Thursday, March 21, 2013

Prepping for disaster


The year 2012 was a controversial one. Apocalyptic prophecies of how the world would end sparked a great deal of paranoia worldwide. But as New Year’s Day drew to a close with the world still intact, it became apparent that Armageddon would not be happening that year.

It remains a fact, however, that in this past year alone, our country witnessed several tragedies, including Typhoon Pablo (international name: Bopha). When it hit Mindanao in December 2012, it left extensive damage to property totaling PHP 36.9 billion (USD 900 million), making it the costliest Philippine typhoon to date. Internationally, Indonesia, Mexico, and Iran were struck by earthquakes of magnitude 6 and above; the United States was devastated by Hurricane Sandy; and several other countries experienced flash floods and landslides.

As these calamities happen more often every year, it is important that companies reexamine their Disaster Recovery (DR) systems. Since businesses rely on systems for their daily operations, business leaders should ensure that these systems are resilient and are able to withstand catastrophes so as not to hamper the company’s continued growth.

The makings of a sound DR plan
The DR plan is an essential tool in preparing for a disaster. It is a step-by-step guide on how a company can continue or recover its operations once a disruption occurs. Here are the basics of the plan:

1. Conduct a Business Impact Analysis (BIA).
This should be the first consideration in preparing the plan. The Information Systems Audit and Control Association (ISACA) defines BIA as “an exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting system.”

Basically, the purpose of the BIA is to identify which processes and systems are the most crucial for the survival of the company. It also shows the potential threats that might occur and their resulting effects on the company.

2. Define recovery objectives.
There are two important terms to define: (1) Recovery Time Objective (RTO) and (2) Recovery Point Objective (RPO). ISACA defines RTO as “the acceptable amount of downtime for the recovery of systems surrounding a business function or resource, after a disaster occurs,” while RPO “indicates the earliest point in time that is acceptable to recover the data.” To put it simply, the RTO should answer the question, “How long can my company survive before the process/system recovers?” The RPO should answer the question, “How much data can my company tolerate losing?”

Assigning figures to the RTO and RPO should be done realistically. The BIA was conducted in the first step because it identifies the most crucial processes and systems; hence, the shortest RTO and RPO should be assigned to the most crucial processes and systems.
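As an added illustration (not part of the original article), the two rules above can be checked mechanically: objectives should tighten as BIA criticality rises, and the age of the latest backup must not exceed the RPO, or a disaster today would lose more data than the business said it could tolerate. The systems, ranks, hours and timestamps below are constructed sample values.

```python
from datetime import datetime

# Constructed sample inventory: systems ranked by the BIA (1 = most
# critical), with the RTO/RPO assigned to each in hours and the time of
# the latest successful backup. Hypothetical values, not a real DR plan.
SYSTEMS = [
    {"name": "order-processing", "bia_rank": 1, "rto_h": 2, "rpo_h": 1,
     "last_backup": "2013-03-21T08:30:00"},
    {"name": "payroll", "bia_rank": 2, "rto_h": 24, "rpo_h": 4,
     "last_backup": "2013-03-21T02:00:00"},
    {"name": "intranet-wiki", "bia_rank": 3, "rto_h": 72, "rpo_h": 12,
     "last_backup": "2013-03-18T23:00:00"},
]


def check_objective_ordering(systems):
    """Return names of systems whose RTO or RPO is shorter than that of a
    system the BIA ranked as more critical. Objectives should never be
    tighter for a less critical system than for a more critical one."""
    ordered = sorted(systems, key=lambda s: s["bia_rank"])
    problems = []
    for more_critical, less_critical in zip(ordered, ordered[1:]):
        if (less_critical["rto_h"] < more_critical["rto_h"]
                or less_critical["rpo_h"] < more_critical["rpo_h"]):
            problems.append(less_critical["name"])
    return problems


def rpo_violations(systems, now_iso):
    """Return (name, backup_age_hours) for every system whose latest backup
    is older than its RPO: a disruption at `now_iso` would lose more data
    than the RPO allows."""
    now = datetime.fromisoformat(now_iso)
    violations = []
    for s in systems:
        age_h = (now - datetime.fromisoformat(s["last_backup"])).total_seconds() / 3600
        if age_h > s["rpo_h"]:
            violations.append((s["name"], round(age_h, 1)))
    return violations


if __name__ == "__main__":
    print("ordering problems:", check_objective_ordering(SYSTEMS))
    print("RPO violations:", rpo_violations(SYSTEMS, "2013-03-21T09:00:00"))
```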

3. Establish a workforce plan.
The workforce plan should clearly define the responsibilities of all key personnel in implementing the DR plan. Backup personnel should be identified and trained for their roles in the event that the personnel with primary responsibility cannot perform the task. Regularly check that the workforce’s contact numbers are correct so that they can be reached wherever they may be. If it is impossible for some personnel to report to the office for days, weeks, or longer, identify alternate locations where they can continue their work.

4. Document the plan.
When gathering information and drafting the plan, ensure that everyone is involved in order to create a sense of ownership and responsibility. Remember that documentation and dissemination of the DR plan is essential, too. Distribute hard copies of the DR plan to all the personnel involved as soon as it is finalized and make sure that the remaining copies of the plan are kept offsite.

DR templates are available on the internet. But since each company is unique, DR plans should be customized to the specific needs of the company.

5. Test and retest the plan.
Periodically test the DR plan to make sure it works as expected. The DR plan is tested in the following order: (1) testing by mentally performing each step (paper test), (2) testing different parts of the full plan regularly (preparedness test), and (3) testing by simulating a full-blown disaster (full operational test).

Make sure to involve all employees, including executives, so they know how to respond to an emergency situation. After each test, evaluate and document the company’s performance. DR is an ongoing process. Businesses constantly change and critical processes or systems evolve. Improve the plan by testing and retesting it to find any weaknesses or changes.

Resolve to prepare
Disasters occur, but regardless of their intensity, your business should always be prepared to ride out the waves of catastrophe.


Gianina Mai R. Ortega CPA, CIA is a Lead Consultant with the Advisory Services Division of Punongbayan & Araullo
Tax Brief – February 2013
Punongbayan and Araullo