From the Oct. 2009 Issue
Susan, Robert and Gary have a problem. They have to prepare for the unexpected: What would happen if disaster struck and there was a period that they couldn’t get to their systems? And, even though the likelihood of a potentially crippling event was small, how much should their companies invest to try to “protect” their business?
- Susan manages a large group of Quick Service restaurants with locations across multiple states. They have thousands of employees, many who live paycheck to paycheck, and she worries about what those employees would do if the company was late on a payday. Would a delay in payroll cause some to lose confidence and go work for a competitor?
- Robert owns a parts distribution company with one location and 20 employees. His office manager makes a tape back each day and Friday he takes home the weekly back up. What happens if there’s a problem in the middle of the week and he falls behind on orders and shipments? They recently automated a lot of their work flow and clients said it improved their customer service. Would they jeopardize that good will if they were pushed back into their old ways?
- Gary runs a furniture manufacturing company. His big fear is loss of efficiency if their system was unavailable. How they would know what was in stock? Would they be setting incorrect expectations to customers on availability and delivery dates?
Three different businesses in size, revenue, locations and employees. Three different risk factors. Yet while their businesses are diverse, they all have one thing in common: what risk/reward ratio are they willing to live with if they can’t run internal systems? How much does it cost? What’s the right thing to do?
Planning for Disaster Recovery is very much like planning for a fire or a car wreck: How much risk are you willing to take, and how much insurance do you need “just in case.” Disaster recovery and business continuity takes many forms, all of which may be viable solutions, just not for everyone. Since there is no one size fits all - the best solution is the one that is right for the individual business.
There are several good tools and services available, some of which were covered in the September 2009 issue of The CPA Technology Advisor in columns by Scott Cytron (www.CPATechAdvisor.com/go/2489) and Randy Johnston (www.CPATechAdvisor.com/go/2491). The tricky part is to honestly identify exactly what you need and how much insurance you need in anticipation of those “events.”
Here are some ideas to help you prepare and make those decisions in your individual situation or for your unique company:
• Document your manual processes so you can quickly start using them if disaster strikes. Do you have a name and number lists so you can reach key people? Do you have in place a plan for something as simple as forwarding your phones to a remote location or a cell phone so you can keep in touch with customers and vendors?
• Back-ups are the logical great first step. But, how many times have you heard where companies went to their back ups only to find they did not back up the right folders or the tape was bad? Or worse, backups were not really running, they just acted like it. To address this issue it is vital you test the integrity of your backups. Perform a full test restore periodically. How often you test that is directly related to your comfort level. Run some test data in all your software applications. Don’t forget to take old tapes or other media out of the backup rotation.
• Keeping backups off site gives you the security that your backups won’t go up in flames, get drowned or taken by thieves when everything else in the office if affected. Again you need to know your tolerance for how much work you want to do to determine how often you rotate off site.
• If your systems are up and running and your data gets damaged – how much work time can you afford to spend recreating the data since your last backup? Robert’s parts distributor currently holds all shipping/receiving information until the end of the day and enters their sales orders in the morning. They are most vulnerable two times of the day right before posting.
• If your system shuts down due to hardware failure – how long could the business go before the system needed to be back up? Gary’s manufacturing company’s “insurance” is the manual backup systems they still utilize. Gary says he didn’t need to have backups more than once a day and rotating their tape off site to an owner’s house seemed to work well. Just as important to protect their investment, Gary committed to keep their hardware up to date and on current versions of the software applications and operating system. That would make it easier for them to quickly replace their hardware. They also have Terminal Server in place so the server could be anywhere.
• If you run payroll in house – how much leeway do you have from when you get timecards in to when paychecks needs to be in employee hands? If you had to do them manually how long would it take? Getting checks to 25 employees is totally different than paychecks for 3,500, which was Susan’s concern as a restaurant franchisee. She needed a more comprehensive “insurance policy” that in her case led to the decision to store a printer with a MICR cartridge and blank check stock off site with a virtual server image of their install just in case their building was damaged. Their insurance was the ability for an authorized person from their team to actually work out of the remote site and produce payroll.
This was a more comprehensive choice because of the duplicated system, the hardware to support and the services to keep it current. The restaurant company decided that after the initial setup they were fine with testing the system just once a year. This was a fine tuning change that made them feel their “insurance policy” was a good investment.
Be honest with yourself as you assess the business tolerance for what might arise as a result of a disaster. Take the time to list out and understand your most vulnerable processes. Assess what pieces are impacted and what your business would look like if you could not access your systems for 1 day, 3 days, 7 days – you get the picture. At one of those points you “cry uncle” and say I can’t go that long.
Once you know what you can and can’t live with, you’ll know how
much “insurance” you need to consider. The next step now is to decide
on the individual tools and then implement. You then have the assurance of knowing
you really have thought through the contingencies and you can live with and
survive with the consequences.