Divider
Divider


Barry MacQuarrie

A CPA, a BCP and a DRP

Is your firm prepared for a disaster? Does your firm have a written business continuity plan (BCP) or disaster recovery plan (DRP)? Do you need both?

October 8, 2009
by Barry MacQuarrie, CPA.CITP

It is very early on Thursday morning and you have just arrived at the office. You notice that the building has been sealed off by the fire department. All members of the fire department are wearing hazardous material suits. It does not look good.

You are unable to enter the building. You are told that there has been a chemical spill and that nobody will be allowed into the building for at least a week. The electricity will be out indefinitely. It is not good.

You soon realize that your firm’s computer and telephone systems are down. You are effectively out of business.

What would you do? How would your firm respond? Would your firm still be in business 12 months after this disaster? Do you have sufficient resources off-site to help restore the business and keep your people working?

Are You Prepared?

Is your firm prepared for a disaster? While a chemical spill is unlikely, you may experience a work stoppage caused by a virus, a server crash, software failure or human error. The loss of a network server, a phone system, Internet connectivity or access to your building can dramatically impact your business. It might even put you out of business permanently.

Does Your Firm Need a DRP or BCP?

Does your company have a written business continuity plan (BCP) or disaster recovery plan (DRP)? Do you need both or is one good enough?

Many companies have their IT department prepare a disaster recovery plan and assume that it will protect them in the event of a disaster. These plans often focus on a series of disasters and how the firm will recover. Unfortunately, this strategy often does not fully protect a business that suffers a disaster.

A business continuity plan is as important, if not more important, than a disaster recovery plan. A business continuity plan should include a set of procedures that a firm would follow to restore critical business functions in the event of a disruption. While a disaster recovery plan is limited to the recovery of the IT infrastructure, a business continuity plan is used to recover the business.

In the opening paragraphs, I proposed a scenario where you have no access to your computer system, your office or your voicemail. Would you be able to recover? Do you have sufficient information in an offsite location that would allow you to inform your employees, your customers and your vendors of a disaster?

The process of developing your plans may seem overwhelming and the natural reaction is to ignore it and hope you never need one. The process of developing a plan involves gaining an understanding of what your firm does and the resources that are required to perform the work.

Process Mapping — A Dual Purpose

Business process improvement and workflow are very hot topics in the CPA industry over the past few years. There has been a lot of attention given to the importance of documenting and analyzing your business process as a means to make a firm more efficient and profitable. In addition, having a detailed understanding of your business processes can be a great benefit to you as you prepare a business continuity plan.
 
The process of building your plans starts with management committing to the project and assigning a team that includes employees from all departments. Once the team is assembled, your work starts by determining the types of events that could pose a threat to your business. These could include hardware malfunctions, natural disasters, employee errors, software errors, spyware and viruses.

Workflow diagrams or process maps are used to help the team understand the critical business processes, the resources that support them and the threats that could impact them. Your plans will include detailed recovery steps for each resource. The team must determine maximum tolerable downtime and recovery time objects for each resource.

The next step is to prepare written plans that may include the following:

  • Contact information for the disaster coordinator
  • Contact information for the critical IT personnel
  • Employee emergency contact inform
  • Call team procedures
  • Hardware and software inventories
  • Recovery procedures
  • Customer information
  • Vendor information
  • Temporary workplace information

After the plans are built, they need to be tested. This is often an overlooked part of the process. Your team should define the methodology that will be used to test the plan and how they will document the results. The plan should be updated to reflect findings of the testing process. Finally, the plan must be approved by management.

Preparing Your Firm

I have conducted several surveys of CPA firms and their business continuity planning efforts. It always surprises me that a large number of firms have not prepared either a business continuity or disaster recovery plan. The process of preparing comprehensive plans can be time consuming and require a lot of effort.

However, you will find your plans absolutely essential if you ever see yourself sitting in your office parking lot early some morning watching the fire department putting on their hazardous material suits!

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

Barry MacQuarrie, CPA.CITP, is the Director of Technology at KAF Financial Group. MacQuarrie has extensive experience working with CPA firm technologies and expertise in workflow, process improvement, disaster recovery planning, security and paperless office technologies.