Sooner or later your company will experience some type of disaster. You don’t know what will actually happen, or when; how long it will last; how widespread it will be; or how it will impact your business or employees. The one thing you should know, however, is that you need to plan for it.

Scope of Disasters

There are many kinds of disasters that can impact your business; from accidental deletion of a critical file (truly a disaster if the file is unrecoverable and wasn’t backed up) to disasters that have a global impact. Consider the following scope of possible disasters a business may experience:

What you should do

Don’t panic! Instead, start planning, now.

Begin by analyzing your business’ use and reliance on systems and data. For example, develop an understanding of –

• How long your business can operate without access to some or all of its data?
• The legal, ethical, and customer relationship implications of being without your data?
• Whether access to all of your data (i.e. email vs. flat files vs. databases) is equally critical?
• How you would differentiate between a “Disaster” vs. an “Outage”

Next, consider the implications that various potential disasters would have on your business operations, and the nature of disasters that are appropriate and cost effective to plan for.

One of our clients operates facilities in Asia and would be unable to function without access to databases located in the northeastern part of the United States. Fortunately, our client’s disaster plan included contingencies in the event of a failure in transoceanic communications. When the primary transoceanic circuits failed in 2012 during Superstorm Sandy, secondary circuits that were included in the client’s disaster planning provided uninterrupted communications, and allowed the operation in Asia to continue functioning normally throughout the storm and its aftermath.

We have another client who provides communication services to municipalities, and is itself part of those municipalities’ disaster planning. As such, the company’s disaster plan includes considerations for regional and national disasters, including planning for business and service continuity in the event of a terrorist attack.

By contrast, we have a New York City accounting firm client (n.b. not Citrin Cooperman). When evaluating the scope of disasters that this firm needed to consider, they specifically excluded regional, national, and international outages; their rationale was that the taxing authorities would grant filing extensions in the event of a widespread disaster (as the IRS did in 2017 following Winter Storm Stella, and as the IRS and various states did following Hurricanes Harvey and Irma). They recognized, however, that the taxing authorities would not accept a disruption to the firm’s Internet connection as an excuse for failing to electronically file tax returns on time - and that this would be a reputational and possibly financial “disaster” for the firm and its clients. As a precaution, they implemented a redundant Internet circuit as a key component of the firm’s disaster plan.

Developing a Business Continuity and Disaster Recovery Plan

Comprehensive disaster planning includes both considerations of business continuity (i.e. how to continue uninterrupted or minimally impacted operations during a disaster) and disaster recovery (i.e. how to restore operations and recover from a disaster that exceeds the protections afforded by the business continuity measures).

Because disaster planning is a significant part of your company’s risk management efforts, it requires participation, input, and commitment from the C-Suite, not just from the IT Department. The planning, development, and implementation processes all require decisions about the company’s operations, staff, and clients, along with budget considerations and allocation of resources. Disaster planning is an ongoing, iterative process that needs to be reviewed on a periodic basis to ensure that changes to your company’s needs are appropriately reflected.

Putting it all Together

The best time to plan for a disaster is before a disaster occurs. Develop and document disaster procedures and protocols. Identify and communicate meeting places, phone call chains, and alternate work facilities. Determine who is authorized to “declare” a disaster. Train your staff on what to do during a disaster. Conduct “fire drills” to test your procedures. To quote the Boy Scout motto, “Be Prepared.”

If you’ve never done formal disaster planning before, consider enlisting the assistance of a professional to assist with the process, preferably a professional who isn’t selling a predefined solution.

Developing a plan that’s specific to your company and business needs won’t prevent a disaster, but can materially reduce the impact of a disaster on your ability to remain in business. For more information on how to develop a disaster plan, reach out to David Rosenbaum at drosenbaum@citrincooperman.com.