Need a Disaster Recovery Plan? You bet.

By Bob Spencer

Wrapped inside any good business contingency plan is disaster recovery. Disaster recovery is the process of returning to operations following some type of failure. There are many levels of failures, from a small event that can be corrected in under an hour, to catastrophic failure that may take days or weeks or from which you may never recover. Recovery and minimizing loss will depend on how well you plan.

Your recovery plan must include written procedures for all the functional areas of your organization as well as computer recovery. Getting your computers up and running may be the least of your problems. What about getting your people into work? In the case of a disaster destroying your office or plant, where will your people report? Where will their workspace be, and what equipment and office supplies will be available for them to use? What tasks must be done, should be done, and would be nice to have? How long can you go without performing those less important tasks, like taking inventory, or closing month-end?

September 11, 2001, made many of us more aware of the potential threats we face daily. And, we know that such threats are a good reason to take proactive measures to protect ourselves. However, since 9/11, we are still aware that the greatest threat to any business is still natural causes from violent storms, fire or man-made causes such as chemical spills or accidents. But, there are threats you must recover from that do not destroy your physical surroundings, disasters that can be just as catastrophic, such as computer viruses, cyber crime and employee theft. All these potential threats should share space in your written business contingency plan and disaster recovery processes.

Begin with a team to define and manage the recovery process, the Emergency Response Team (ERT). In larger organizations with multiple locations, you may assign secondary teams to manage the recovery at each location, but the ERT is responsible for conducting the overall recovery process. The ERT is typically composed of senior management from each critical area of your organization.

The next step is to write the plan. The business contingency plan is a formal document that records the objective of the overall plan. Who is responsible? How will the recovery take place? Involvement and commitment to the process begins in the boardroom, not the back room. From the highest level of the organization, there must be a commitment to contingency planning. The ERT is actively involved with ensuring that this plan is created, tested and reviewed annually.

In the development of your written recovery plan, you must define what a disaster is. There are several levels of disasters and not all disasters are catastrophic. Generally there are four levels of disasters to plan for:

Level IV disasters are catastrophic. The organization must have these systems in operation within 72 hours or experience significant economic loss. Level IV disasters can occur when the computer center is lost due to system failure or natural disaster (hurricane, tornado, etc.). When a Level IV disaster is declared, it is time to head to the alternate processing site.

Level III disasters are severe, but not catastrophic. Ranging up to 72 hours, this type of emergency is monitored very closely beyond 48 hours to determine if, in fact, it will escalate to a Level IV condition. Level III disasters are expensive and can range from the data center losing critical components to loss of telecommunications or loss of branch operations, with portions of the organization still functioning correctly.

Level II disasters are very common. They usually only affect a segment of an organization, such as a department, a branch, warehouse, etc. A Level II disaster is considered to last up to 24 hours (one full business day) and may be escalated to a Level III if corrective measures are not effective.

Level I disasters are the most common, and the most overlooked. Those are the everyday annoyances you experience. The duration of the failure is typically less than four hours and is very isolated to one workstation, work group or office. An example might be a Network Interface Card (NIC) or Network Hub that fails, bringing the users down until repaired. By the way, there are many more Level I than Level IV disasters each year and Level I disasters, collectively, cost most businesses more annually than Level IV disasters do.

Finally, management, through the ERT, should review the plan at least annually and adjust for changes that have occurred in the business. Then retest again. Make sure your people are aware of the plan and know how to react.