Is your midsized company prepared for a business disruption?
In the wake of unexpected and devastating events such as the terrorist attacks in 2001, blackouts in 2003 and Hurricane Katrina in 2005, more and more companies are making the paradigm shift from disaster recovery to business continuity planning (BCP).
Disaster recovery is about restoring infrastructure such as buildings or computer networks in the short term. BCP is about long-term sustainability of an organization, identifying risks and establishing processes to ensure the continuity of critical operations and services to end-user customers in the event of a disaster.
Why the shift? To meet the very real and challenging expectations that companies typically face:
- Customers expect supplies and services to continue or resume rapidly in all situations.
- Shareholders expect management to remain in control during any crisis.
- Employees expect employers to protect their lives and livelihoods.
- Suppliers expect their revenue streams to continue.
- Regulatory agencies expect companies to comply with requirements, regardless of circumstances.
- Insurance companies expect due care to be exercised.
What makes up BCP
BCP is not a project but a continuing program that has to reach across and include the entire organization. It involves the following phases:
- Identify relevant risks and rate them according to their probability of occurrence and potential effect.
- Determine the company’s mission-critical business functions and recovery-time objectives.
- Craft integrated, companywide strategies and action plans to ensure continuation of mission-critical business functions.
- Provide ongoing evaluation, testing and updating of those plans to ensure they keep pace with the risks prevalent in the business environment and changes within the company.
Getting buy-in
The key challenge of BCP is not technology, experts say. Rather, it’s the organization’s top-down commitment to the process, including the updating and testing necessary for maintenance. Because BCP spans operational and support units, it must align closely with the strategic objectives of the company. It also requires clear executive support and resource commitment from all stakeholders.
Performing risk assessment
In order to create a plan, the BCP team needs to thoroughly understand the business and its processes, technology, networks, systems and services. The team will gain this understanding by preparing a risk assessment and business-impact analysis. The risk assessment should include the worst-case scenario of completely damaged facilities and destroyed resources, and should take into account every reasonably possible type of business disruption. These potential calamities include all categories of natural disasters, hardware and communications failures, internal or external sabotage or acts of terrorism, and the failures of supply-chain and sales-affiliate organizations. In other words, "What could happen?" Avoid, however, Armageddon scenarios such as nuclear holocaust.
The business-impact analysis should include an estimate of the financial impacts of operational losses as they equate to business downtime, as well as the cost of replacing damaged equipment, drafting additional resources and setting up extra service contracts. In other words, "What could it cost?" Also consider nonfinancial or less immediate effects such as loss of reputation and employee morale.
Assigning priority
After analyzing potential business disruption, the next step is to define your recovery objectives. This involves determining the true mission of your business (for example, providing goods to customers in a timely manner) and identifying the essential mission-critical functions your business needs to safeguard in order to ensure mission fulfillment. The technologies and applications that support these core business functions will be the ones you must restore first after a disaster. Executives and responsible managers will need to define a timeframe for resuming critical functions after a disaster. The plan also should determine thresholds, such as the minimum level at which the business can operate and the noncritical systems it can forgo for the short term.
Designing the strategy
Recovery objectives make up the nuts and bolts of any recovery strategy. Your BCP planners should ask the following questions to help identify all the necessities:
- What do we have to do? How will we coordinate essential communication among employees, customers, vendors and suppliers? What are the plans for protecting the health and safety of all employees and their families? What are the alternative back-up procedures for recovering critical business functions?
- What do we have to do it with? What are our internal and external resources for rapid recovery?
- With whom do we have to do it? Which individuals will be involved in recovery efforts and what kind of training will they receive? Do we need personnel policies for dealing with issues such as emergency pay, transportation and leave?
- Where do we have to go to do it? What is our alternative recovery facility or location? Will it be mobile or permanent? Will it be fully equipped for fast start up (hot site) or include just the bare minimum (cold site)?
Testing and evaluating the results
A very critical aspect of BCP is making sure your strategy actually works and meets expectations. Process recovery procedures, manual workarounds, server build procedures, resource listings and call trees are all great in theory. However, you can’t count on them until tests prove they’re complete and accurate.
What you do with test results is also very important. If you plan to recover without third-party services, create an action-item checklist from your review of what worked well and what didn’t in a test. If you are working with a vendor, document what went wrong and use that report to outline your expectations for the next test.
Reviewing and maintaining
No recovery plan ever stays complete over time. You must update it whenever business-process, hardware or software changes occur. A plan also requires updates with changes in vendors, customers, company personnel and departments. Review plan documentation regularly, even when you’ve had no significant business or information-technology changes.
Using outside resources
Though the basic requirements of BCP are the same regardless of a company’s size, large companies do have certain advantages over smaller organizations, such as greater financial resources, more internal staff, the ability to have certain locations back up others, and geographic spread of risk.
On the other hand, because of their size, complexity and range of risks, large organizations can spend more time and money just to complete a risk assessment and business-impact analysis.
Thanks to fewer locations, potentially fewer state and local regulations to contend with, less complex business functions and fewer interdependencies, midsized companies can take a more streamlined approach to the analysis phase of BCP. They can save significant time, money and other resources by leveraging facilitated workshops or outside consultants to assess risks and quantify the potential effects.
Midsized companies also should consider outsourcing BCP functions to third-party providers. This can include storing copies of critical company data, assuming processing operations of critical applications such as Websites and e-mail, supplying PCs and servers on demand, and offering alternative facilities to continue critical business operations. Using managed service providers for certain aspects of BCP also allows companies to keep pace with rapidly changing technology.
The buck stops here
Recovering and restarting business services after a major disruption is the ultimate goal for any organization. Having a strong BCP program that’s regularly tested and updated for all types of scenarios is the best way to make this goal a reality. BCP methodology is scalable; organizations of all sizes and levels of complexity can use it. While companies can outsource much of the work (advisors can assist with baseline assessments and initial plan development; service providers can manage the plan’s implementation), it’s up to the organization to commit to the program.
BCP consulting and planning assistance
- Software and consulting. Many service providers offer combinations of tactical consulting with business continuity planning and management software, sometimes including full continuity management services and hot-site facilities.
- Hardware and consulting. Hardware vendors may combine continuity consulting with rapid shipment of replacement hardware, mobile-site delivery or hot-site facilities.
- Internet e-commerce continuity and consulting. Communications and networking vendors may offer high-availability networking and rapid-recovery solutions with tactical consulting.
- Product-independent consulting. Consultants provide analyses, audits and tactical recommendations for selecting business-continuity products and services.
- PC-based planning tools. Many hot-site vendors offer some form of computer-based disaster-recovery plan development tools. In many cases, these packages are part of an enticement to acquire full hot-site services.