Protecting Your Business From Disaster
As small and mid-size businesses around the country and the world work to stabilize in the wake of the deadly COVID-19 pandemic, the economic upheaval caused by the coronavirus crisis brings a wake-up call. Just how prepared was your business for such a devastating event and how would your company or organization fare should disaster strike your technology infrastructure?
Such a “disaster” can disrupt a business’s operational and technological capabilities for an extended period, which in turn affects the ongoing operations of the company and can, in fact, threaten its very existence. That’s why all organizations should be considering disaster recovery: a set of policies, tools/applications and procedures that enable the recovery and continuation of critical technology and systems following a disaster.
Some examples of potential disasters:
- Natural disasters like floods, tornadoes and hurricanes
- Infrastructure breakdown (e.g. utility disruption, pipeline bursts)
- Human error or threats (e.g. cyber-attacks)
According to global IT services provider phoenixNAP, statistics show about 93% of businesses without a Disaster Recovery (DR) plan in place that suffer from a major data disaster are out of business within one year.
As consumers and business operators, we’ve seen an increase in attacks in which companies are locked out of their systems or their data is held for ransom. Such attacks can be costly. On average, businesses lose over $100,000 per ransomware incident due to downtime and recovery costs. As these attacks increase, so should your focus on the importance of data backup and recovery processes and controls. Without sufficient backups and defined processes for recovery, companies run an increased risk of delay or error in financial reporting. phoenixNAP says about 96% of companies with proper backups and Disaster Recovery plans in place were able to survive ransomware attacks.
Disaster recovery can be considered a subset of what is considered “business continuity”. Business continuity involves keeping essential aspects of your business functioning when significant disruptive events occur. Disaster recovery focuses on the IT or technology systems supporting your critical business functions.
What Is a Disaster Recovery Plan?
A Disaster Recovery plan simply defines the strategy for recovering critical technology resources to ensure the continuation of critical/vital business processes in the event of a disaster.
As most organizations are very reliant on information technology to conduct business, it’s critical to have a plan in place that can be easily implemented to minimize down-time. This plan defines the key processes for recovering critical technology platforms and telecommunications infrastructure within a specified timeframe.
Tips for Creating a Disaster Recovery Plan
Identify Your Team
Establishing a Disaster Recovery Team (DRT) is a critical initial step in establishing a DR plan. The DRT should be a cross-functional team consisting of IT leadership and other individuals as needed who are responsible for carrying out the tasks outlined in this plan and providing expertise needed to recover from a disaster. It’s also important to involve key business stakeholders who would be involved in helping manage the downtime and recovery and ensure alignment with overall business continuity.
Create an IT Inventory
Ensuring that the organization has a real-time and up-to-date IT asset inventory is important in order to focus on the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for critical systems/applications. An IT asset inventory lists all key hardware and software (e.g. applications, servers, databases) and their relationships with one another. RTO is the goal for how quickly to restore technology services after a disruption, based on the acceptable amount of downtime for the specified technology. For example, a recovery time objective of 48 hours with local accessibility for payroll services means that the payroll application must be up and running within 48 hours as well as locally accessible. RPO is the goal for the point at which to restore data or information after a disruption, based on the acceptable amount of data or information loss. For example, an RPO of four hours for your financial reporting application means that the application data must be backed up every four hours so that no more than four hours of data entered into the application is lost after a disruption.
Get Your Plan in Writing
Creating and documenting a plan around these objectives is key to building out a realistic DR plan. During this process your organization will likely find gaps between the current IT infrastructure and the recovery objectives you have set. Even so, it’s critical for your organization to work through these gaps to ensure that the plan can be carried out as needed for the fluid continuity of the business.
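The inventory-and-objectives step and the gap-finding step above can be turned into a repeatable check. The following is an added example (not part of the original post or GJM’s material) that runs over a constructed inventory: each asset carries its RTO/RPO targets, its measured restore time, its actual backup interval and the assets it depends on, and the report flags where the current setup cannot meet the objectives. It goes one step beyond the text by computing the effective RTO along dependency chains, since an application is only usable once the database and host it relies on are back.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed example inventory, not from the original post: recovery
# objectives (targets) alongside what the current infrastructure delivers.

@dataclass
class Asset:
    name: str
    rto_hours: float              # target: max acceptable downtime
    rpo_hours: float              # target: max acceptable data loss
    restore_hours: float          # measured time to rebuild once dependencies are up
    backup_interval_hours: float  # how often backups actually run today
    depends_on: List[str] = field(default_factory=list)

def effective_rto(name: str, inventory: Dict[str, Asset], _stack=()) -> float:
    """Hours until `name` is usable: its own restore time on top of the
    slowest dependency, because an app is only up once its platform is up."""
    if name in _stack:
        raise ValueError(f"dependency cycle through {name}")
    asset = inventory[name]
    deps = [effective_rto(d, inventory, _stack + (name,)) for d in asset.depends_on]
    return asset.restore_hours + (max(deps) if deps else 0.0)

def gap_report(inventory: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Assets whose current infrastructure cannot meet their RTO/RPO."""
    gaps: Dict[str, List[str]] = {}
    for asset in inventory.values():
        issues = []
        actual = effective_rto(asset.name, inventory)
        if actual > asset.rto_hours:
            issues.append(f"RTO gap: needs {actual:g}h, target {asset.rto_hours:g}h")
        if asset.backup_interval_hours > asset.rpo_hours:
            issues.append(f"RPO gap: backups every {asset.backup_interval_hours:g}h, "
                          f"target {asset.rpo_hours:g}h")
        if issues:
            gaps[asset.name] = issues
    return gaps

INVENTORY = {a.name: a for a in [
    Asset("vm-host", 24, 24, restore_hours=6, backup_interval_hours=24),
    Asset("erp-db", 12, 1, restore_hours=4, backup_interval_hours=1, depends_on=["vm-host"]),
    Asset("payroll", 48, 24, restore_hours=2, backup_interval_hours=24, depends_on=["erp-db"]),
    Asset("fin-reporting", 8, 4, restore_hours=3, backup_interval_hours=6, depends_on=["erp-db"]),
]}

if __name__ == "__main__":
    for name, issues in gap_report(INVENTORY).items():
        print(name, *issues, sep="\n  ")
```

Here payroll’s 48-hour target is met even though its database and host must be rebuilt first, while financial reporting misses both its 8-hour RTO (13 hours down the chain) and its 4-hour RPO (backups only every 6 hours).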
What Else to Consider
Other important items to keep in mind when creating a DR Plan include:
- Determining channels for communicating disasters and next steps to your employees
- Obtaining stakeholder buy-in on the plan and its execution in order to ensure that the plan can be followed through on if necessary
- Testing and practicing your plan to help you find and correct issues, as well as enable more accurate and efficient execution
With these simple actions, you’re on your way to having a plan. COVID-19 reminded us all that catastrophic events do happen. The businesses with a Disaster Recovery plan in place are likely to be the ones to weather IT outages. Now’s the time to pull together your team and establish your plan so should disaster strike, you’ll be ready.
If you have questions creating or cleaning up your DR plan, Gilmore Jasion Mahler’s (GJM) Risk Consulting Team can help guide your business in building out that plan, determining the gaps and testing your DR plan. To start the conversation, reach out to Director Matt Hoverman at mhoverman@gjmltd.com, Manager Tim Schloz at tschloz@gjmltd.com, or Senior Associate Reid Mankowski at rmankowski@gjmltd.com.
GJM Senior Associate Reid Mankowski contributed this blog. Reid joined the GJM Risk Consulting Team in 2019. Reid has significant experience in testing and leading IT general control and business process SOX testing for large and medium-size companies, primarily in the manufacturing industry.
Established in 1996, Gilmore Jasion Mahler, LTD (GJM) is the largest public accounting firm in Northwest Ohio, with offices in Maumee and Findlay. Locally owned, GJM offers cloud-based accounting and provides comprehensive services including assurance, business advisory, tax, risk advisory, healthcare management and outsourced accounting. The Firm’s professionals specialize in industries including construction & real estate, healthcare, manufacturing & distribution and utilities.