Backup and disaster planning should be evaluated as part of an organization’s overall risk management process. There are two elements to disaster planning:
- Business continuity planning—Ensures the availability of critical business resources (including the IT processes that support them)
- IT recovery planning—Ensures the availability of critical IT resources
In the event of a disaster, management must know:
- Where the disaster recovery plan documents are located
- Which employees must be contacted immediately
- The skill sets needed to continue critical business processes
- Which service providers and other outside agencies may be contacted to provide emergency assistance and services
- What information needs to be imparted to customers and clients regarding changes to business processes that will be followed during the disaster recovery period
The role of IT in business continuity planning continues to grow as organizations become more dependent on automated systems and instantaneous responses in routine operations. For example, retail customers increasingly expect almost instant transaction processing, payment approval, and order fulfilment feedback. Business customers expect immediate information about inventory availability and order tracking. The success of a business is often determined by automated, IT-driven response times.
The following chart shows the relationship between business continuity planning and information technology recovery planning.
| Business continuity planning | Information technology recovery planning | |
| To ensure that critical business processes can continue, or be resumed promptly, in the event of significant disruption to normal business operations | To ensure that critical information systems processing functions can continue or be resumed promptly in the event of significant disruption to normal computer operations | |
| Responsibility | Business units | Service providers of computer operations and systems support |
| Focus | Critical business process continuity and recovery | Continuity and recoverability of supporting IT resources |
| Cost/benefit considerations | Cost of providing continuity and recoverability should be commensurate with the risk of unavailability | |
| Resources addressed |
|
|
| Documentation required | Business unit recovery plans, in as much detail as practicable | IT recovery plans, in as much detail as practicable |
| Testing | Critical business process recovery | IT resource recovery |
Your disaster recovery team
Disaster recovery planning (DRP) for IT processes must be driven from the top. It can be a challenge for busy employees to focus on disaster planning issues. Accordingly, the planning process must be led by IT professionals who have been given a clear mandate and the required resources by executive management. The disaster planning team (DPT) will work with employees directly involved in developing, implementing, and executing IT applications, and with other employees as required, to develop the plan.
A disaster planning team (DPT) should be established with a clear mandate regarding:
- The team members, and their specific roles
- Additional resources provided from each company IT site to develop that site’s disaster recovery plan (DRP)
- Specific expected deliverables
- The schedule for completion of each site’s DRP
- The percentage of each DPT member’s time to be devoted to the development of the DRP to meet the required schedule, since a full-time DPT may be difficult to justify
- What constitutes satisfactory testing of a site’s DRP
If insufficient resources are available to develop a DRP within the required schedule, the company may consider hiring contract personnel to establish the initial DRP under the direction of the company DPT leader. It may also choose to hire a professional consultant to develop the DRP with more limited involvement of the company’s IT staff.
Because a disaster can affect not only IT processes but also other critical processes, an IT disaster recovery plan must be developed as part of an overall organizational DRP. This overall plan should consider:
- Employee and customer communications
- Office and manufacturing space and furniture
- Personnel accommodation (e.g., temporary housing)
- Transportation
- Electrical power supplies
- Telephone systems
- Food supply and preparation
- Relief personnel to handle additional workloads during the recovery process
Learn more about IT recovery planning in Information Technology PolicyPro co-published by CPA Canada and First Reference.
Jeffrey is a popular presenter, and was an adjunct professor at York University for 15 years. He is a frequent course director and course author for many organizations, including provincial bodies of Chartered Professional Accountants across Canada.
He has written over 20 books including: Canadian Treasury Management, Canadian Risk Management, and Financial Instruments: A Guide for Financial Managers (all published by Thomson-Reuters/Carswell), as well as Finance and Accounting PolicyPro and Information Technology PolicyPro (guides to governance, procedures, and internal control), and Cash Management Toolkit for Small and Medium Businesses (all published by Chartered Professional Accountants of Canada [CPA Canada]).
- How does IT recovery planning differ from business continuity planning? - August 4, 2015
- How to manage bank accounts: the basics - July 6, 2015
- Refresher on financial statistics and metrics - April 6, 2015
