BUSINESS DISASTER RECOVERY PLANNING

Binomial International

 
 

09 Mar 2010
Microsoft Certified Partner

Disasters Happen
You Need to Plan for Them

Were you ready when North America's largest blackout hit? Will you be ready when it happens again?

Were you ready when computer systems were devastated by viruses during the summer of 2003? Will you be ready when they strike again?

If you do not have a Disaster Recovery Plan in place you are in for a shock. The rules of the game are changing. In order to follow them and ensure your firm survives and thrives, you need a plan for recovery.

A Disaster Can Kill Your Business

Few businesses can survive a direct hit when disaster strikes. The facts are punishing:

  • Some 70% of businesses fail within a year of a major IT disaster if a recovery plan is not in place;
  • Of those that do survive only 10% make a full recovery; and
  • Without a plan, recovery is slower. Customers, sales revenue and shareholder confidence will disappear.

Looking Out For Your Own

If your firm is not prepared for disaster when it strikes, your directors may be liable for failing to do their duty. A proper plan will protect them and clearly show that no matter what the outcome, they did their job.

Minimizing the impact of a disaster and ensuring that your company is back in operation as soon as possible will ease the loss felt by investors. Just knowing a plan is in place will also encourage them to continue to support the firm.

You Cannot Escape Disaster

Disasters happen:

  • North America's largest blackout, August 2003;
  • Devastating computer worms, Summer 2003;
  • Forest Fires in US and Canadian Rockies, Summer 2003; and
  • SARS-related quarantines shut down businesses worldwide, 2003.

"Repeated acts of terrorism on American soil are almost certain to occur in the future. Corporations must now prepare for an expanded scope of risks."
Bruce T. Blythe and Terri Butler, Contingency Planning and Management Magazine, July/August 2003.

The list of potential disasters is alarming. Here are just a few:

  • Storm
  • Fire
  • Employee strike
  • Tornado
  • Hurricane
  • Flood
  • Malicious employee sabotage
  • Hardware failure
  • Software failure
  • Virus
  • Theft

Any one of these could bring your company down unless you have a thorough and tested recovery strategy.

Recovery Planning and the Law: Sarbanes-Oxley and More

It is becoming increasingly clear that you will be legally bound to ensure your firm has a plan in place to help it recover when disaster strikes. This is especially true with the advent of the Sarbanes-Oxley Act, which tightens the rules that govern corporations and ensures that the heads of those corporations follow the rules.

Under Sarbanes-Oxley, the CIO of a firm has become a key player because it is his job to make sure that IT meets process and internal control requirements. In particular, Section 409 of the Act appears to require real-time reporting of critical information that could affect the performance of a corporation:

"Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest."

Planning, reporting and IT requirements have become crucial, not just for corporate survival but also for making sure you play by the rules of the game. Their continued operation must be protected.

Sarbanes-Oxley is only the most recent of many regulations strongly encouraging corporations to be prepared if disaster strikes. Several others are listed below.

| Sector | Legislation | Requirements |
|---|---|---|
| Medical | HIPAA Regulations | Regulations covering electronic security and transmission of patient records. A documented, tested disaster recovery plan is required. |
| Financial Services & Banking | FFIEC FIL-67-97 | Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, to encompass distributed computing and external service bureaus. |
| | Comptroller of Currency BC-177 (1983, 1987) superseded by FFIEC and Federal Home Loan Bank Bulletin R-67 (1986) superseded by FFIEC | Requires banking institutions to develop and maintain Business Recovery Plans. |
| | Inter-Agency Policy from Federal Financial Institutions Examination Council (FFIEC - 1989, revised and made stronger 1997) | Requires business-wide resumption planning and extends regulation to require contingency plans from any service bureaus or outsourcing companies which service such banks. |
| Public Companies | SEC Regulations | "Reasonable safeguards for information" - Board of Directors and senior management will be accountable. |
| | Foreign Corrupt Practices Act (1977) | Requires that publicly-held corporations provide "reasonable protection for information systems" and holds management accountable. |
| All Companies | IRS Procedure 86-19 | Legal backup and recovery requirements for computer records containing tax data. |
| eCommerce Transactions | Consumer Credit Protection Act (CCPA) section 2001 Title IX (1992) | Due Diligence for availability of data in Electronic Funds Transfers including Point of Sale. |
| Federal Government | Computer Security Act | Requires security plans for all federal computer systems to assure data integrity, availability, and confidentiality. |
| | FEMA FRPG 01-94 | All department and agency heads must formally plan for continuity of essential operations. |
| State Governments | Various State Departments of Administrative Services Policies, e.g., Texas (1 TAC 210.13(b)), Oregon's Dept. of Information Resources (ORS 291.038) | Policies assigning responsibility for contingency planning within state agencies. |

Legislative Requirements for Business Continuity and Disaster Recovery Planning

Where Do You Start?

You need a Disaster Recovery Plan, but where do you start?

First of all, recognize that a good Disaster Recovery Plan is intended to help your company survive a disaster and get back to business in a reasonable time. This means that the goals of your Plan should be to:

  • Identify where the weaknesses are and set up a program to try and prevent them;
  • Minimize the length of time that business operations would be seriously disrupted;
  • Help to co-ordinate all the recovery tasks; and
  • Make the recovery effort as uncomplicated as possible.

Secondly, use proper strategies to help you develop a Plan that works. Emphasize the following:

  • Ensure management knows that a total effort is needed to develop and maintain an effective plan;
  • In addition, management must be committed to supporting and taking part in this effort;
  • Define your recovery requirements in terms of business functions;
  • Document the impact of an extended loss of operations and key business functions;
  • Focus on preventing a disaster and minimizing its impact as well as business recovery;
  • Select teams that will give you the balance needed to develop a proper plan;
  • Develop a continuity plan that is easy to develop and easy to maintain; and
  • Define how to integrate continuity planning issues into ongoing business planning and system development processes to ensure the plan is viable over time.

Remember that senior personnel from Information Systems and user areas must be involved to make the planning process work.

Finally, use the right tools for the job. This will help you to cover all contingencies as much as possible and minimize the impact of a disaster on your company.

Contact Us for More Information

We want to hear from you. Contact us now to discuss your Disaster Recovery Planning needs. We can help save you thousands of dollars, head off legal risks and ensure your firm will stay strong when disaster strikes.