
April/May 2007
Focus: Risk Assessment & Disaster Planning

Effective Disaster Recovery/Business Continuity Planning Practices

By Jeff Sacks

Crises are inevitable. Every crisis has the potential to negatively impact profits, people, and the continuity of your business. However, crisis creates unique needs, opportunities, and challenges. A little blending of crisis management and disaster recovery/business continuity planning will lead to success.

An important distinction to make is the difference between disaster recovery and business continuity:

A disaster recovery plan

Activities and programs designed to return the entity to an acceptable condition; the ability to respond to an interruption in services by implementing a disaster recovery plan that restores an organization's critical IT/business functions.

The business continuity plan

A set of procedures that defines how an organization will continue or recover its critical functions in the event of an unplanned disruption to normal processing.

The primary reason for developing both disaster recovery and business continuity plans is business interruption: any event, whether anticipated or unanticipated, that disrupts the normal course of your business operations, such as power/electrical issues, hardware problems, rain or snow storms, or strikes/work stoppages due to employee grievances.

Common misconceptions about disaster recovery and business continuity planning include: “it is time consuming,” “nothing ever happens,” and “why expend the money, time, resources, and energy to develop a plan?” Simply put, however, it is required by law.

Regulation | Industry
FEMA | Federal Government and associated contractors
Foreign Corrupt Practices Act & BS7799 | Cross-Industry / Pan-European Industry
Comptroller of the Currency BC-177, superseded by FFIEC | Banking
Inter-Agency Policy from the Federal Financial Institutions Examination Council (FFIEC) | Banking and any regulated service bureaus, including credit unions
Federal Home Loan Bank Bulletin R-67, superseded by FFIEC | Banking
IRS Procedure 86-19 | Cross-Industry
Fair Credit Reporting Act | Credit Reporting Agencies
Gramm-Leach-Bliley Act & GAO/IMTEC-91-56 Financial Markets: Computer Security Controls | Financial
FFIEC SR97-16 | Banking and any regulated service providers
FFIEC FIL-67-97 (stronger wording on client/server environments; replaces FFIEC FIL 82-96) | Banking and any regulated service providers
Consumer Credit Protection Act (CCPA) Section 2001, Title IX | Cross-Industry

The key is to develop a plan tailored to your organization's business functions and budget. Recommended standards encompass the following:

Policies and Procedures

Written documentation describing the corporation's rules governing employee behavior while on their premises. These rules are communicated in many ways from formal documentation to email notifications.

Gap Analysis

A survey whose aim is to identify the differences between what the business says it needs at time of an event and what is in place or available.

Business Impact Analysis

A process designed to prioritize business functions by assessing the potential quantitative (financial) and qualitative (non-financial) impact that might result if an organization were to experience a disaster.
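As an added illustration of that prioritization step (this script is not from the article), the following Python code rates each business function for financial loss at a few outage durations and for non-financial impact in a few categories, blends the two into one score, and ranks the functions. The checkpoints, the qualitative categories, the 60/40 weighting and every figure in the sample portfolio are constructed assumptions for the demonstration.

```python
"""Business Impact Analysis (BIA) prioritization.

Added illustration for the BIA definition above; it is not from the article.
Each business function is assessed for quantitative (financial) impact at a
few outage durations and for qualitative (non-financial) impact in several
categories; the two are combined into one score used to rank the functions.
All figures below are constructed sample data.
"""
from dataclasses import dataclass

# Outage durations (hours) at which financial loss is estimated. Assumption:
# chosen by the BIA team; the article prescribes no particular checkpoints.
CHECKPOINTS = (1, 8, 24, 72)

# Qualitative impact categories, each rated 0 (none) to 3 (severe). Assumption.
QUAL_CATEGORIES = ("customer", "regulatory", "reputation", "safety")


@dataclass
class BusinessFunction:
    name: str
    financial_loss: dict   # {hours_down: cumulative loss in USD}
    qualitative: dict      # {category: rating 0..3}


def qualitative_score(fn: BusinessFunction) -> float:
    """Average qualitative rating, normalised to 0..1."""
    total = sum(fn.qualitative.get(c, 0) for c in QUAL_CATEGORIES)
    return total / (3 * len(QUAL_CATEGORIES))


def financial_score(fn: BusinessFunction, functions: list) -> float:
    """Loss at the longest checkpoint, normalised against the worst function (0..1)."""
    longest = CHECKPOINTS[-1]
    worst = max(f.financial_loss[longest] for f in functions)
    return fn.financial_loss[longest] / worst if worst else 0.0


def impact_score(fn, functions, weight_financial=0.6) -> float:
    """Weighted blend of financial and qualitative impact. The 60/40 weighting
    is an assumption; a BIA team sets it to reflect its own priorities."""
    return (weight_financial * financial_score(fn, functions)
            + (1 - weight_financial) * qualitative_score(fn))


def prioritize(functions, weight_financial=0.6):
    """Return (name, score) pairs, highest impact first, ties broken by name."""
    scored = [(f.name, round(impact_score(f, functions, weight_financial), 3))
              for f in functions]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def hours_to_threshold(fn, threshold_usd):
    """First checkpoint at which cumulative loss reaches the tolerance threshold,
    or None if it never does within the assessed window. This tells the team
    how quickly each function must be recovered."""
    for hours in CHECKPOINTS:
        if fn.financial_loss[hours] >= threshold_usd:
            return hours
    return None


# Constructed sample portfolio (not real figures).
SAMPLE = [
    BusinessFunction("Order processing",
                     {1: 5_000, 8: 40_000, 24: 150_000, 72: 600_000},
                     {"customer": 3, "regulatory": 1, "reputation": 2, "safety": 0}),
    BusinessFunction("Payroll",
                     {1: 0, 8: 0, 24: 2_000, 72: 20_000},
                     {"customer": 0, "regulatory": 2, "reputation": 1, "safety": 0}),
    BusinessFunction("Plant safety monitoring",
                     {1: 500, 8: 4_000, 24: 12_000, 72: 36_000},
                     {"customer": 0, "regulatory": 3, "reputation": 2, "safety": 3}),
    BusinessFunction("Internal wiki",
                     {1: 0, 8: 0, 24: 500, 72: 3_000},
                     {"customer": 0, "regulatory": 0, "reputation": 0, "safety": 0}),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE):
        fn = next(f for f in SAMPLE if f.name == name)
        print(f"{score:5.3f}  {name:<25} loss reaches $10k after "
              f"{hours_to_threshold(fn, 10_000)} h")
```

Run as a script it prints the ranked list; in the sample portfolio the plant safety function ranks second despite a modest dollar loss, which is the point of carrying the qualitative side rather than ranking on revenue alone. The threshold helper is the bridge to the later "Data Loss Limitations" and recovery-order decisions: a function whose loss crosses the tolerance within hours needs a faster recovery strategy than one that takes days.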

Tabletop Testing

One method of exercising teams in which participants review the actions they would take per their plans, but do not perform any of these actions.

Six-Phased Approach

I. Project Initiation Phase

  • Problem Definition - Disaster Recovery vs. Business Continuity
  • Business Continuity Objectives, Requirements, and Definitions
  • Scope and Cost of Business Continuity Project
  • Business Continuity Steering Committee and Standards

II. Functional Requirements Phase (Fact Gathering and Management Decision)

  • Alternative Business Continuity Strategy(ies)
    • Select the strategy that best suits your business.
  • Cost Benefit Analysis and Selected Strategies
    • Perform a cost benefit analysis geared to the strategy you selected.
  • Business Continuity Program (BCP) Budget
    • Develop a specific budget addressing your BCP.

III. Design and Development Phase

  • Business Recovery Organization (BRO) and Responsibilities
  • Major Plan Components - Link of DR/BRO and Emergency Response Procedures
  • Escalation, Notification and Plan Activation
  • Vital Records and Offsite Storage Program
  • Personnel Control Program
  • Data Loss Limitations

IV. Implementation Phase (Creating the Plan)

  • Delegation/Designation of Authority
  • Emergency Response Linkage to Business Recovery
  • Vendor Contracts and Purchase of Recovery Resources
  • Application Critical Listing

V. Testing and Exercising Phase (Post Implementation Plan Review)

  • Exercise Plans, Scenarios and Actual Exercises/Evaluation
  • Training, Corporate Awareness Program
  • Vehicles for Plan Dissemination

VI. Maintenance and Updating Phase

  • Schedules for Update and Maintenance Activities
  • Program Status, Reporting, and Audits
  • Plan Distribution

IT is a critical component of effective DR/BCP planning. IT recovery itself has several components, including:

  • Develop Off-Site Programs
  • Develop System Back-Up Plans
  • Develop Network Recovery Plans
  • Review Facilities Recovery Plans
  • Review Vendor Recovery Plans
  • Test The Plan

Finally, here are some questions to ask in order to get started down the path of effective DR/BCP planning:

  • What unforeseen event could hurt your business?
  • How have you addressed it?
  • How long have you had a plan?
  • When was it last updated?
  • What are your plans for growth?
  • What has been management's perception of DR/BCP plans?

Jeff Sacks is senior manager/Southern California IT functional leader for Grant Thornton LLP in Woodland Hills, Calif. He can be reached at 818-936-5132 or Jeff.Sacks@gt.com.


Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.