the items on this checklist cannot be considered as all-inclusive. They are, however, a starting point for consideration.
Peter Frank: The preceding is from a forthcoming article in The CPA Journal, by Stanley Weiner, CPA, Cornick, Garber & Sandler, LLP
Session Moderator: At this time we'd like to encourage questions from participants. NCCPAP has provided me with some questions to include in our Q&A session - please feel free to jump in and enter your questions at any time.
Session Moderator: Why should a business have a Disaster Recovery Plan?
Peter Frank: To be able to get back up and running as quickly as possible after a disabling incident.
Session Moderator: Why is the back up of media important?
Stan Weiner: The back up of media allows a company to restore its electronic records rapidly should they become destroyed.
Session Moderator: Any other reasons?
Peter Frank: Not only the data files but program files as well must be available for restoring. In addition, backup media must be periodically tested to ensure that they are readable and restorable.
Session Moderator: Should a business have a functioning Crisis Management Team?
Peter Frank: Yes. Formation of the Crisis Management Team and keeping it in a semi active status is an inexpensive endeavor and will help a Company recover from a Disaster rapidly.
Session Moderator: Who should be on the Crisis Management Team?
Peter Frank: The Crisis Management Team should be drawn from the vital sectors of the Company. Members should have functional knowledge of Information Technology, Office Management, Finance, Human Resources, Records and Document Management, Facilities Management, Communications, etc.
Session Moderator: Should a Company attempt to identify its unique risks?
Peter Frank: Yes. Identification of Unique risks will provide the Company with the ability to attempt to come up with a solution for resolving a disabling incident in advance of its occurrence.
John Hoogesteger: Why is my accountant a logical person to help me with my disaster plan?
Stan Weiner: The accountant has training in objectivity and the ability to quantify diverse elements of information. His/her background provides the ability to formulate a fundamental plan utilizing the unique talents of the company
Session Moderator: How would an accountant market his expertise in this area?
Alan Feldstein: The best place to start is with existing clients
Neil Sullivan: Ask your client about the backups they do, how often and when was the last test of backup done.
Lana Kupferschmid: Small business owners wear many hats and would welcome the accountant to take charge of the recovery plan.
Alan Feldstein: Many CPA's have long standing relationships with their clients and are able to impart knowledge that comes from the understanding of their business operations as well as other clients.
Stan Weiner: On the subject of backups, it is important to test back ups. Sid could comment on this.
Peter Frank: It's critical to test restorations regularly and to determine that specialized networking and o/s files along with files that may be open for critical apps are included
Peter Frank: Many applications that run on servers in real time have open files which are not typically included in backup routines unless specialized software is utilized to back these files up
Stan Weiner: It is also important to have an inventory of existing computer equipment. It is also important to know where to locate replacement equipment
Neil Sullivan: Has the client identified a person to coordinate the recovery team?
Stan Weiner: The client should utilize a manager who has familiarity with the company
Stan Weiner: and can select the proper crisis management team
Stan Weiner: Rank does not matter. It is the ability to understand what has to be accomplished and implement a solution.
John Hoogesteger: What if I have a disaster and don't have a plan. What should my accountant do when I call and ask for help right now?
Peter Frank: don't take the call!!!
Stan Weiner: The accountant, if he is interested in disaster recovery, should be in a position to marshal the resources of the Company and be able to bring the diverse requirements together. However, this will be quite difficult.
Alan Feldstein: What options are available for offsite backups?
Peter Frank: Numerous web-based backup services now exist that will allow company's to automatically backup their servers and PCs over the web. The key issue regarding these services relates to volume of data, specialized data backup capabilities, and bandwidth connection speed of the systems to be backed up.
Be sure to work with a qualified company and make sure to do some due diligence as to their track record of service
There are a number of better alternatives available for real-time off-site replication but these tend to be far more expensive and complicated to configure
Neil Sullivan: What are some inexpensive alternatives?
Peter Frank: Best inexpensive alternative IMHO is traditional tape backups sent regularly to off-site archive service providers. Most warehouse companies offer regularly scheduled Pickup and retrieval of tapes for very reasonable prices.
Alan Feldstein: I would be concerned with web backup services....their ability to stay in business and handle volume
Peter Frank: rightfully so!
Session Moderator: Do any of today's participants use (or recommend) off-site storage?
sdc: We have used Business Management Records for off site storage of our DLT tape backups for a few years. They pick up every week.
Stan Weiner: Sdc---what happens if they come to pick up the back up and its not ready?
Peter Frank: they come back daily and charge you for the extra visit
sdc: They pick up at 2-3pm; our backups run every night. If for some reason they would not be ready we would use the previous nights backup
Stan Weiner: Do they notify anyone at a managerial level?
Peter Frank: yes
sdc: I imagine they would, if instructed to do so
Session Moderator: Is anyone offering CPE to prepare accountants to perform disaster recovery services? (perhaps the AICPA will create a new certification!)
Peter Frank: an XYZ cognidisastor!
Stan Weiner: While there are a number of training sessions, I know of none that provide CPE.
Lana Kupferschmid: Do we get CPE for this session?
Session Moderator: I'm sorry - we don't offer CPE at AccountingWEB for our workshops
Lana Kupferschmid: ncCPAp should discuss presenting a seminar with CPE with our Education Chair
Neil Sullivan: Do insurance companies offer coverage and offer discounts for companies with plans?
Stan Weiner: Insurance Companies have been known to give discounts, but your client will have to be aggressive in requesting them.
Stan Weiner: On the subject of insurance, it is advisable to have your clients obtain extra expense insurance which is an add-on to business interruption and is reasonably priced.
Stan Weiner: Should a disaster occur, this will cover all the costs of restoration
sdc: In some court related cases, federal investigators have viewed the lack of backups and off site storage as lack of due diligence
Stan Weiner: I believe this is negligence, not due diligence.
Stan Weiner: comments, sdc?
sdc: the language may be incorrect; I am a network admin in an accounting firm
Stan Weiner: fine did not mean to be critical
Lana Kupferschmid: Disaster recovery for individuals should be considered. Are your important papers in a safe deposits box?. In case of fire do all family members have a meeting place, etc.?
Session Moderator: For those with questions about how to prepare clients for disaster recover, please refer to the beginning of the transcript where several points were discussed.
Peter Frank: Lana, some of the tips from earlier in the presentation can apply to individuals, too.
Session Moderator: We're nearly out of time - any other questions?
Neil Sullivan: As part of your periodic meetings with clients, just like when you go for an annual medical checkup, discuss what the client is doing to maintain preparedness. Perhaps send an annual survey or checklist... Are you doing these?
Session Moderator: Should a company have emergency response procedures?
Peter Frank: Yes. Emergency response procedures can save lives and will allow the Company to get a running start should a disaster occur.
Session Moderator: How important is good Communications to the outside Community and to the employees of a Company.
Peter Frank: Good Communications are extremely important. A Company may have the best Disaster Recovery Plan, but it may ultimately fail because it hasn't communicated properly. Communications should be factual in nature. Don't embellish. The Company should achieve what it promises.
Peter Frank: If any of you have a client that you feel would benefit from a comprehensive disaster recover plan, please contact us so we can offer you guidance in that area.
Peter Frank: Contact Cornick, Garber & Sandler, LLP, a member of NCCPAP, through either Stan Weiner (212) 557-3900 x.231 or email@example.com or Peter Frank (212) 557-3900 x.288 or firstname.lastname@example.org
Session Moderator: We really want to thank all of you for attending today, and thank you to the representatives from NCCPAP for sharing this valuable information with us! Be sure to visit NCCPAP's Web site, www.nccpap.org, for additional information about this organization that represents practicing CPAs.
Peter Frank: Stan Weiner, Sid Edelstein and I would like to thank NCCPAP and Accounting Web for this opportunity to share with other CPA's the benefits of a good disaster recovery plan. Thank you
Neil Sullivan: We are glad to be part of the process to better prepare today for smoother sailing down stream. Thanks.
Alan Feldstein: On behalf of NCCPAP, thank you all for participating. To stay informed on this and other matters, I would invite you to visit the NCCPAP website at www.nccpap.org
The National Conference of CPA Practitioners (NCCPAP) is the only national organization representing practicing CPAs. Member firms represent several hundred thousand small, closely held businesses and other taxpayers. For more information about the organization please contact Holly Coscetta at (888) 488-5400.