Disaster recovery is a numbers game

CPAs design disaster recovery plans for one thing: to quickly aid clients in their time of need, whatever that need is and whenever it arises. Cheryl Folkerth, CPA and technology manager with Abalos & Associates, in Phoenix, said that disaster recovery is a basic numbers game - sometimes with dire consequences.

According to a study at the University of Minnesota, 93 percent of organizations that lose critical systems for more than 10 days file bankruptcy almost immediately.

Other studies, she added, indicate that 90 percent of companies that experience a catastrophic loss of data and equipment without a disaster recovery plan are out of business within two years. Unquestionably, a small or midsized company with minimal cash reserves and cash flow rarely recovers from a major loss.

So then, how difficult is it to set up such a disaster recovery plan, and is the CPA really the best party to implement it?

Mitchell Freedman, founder of Mitchell Freedman Accountancy Corp. in Sherman Oaks, Calif., pointed out that many parts of the country have been subjected to natural disasters for eons. "Businesses that are located in such areas, therefore, must have a disaster recovery plan in place in order to ensure their survival after such events."

Freedman said that since the terrorist attacks of Sept. 11, 2001, it has become undeniably clear that any part of the country can be subjected to a disaster, including man-made ones.

As a specific example, he cited the Oklahoma City bombing. "Most people thought of that as an anomaly. Now all business owners and managers must be aware that they can become victimized. Their business may be in close proximity to a government office, an important landmark or an important economic enterprise, any of which could be a target of a terrorist attack."

Freedman noted that because a disaster could cost a business its office space, important papers, computer equipment and electronic data, not to mention key personnel, it is vital that owners and managers do themselves, their customers, their staff and the economy a service by planning for that possibility, so that they can be up and running as quickly and as practically as possible should a catastrophe occur.

Gerald Gagne, CPA, CISA and shareholder of Massachusetts-based Wolf & Co.'s Information Technology Assurance Services Group, added that businesses face the risk of process interruption every day.

"A business interruption could take the form of computer failure or theft, physical or cyber-terrorism, fire, tornado, flood or even employee sabotage," he said. "It runs the gamut of what could happen. A well-thought-out business continuity plan defines the resources, actions, tasks and data required to manage the business recovery process in the event of accidental or intentional business interruption."

To JoAnn Ralph, managing consultant of RK Risk Management LLC, an affiliate of Rothstein Kass, headquartered in Roseland, N.J., it's crucial for a business to have a disaster recovery plan. "Reported statistics indicate that a business that suffers a significant loss in productivity or revenue and whose recovery is delayed due to the inadequacy of insurance or disaster planning runs a higher risk of failure within two years of resuming operations. Without a plan of action, a great deal of time is wasted and the costs to get the business up and running again would be inflated."

She said that since a disaster can take many shapes - such as destruction of property, loss of key employees, loss of key clients or a publicity issue - and since most businesses cannot afford any loss of time, it's vital for every business, regardless of size or the scope of loss exposures, to think about how to get back into business as quickly as possible, and where the funds to do so will come from.

"The business that is highly dependent on a small number of suppliers or customers has to also consider the disaster that strikes those suppliers or customers, how it will impact the business and what will be the response to someone else's disaster." She suggested that developing and maintaining an updated disaster recovery plan could also be a way for a business to differentiate itself from the competition or promote its business to banking or investment facilities.

At the Chicago-based firm of Shepard Schwartz & Harris, CPA Michael Breier believes that the importance of such a plan is often understated. "9/11 seems to have brought into focus the urgent need for a disaster recovery plan. Yet that was the least common form of disaster. It's not the type of event you would go through on an average basis. What are more prevalent are power outages, fire, floods, earthquakes, hurricanes and the like."

Theodore Sarenski, a principal at Dermody, Burke & Brown in Syracuse, N.Y., concurred that continuation of the business is the essence of such a plan. "Let's not lose sight of the fact that we are living in a fast-paced society and information, many times, is needed yesterday."

Roman Kepczyk, chairman of the AICPA's Information Technology Executive Committee, said that companies have become incredibly reliant on their information systems to optimize production and processes in every part of their organization. "Having a system that is unavailable for a week, or even a day, creates a significant amount of lost production capacity. Today, it is much more cost-effective to plan for redundant systems than this downtime, so companies should create and test their business continuation plan accordingly."

Difficult to set up?

Gagne feels that it takes a good-sized effort by everyone in a company to put a solid plan together. "You must develop a cross-functional team to help define which business processes and functions are most critical for the organization to keep available. The next step is to determine which systems need to be brought up first to support these critical business processes and document the step-by-step instructions on how to bring them back on line."

According to Ralph, time is really the greatest impediment to a business developing a disaster recovery plan. "The task is one of identifying resources, determining areas of operation most critical to the business, and writing down the tasks and persons responsible so that the business is not starting from scratch if something goes wrong."

Admittedly, she said, there are templates available for setting up a plan and a variety of resources that are available, but she feels that often the management is so busy taking care of business, the project becomes one that sits on the shelf. "It is extremely useful, therefore, to have an outside advisor involved in the process, so that objective questioning can occur to help management determine the best courses of actions and alternatives available to them."

Breier thinks that the good news here is that it's not so difficult to set up a plan. "It simply requires a commitment, some time, and thoughtfulness." He also said that the company must consider carefully what it really has to lose from a disruption, and in which area. "In other words, the type of disaster must be identified and what it could mean."

Sarenski agreed that a business can do a plan on its own, but much depends on its size. In addition, he maintains that the primary drawback to doing it yourself is the required commitment to getting it done. "Moreover, does the business have resources available for off-site back-ups on a daily basis? Is there equipment available? Is there off-site storage?" he asked.

Freedman admitted that it isn't that difficult to set up a plan, but it does take the desire and the discipline to actually do it. In addition, he pointed out that once a plan is established, all elements of the plan must be known by those personnel involved. "And the plan should be periodically evaluated and modified if needed, and it should be periodically tested to make certain that it would function as expected in the actual event of a disaster."

The difficulty of setting up a plan depends upon the size of the business, Folkerth stressed. "Many smaller-to-medium-sized businesses have not had an audit performed, and in some ways, it is much harder to begin at this point. While the scope is much smaller, the business processes for the smaller business may not be documented. Larger companies that have been through an audit have already addressed the issue of disaster recovery, at a minimum."

She pointed to the many off-the-shelf software packages available that can guide a business through developing a disaster recovery plan. However, she cautioned that this is risky without the guidance of an outside party to assist in the evaluation, and to deal with the inevitable individual quirks that do not fit neatly into preprogrammed software. "The major obstacle to overcome, and to assure a successful outcome, is the agreement and buy-in of top management and owners. This is a decision and a process that needs to come from the top down in the organization."

Folkerth noted that initially, management may believe disaster recovery pertains exclusively to information technology. "While IT is a critical part of the plan, it is only a part of the picture. All processes need to be considered in the event of a disaster, i.e., where employees will work, what hard copy files need to be protected, where replacement equipment can be obtained in 24 hours, 48 hours, 72 hours, etc."

Kepczyk said that many companies already have network and system documentation created from their installation process, so for these businesses, it is much easier than for those that have not done any documentation.

"However," he added, "a good business continuity plan also takes other elements into account, such as human resources, to ensure continued operations. The AICPA Disaster Recovery Resource Center [on the Web at https://www.cpa2biz.com/resourcecenters/information+technology/disaster+recovery/default.htm] has a variety of resources, including 'Questions for CFOs and Controllers,' that will help organizations evaluate the management aspects of developing a plan. It can also be very helpful if the organization works with their local network integrator to create the plan, as that party will most likely be involved in any recovery scenario. Once the plan is set up, its effectiveness depends upon two key factors: making sure that the plan is communicated to all staff so that they are prepared to implement the plan in case of disaster; and maintaining the plan, so that it is always current."

Wolf's Gagne said that a business continuity plan needs to be clear enough to understand in a crisis situation, but comprehensive enough to enable a quick and full recovery of business systems. "A good business continuity plan will include a business impact and risk analysis, and clearly define roles and responsibilities, including escalation and communication procedures. The plan should also address detailed technology back-up and recovery procedures, disaster scenario responses, technology and facility relocation, critical staff and vendor contact information, insurance requirements, training, and testing."

He pointed out that many times a business will have an over-reliance on a key individual to recover systems, and if that individual is not available during a disaster situation, business resumption could be delayed significantly due to the detailed recovery steps not being clearly documented. "And of course," he added, "you need to make sure you test the plan. Testing will identify any gaps in the plan and will help to ensure that you have everything you need to execute the plan properly and effectively in the event of a real disaster."

RK Risk Management's Ralph believes that there are a variety of issues to be considered, and the unique characteristics of the business can determine what other issues to throw into the hopper. Some basic questions that she raises would include:

* What are the key operations that generate revenue or support the generation of revenue?

* What or who are the resources required to produce the product or services?

* What alternatives to existing resources would be available?

* How quickly can alternatives be obtained?

* Are the needed alternatives temporary in nature?

* What are the costs to be considered?

* What insurance is available or in place to help fund the recovery?

* What other funding sources are available?

* What will happen to the existing facilities and staff during the recovery?

* How will customers be advised of the disaster and the recovery steps being taken?

* Who will deal with public officials and the media?

The AICPA's Kepczyk stressed that it is vital for all critical data to be backed up, verified and tested, and stored offsite, as this is the best insurance against a total loss.

Next, companies should have system redundancy, so there is no single point of failure. Another important issue, he said, is documenting the entire network and having a system in place to not only ensure that it is regularly updated, but also that it is sent offsite in both an electronic and physical format to the appropriate personnel, who can respond in the event of a problem. "This plan should be reviewed and updated annually so that it retains its potency."

Abalos & Associates' Folkerth looks to work in concert with management and the owners. "An emergency response team or committee should be established. This team will assist in the compilation of the data required to create the plan, and will be primarily responsible for the plan's execution."

She believes strongly in defining and documenting critical company functions and their hierarchy. In other words, which company function needs to be restored first? Regarding this aspect, she looks at the following issues to be considered:

* Identify key employees and their job functions. Document what equipment, resources, files and Internet access they require. For example, identify hard copy documents that are required and are not easily recreated electronically, such as executed contracts, insurance policies and client source documents.

* Identify threats and risks. These can be natural, human or technical. It is essential to consider that the business could not continue to operate at its present location. The plan should also address how to deal with lesser risks, such as the brownouts that occur during the summer months due to problems with the West Coast power grid.

* Identify recovery solutions. For each of the critical company functions defined above, and the related identified threats and risks, determine the steps necessary to recover the critical activities. As an example, having access to temporary office space for employees might be considered a recovery solution. Another recovery solution is possibly having a plan to restore the network and data offsite, and providing employees secure access through the use of a virtual private network until more permanent space is acquired.

* Create the plan and related recovery lists. From the information gathered previously, develop a plan with step-by-step processes for restoring critical functions. Each of the steps should be assigned to the appropriate personnel.

Folkerth said that the recovery lists should include personnel, their specific responsibilities and contact information, required equipment, insurance information, selected vendors for replacement equipment, and an equipment inventory list (categorized based on the hierarchy identified), customer lists, emergency services telephone numbers, and storage of a copy of the plan offsite. "Depending upon the size and nature of the company's business, consideration should be given on how to deal with the media and having a plan developed in advance for crisis public relations in the event that it might be necessary."

Moreover, she emphasized that any plan must be tested on a regular basis. "By performing a sufficiently stressful test, you can gauge the reactions of your employees to a crisis. A test will also help identify any holes in the plan. It is vital to educate employees on the existence of the disaster recovery plan and their responsibilities in executing it. Also, keep in mind that change is inevitable. The plan and its components should be reviewed and tested by management and the consultant at least annually."

Other concerns

Freedman said that, of the various elements that have to be considered, there are a few other areas that must be addressed, and they fall into certain categories:

* Personal safety. If disaster strikes during business hours, there should be a plan to make sure everyone is safe.

"My firm is on the ninth floor of a 21-story office tower," Freedman said. "Our plan is that everyone grabs his or her personal disaster kit from under the desk and exits the building using the emergency staircase. We have a meeting place, which is the parking lot of a fast food restaurant two blocks from our building. Everyone knows that they must meet there. Once we have accounted for everyone, we will use our cell phones to contact a family member out of state. All of our local family members have that number and we will check in there so that we know that our loved ones and family are safe and accounted for."

"We call our emergency kits 'earthquake kits,'" he added, "but they would be useful in any emergency. The contents will enable us to be able to sustain ourselves for 48 to 72 hours. Included, at a minimum, are food, water, flashlights, batteries, portable radios, thermal blankets and comfortable shoes."

* Operating information. Freedman explained that his firm's computer data is downloaded every night and taken off the premises.

"So, the worst that will happen is that we will lose one day of data," he said. "We also have a system of retaining weekly, monthly, quarterly and annual data, and moving it off premises. Our data is our lifeline to our clients and their needs. In recognition of that, within the next nine to 12 months, we will have even more protection. We will be going to a paperless office environment. This is somewhat scary, as we are a family office for many clients and we are also a registered investment advisor. Continuity of work and security of data are essential. Once we move to the paperless environment, there will be a computer server in my home that will be recording every transaction simultaneously to those recorded in our office. My home is 25 miles from my office, so in the event my office can't be reached or is destroyed, a skeleton staff will be able to be up and running virtually immediately without any loss of time or data."

* Alternate premises. Freedman admitted that this would be a massive challenge, but many of his employees have modem or Internet access to the office computers.

"I have a spacious home with a fully operational office for me and space to have as many as three to five people work here," he said.

"We also have sharing arrangements with several other firms with similar practices to ours that use a particular proprietary hardware and software configuration to utilize each other's technical resources on a temporary basis if need be. However, concern for clients' privacy is an additional reason that has driven me to plan for the parallel computer system at my home."
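Freedman's nightly download plus weekly, monthly, quarterly and annual copies, and Kepczyk's insistence that backups be verified and tested, both come down to two mechanical checks: which copies to keep, and whether a restored copy actually matches what was backed up. The following Python is an added example, not code from the article or from any firm quoted in it; the retention counts, directory names and sample file contents are assumptions chosen for illustration.

```python
"""Backup rotation and restore verification (added example).

Not code from the article or any firm quoted in it. Implements the retention
pattern Freedman describes (nightly copies plus weekly, monthly, quarterly
and annual copies) and the "backed up, verified and tested" step Kepczyk
recommends. Retention counts, directory names and sample data are assumptions.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import date, timedelta

# Assumed policy: how many backups of each tier to keep.
RETENTION = {"daily": 7, "weekly": 4, "monthly": 12, "quarterly": 4, "annual": 7}


def tiers_of(d):
    """Every retention tier a backup taken on date d qualifies for."""
    tiers = ["daily"]
    if d.weekday() == 6:            # the Sunday copy doubles as the weekly
        tiers.append("weekly")
    if d.day == 1:                  # the first-of-month copy doubles as the monthly
        tiers.append("monthly")
        if d.month in (1, 4, 7, 10):
            tiers.append("quarterly")
        if d.month == 1:
            tiers.append("annual")
    return tiers


def select_keep(dates, policy=RETENTION):
    """Dates to keep: for each tier, the newest N copies that qualify for it.

    A backup survives if any tier keeps it; everything else may be pruned.
    """
    keep = set()
    for tier, n in policy.items():
        qualifying = sorted((d for d in dates if tier in tiers_of(d)), reverse=True)
        keep.update(qualifying[:n])
    return keep


def nightly_history(end, days):
    """Constructed list of nightly backup dates ending on `end`."""
    return [end - timedelta(days=i) for i in range(days)]


def build_manifest(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time.

    Returns a list of problems; empty means the restore is byte-for-byte
    complete. Keep the manifest offsite apart from the backup media so a
    damaged or altered copy cannot vouch for itself.
    """
    restored = build_manifest(restored_root)
    problems = []
    for rel in sorted(manifest):
        if rel not in restored:
            problems.append("missing: " + rel)
        elif restored[rel] != manifest[rel]:
            problems.append("corrupt: " + rel)
    for rel in sorted(restored):
        if rel not in manifest:
            problems.append("unexpected: " + rel)
    return problems


def demo():
    """Constructed end-to-end test: a clean restore passes, a damaged one fails."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        os.makedirs(os.path.join(live, "clients"))
        os.makedirs(os.path.join(live, "gl"))
        with open(os.path.join(live, "clients", "ledger.csv"), "w") as f:
            f.write("acct,balance\n1001,2500.00\n")       # constructed sample data
        with open(os.path.join(live, "gl", "2023.txt"), "w") as f:
            f.write("year-end close\n")                    # constructed sample data
        manifest = build_manifest(live)

        good = os.path.join(tmp, "restore_ok")
        shutil.copytree(live, good)
        clean = verify_restore(manifest, good)

        bad = os.path.join(tmp, "restore_bad")
        shutil.copytree(live, bad)
        with open(os.path.join(bad, "clients", "ledger.csv"), "a") as f:
            f.write("9999,0.01\n")                         # silent corruption
        os.remove(os.path.join(bad, "gl", "2023.txt"))      # file lost in transit
        broken = verify_restore(manifest, bad)
    return clean, broken


if __name__ == "__main__":
    history = nightly_history(date(2024, 3, 15), 400)
    print(f"{len(history)} nightly backups, {len(select_keep(history))} retained")
    clean, broken = demo()
    print("clean restore:", clean or "ok")
    print("damaged restore:", broken)
```

Running the file prints how many of 400 constructed nightly backups survive the policy (22 under the counts above) and the result of a clean and a damaged restore. Writing the manifest offsite at backup time is the "verified" in Kepczyk's list; restoring into scratch space and comparing is the "tested", and it is the step that catches the day-old copy that was silently truncated before anyone depends on it.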

Why the CPA?

To DB&B's Sarenski, CPAs are involved on a daily basis with their clients. He points out that they provide ongoing service to the client and look out for the client's business. In other words, they are involved with all pieces of a client's business and are therefore best placed to set up a disaster recovery plan, because they know exactly what is involved.

In fact, he says that most of the state CPA societies have put together excellent brochures and guidelines on developing a disaster recovery plan. "Keep in mind that the CPA has an overall picture of what's entailed in running a business, more so than anyone else," he said.

Ralph maintained that the CPA, especially when serving in a role as a key business advisor, understands how the business makes its money and what it needs to get back in business, as well as having experience and resources based on other business relationships to draw upon. "At Rothstein Kass, our accounting professionals work in conjunction with the risk management/insurance consulting affiliate that I lead and the IT division to bring an added dimension to the process of developing and maintaining a recovery plan. The CPA, and these other resources, are also critical in the event of a disaster in assisting the business in the implementation of their plan. These key advisors are in a good position to assist clients in developing a plan during the normal course of business planning endeavors."

SS&H's Breier believes that the CPA can develop such a disaster recovery policy better than just about anyone else. "The CPA is the best person to do it, because the CPA can formulate a business impact analysis and in what order of priority the system should be developed. The practitioner can also develop recovery strategies with contingency plans, plus testing and training for appropriate employees."

Folkerth agreed that CPAs are masters of business information, and that they know the client's business intimately. "We offer an objective, third-party view that will help guide the client through the process of documenting the business processes and formulating a plan that will have the business up and running again as quickly as possible," she said.

"Who else but a CPA?" asked Freedman rhetorically. "CPAs understand their clients' businesses and know their individual clients more so than any other professional. CPAs usually know the critical elements of their clients' operations as much as, or more than, their clients. CPAs also understand that not only must a business be able to get up and running after a disaster, its systems and accounting must be up to speed, as well."

Kepczyk pointed out that CPAs focus on business continuity, not just from a technical perspective, but from a procedural, business process and informational accuracy perspective, "so they bring in the most comprehensive viewpoint."

How do you fit in?

Gagne noted that Wolf has a special information technology risk assessment that reviews all current technology threats, along with the company's vulnerabilities and controls, to determine where the greatest risks are in the organization. This includes the following:

* An information privacy review (Gramm-Leach-Bliley) covering the organization's information privacy program to determine adherence with the federal privacy laws;

* An application security review covering the application software configuration for issues such as valid user accounts, appropriate password restrictions, and other user access privileges;

* An internal network security review that offers a comprehensive scan of network objects and permissions to detect inconsistencies that conflict with the organization's internal security model;

* An Internet intrusion review utilizing Internet scanning utilities to check a range of Internet protocol addresses for potentially thousands of known vulnerabilities and threats;

* War-dialing to provide a detailed scan of the telecommunication infrastructure for unprotected modems that could be used to gain access to the organization's network;

* Social engineering involving interview techniques designed to assess the organization's information security awareness and, if necessary, the development of an awareness training program;

* Business continuity planning affording a detailed review of the organization's plans, including disaster recovery and incident response procedures, to determine if the organization is able to effectively respond to an emergency situation;

* Policy and procedure development covering the development and implementation of comprehensive information security policies and procedures designed to protect against identified risks;

* An internal audit to assist the internal audit department in assessing technology-related risks and provide internal auditor training; and,

* SAS 70 (third-party review) Type I and Type II for an independent review of a service organization's controls: Type I reports on the design of those controls as of a point in time, and Type II also tests their operating effectiveness over a period.

Rothstein Kass and its affiliate, RK Risk Management, work in tandem, Ralph said, to provide support to businesses at a variety of levels in the development and implementation of a disaster recovery plan depending on the client's particular needs and resources.

"Our professional staff can assist the business as a facilitator to get a plan developed, assist the client in putting a plan into writing, act as a sounding board in reviewing a plan, and assist the client in the development of the financial resources required," she said. "In the event of a disaster, our professionals work with our clients to implement the plan and get them back in business as quickly as possible. We can utilize a variety of our resources to accomplish this, including providing assistance in obtaining funding for the recovery through banking or insurance facilities."

Breier pointed out that Shepard Schwartz & Harris works principally with a formal, written document. "Also, complying with SAS 94," he said, "requires us to obtain lots of vital data about the client's system."

Sarenski said that his firm has audit experience in many different areas, and there is considerable crossover between businesses. "We have breadth of experience from one type of business to another."

Meanwhile, Folkerth's firm can assist the client in developing a plan, "either by supplementing the software they may have already acquired or developing a plan from beginning to end."

Freedman's firm helps clients, both individuals and businesses, understand the risks involved and develop both pre- and post-disaster plans. He believes that a recovery plan must be in existence before the occurrence of the disaster, or else critical time will be lost. "Those with the best plans in place will be in the best position to mitigate the negative consequences of a disaster."

He also works with his clients in the risk-management area. "We are involved with almost all of our clients in the planning for business and personal property and casualty insurance. As we understand such issues more so than most CPA firms, it separates us from our competition. However, CPAs who don't have this expertise can still help their clients by making sure that their clients have competent and proactive insurance professionals on their team."

Freedman's firm is deeply involved in the claims process with its clients, working with insurance adjusters and helping to negotiate and advise on appropriate insurance settlements. "We also offer assistance to victims of disaster by providing expertise, and also handling all paperwork for clients when government assistance is needed or requested."

Said Folkerth, "A disaster recovery plan should provide your staff with the peace of mind that they would continue to have employment in the event of a disaster and with the comfort that management is addressing the issues of catastrophic events."
