Faster Disaster Recovery - Jennifer H. Elder - E-Book

Description

Protect your company's finances in the event of a disaster

In the face of an environmental or man-made disaster, it's imperative to have a contingency plan that's mapped out your corporation's strategy to minimize the impact on the daily functions or life of the corporation. Successful planning not only can limit the damage of an unforeseen disaster but also can minimize daily mishaps--such as the mistaken deletion of files--and increase a business's overall efficiency. Faster Disaster Recovery provides a 10-step approach for business owners on creating a disaster recovery plan (from both natural and man-made events). Each chapter ends with thought-provoking questions that allow business owners to explore their particular situation.

* Covers natural events such as earthquakes and floods
* Provides guidance on dealing with man-made events such as terrorist attacks
* Offers worksheets to make your contingency plans
* Includes several examples throughout the book

There's no time like the present to develop a business contingency plan--and this book shows you how.


Page count: 202

Year of publication: 2019




Faster Disaster Recovery

 

The Business Owner's Guide to Developing a Business Continuity Plan

Jennifer H. Elder

Samuel F. Elder

Cover image: © Andrew Burton/Staff/Getty Images

Cover design: Wiley

Copyright © 2019 by Association of International Certified Professional Accountants. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

ISBN 978-1-119-57096-7 (Paperback)

ISBN 978-1-119-57102-5 (ePDF)

ISBN 978-1-119-57094-3 (ePub)

This book is dedicated to our families. Thank you, Brian and Eunice Howard, Judith Mernick, Gaynor Sorrell, Dr. Samuel and Sandra Elder, Susan Alders, and Chris Elder. Without your wisdom, advice, and support, we would never have survived the disasters!

CONTENTS

Cover

Preface

Chapter 1 Business Disaster Defined

Disaster Timing and Size

Disaster Types

Notes

Chapter 2 Why You Need a Plan

Disasters Occur . . . a Lot

Disasters Happen Quickly

Disaster Response Is Expensive

Impaired Response

Some Industries Require Them

Your Reputation and Value Are at Stake

Additional Reasons

Why Businesses Fail to Plan

Notes

Chapter 3 Business Continuity Planning

The Five-Step Business Continuity Cycle

The Business Continuity Planning Process

Getting Started

Note

Chapter 4 Step 1: Obtain Management Support

Management’s Role

Obtaining Management Support and Approval

Note

Chapter 5 Step 2: Assemble a Planning Team

Role of the Planning Team

Who to Include

Organization of the Team

The First Meeting

Chapter 6 Step 3: Collect Data

Identify Your Mission-Critical Functions

Department Evaluations

Policies and Procedures

Regulatory Codes and Requirements

Useful Documents

Sample Forms

Chapter 7 Step 4: Evaluate Operations

Chapter 8 Step 5: Identify and Evaluate Risks

Risk Assessment Process

Three Risk Assessment Methods to Consider

Assign a Chief Risk Officer

Chapter 9 Step 6: Determine Recovery Strategies

Prevention

Incident Response

Business Continuation

Communications During a Disaster

Chapter 10 Steps 7–10: Create, Communicate, Test, and Regularly Update Your Written Plan

A Complete Business Continuity Plan

A Basic Business Continuity Plan

After the Plan Is Written

Practice Your Plan

Chapter 11 Insurance Coverage

Predisaster Financial Planning

Basic Types of Insurance

Understanding Your Coverage

Concepts to Know

Filing an Insurance Claim

Insurance Adjuster versus Public Adjuster

Notes

Chapter 12 Computer Systems: Disaster Prevention and Recovery

Causes and Costs of IT Disasters

IT Disaster Prevention

Laptop and Cell Phone Protection

Network Security

Operating in the “Cloud”

Creating an IT Disaster Recovery Plan

Cyber Insurance

Notes

Chapter 13 Special Disaster Issues

Power Outage

Fire

Hazardous Materials Spill

Flood

Hurricane

Earthquake

Tornado

Winter Storm

Heat Wave

Flu

Conclusion

Appendix A Insurance Coverage Worksheet

Appendix B Risk Analysis Worksheet

Appendix C Damage Assessment Form

Appendix D Summary of Communication Systems

Appendix E Emergency Communications Summary

Appendix F Business Continuity Plan Outline

Appendix G Schedule of Training and Testing

Appendix H List of U.S. Privacy Laws

Appendix I IT Backup and Testing Log

Appendix J Sample Computer Network Map

About the Authors

Index

End User License Agreement

List of Tables

Chapter 2

Table 2.1

Chapter 12

Table 12.1

List of Illustrations

Chapter 2

Figure 2.1 Number of Reported Disasters by Country 

Figure 2.2 Occurrence by Disaster Type: 2017 Compared to 2007–2016 

Figure 2.3 Reported Natural Disaster Events by Year 

Chapter 3

Figure 3.1 Business Continuity Cycle

Chapter 4

Figure 4.1 Evaluation of Management’s Approach to Risk

Chapter 5

Figure 5.1 Members of Your Planning Team

Chapter 6

Figure 6.1 Business Function Summary Form

Figure 6.2 Employee Information Form

Figure 6.3 Finance Information Form

Figure 6.4 Vendor Information Form

Figure 6.5 Key Customer Information Form

Chapter 8

Figure 8.1 Risk Assessment Process

Figure 8.2 Business Function Summary Form

Figure 8.3 Calculation of Risk Tolerance Range by Category

Figure 8.4 Calculation of Risk Tolerance by Stakeholder

Figure 8.5 Characteristics of Risk

Figure 8.6 Blank Heat Map


Preface

Every year, disasters, emergencies, and disruptive events take a toll on organizations around the world. They cost money and lives and, too often, organizations never recover.

Although we may not be able to do anything to stop a natural disaster or keep the most sophisticated hackers from attempting to steal our confidential information and trade secrets, there are many steps an organization can take to reduce (and even prevent) damage, enabling them to perform business as usual.

Certainly, a disaster can be created by a massive event, such as a hurricane, fire, or terrorist attack, but it can also be triggered by smaller events, such as a power outage, cyberattack, or even road construction.

And in many cases, disastrous events can be predicted and the extent of their impact expected. For instance, hurricanes like Superstorm Sandy (which hit the East Coast in October 2012), Hurricane Maria (which hit the Caribbean and Puerto Rico in 2017), or Hurricane Harvey (which hit Texas in 2017 and caused $125 billion in damage, mostly in Houston), are often tracked and monitored as they develop.

Although Superstorm Sandy was predicted, no one expected that power would be out for 9 to 12 weeks in many areas of New York and New Jersey. And Hurricane Maria was predicted, but the effect was not something many businesses were prepared to handle. How do you open your store if your employees cannot get to work? How do you find employees when many of the island residents decide to relocate to another country? How do you open your manufacturing facility if you are without power for six months? Would your business survive?

However, although some disasters can be foreseen by experts, they are often overlooked by businesses and organizations. If your organization is located near a bridge, for example, have you ever considered the impact of a closure?

According to a 2018 report by the American Road and Transportation Builder's Association,1 54,259 of the bridges in the United States are rated “structurally deficient.” And one in three bridges have identified repair needs. It only makes sense that if a bridge is known to be structurally deficient before a disaster, the disaster is likely to make it worse, maybe even totally destroying it. This can greatly impact your company, as one business owner in Maryland learned the hard way.

This particular woman was a veterinarian who lived on one side of a small, two-lane bridge; her practice was on the other. One day, the bridge failed unexpectedly, closing it for nine months for repairs and turning her normal five-minute drive to work to a full 45-minute nightmare.

While she personally found this annoying, she discovered that her customers found it impossible, largely because they didn't want to subject their sick pets to a longer car ride, especially in the event of an emergency. As a result, her revenue dropped by a greater percentage each month the bridge was closed. Ultimately, she wound up losing 30 percent of her annual revenue . . . and many of her loyal customers.

Admittedly, this same disaster may not have the same impact on every organization, as what may be an annoyance for one can be a crisis for another. For instance, your computer servers going down is likely to be bothersome, but if you have a bank or brokerage, you may never recover from such a disaster.

Additionally, a winter storm bringing three feet of snow may have no impact on an organization if the employees can work virtually from home, but how do hospitals function if their employees can't get to work? What happens then?

Aside from additional expenses and lost revenue, another often-overlooked impact of a disaster is reputational loss. Your hard-earned, stellar reputation for reliability and dependability can be permanently damaged if you're unable to react quickly to a disaster and address the needs of customers and employees.

That's why this book exists—to help business owners like you protect your company's reputation as well as your finances in the event of a disaster. Each chapter discusses a different area of disaster planning of a business continuity process. At the end of each chapter is “Questions to Ask Yourself” to help you apply what you learn to your organization.

NOTE

1. The ARTBA 2018 Deficient Bridge Report, https://www.artbabridgereport.org.

CHAPTER 1 Business Disaster Defined

How do you define a disaster? What about a business disaster? Is it different? Or is it the same?

As pointed out in the preface, although this is a relevant question—especially in this day and age where disasters seem to make the news weekly, if not daily—it’s one that a number of businesses choose to ignore.

Technically, a business disaster can be defined as:

Any unplanned interruption of normal business functions or processes for an unacceptable period of time.

A situation or event that overwhelms capacity and/or necessitates a request for external assistance.

In either case, when an organization or a department within an organization can’t function normally, it’s incurring extra expenses, losing revenue, or both. None of these are good.

When breaking down the definition, it’s important to understand that every company defines “interruption” and “unacceptable period of time” differently.

For example, an accounting firm may be able to function without access to data files for 24 hours, whereas a financial institution may find being without data for more than 20 minutes totally unacceptable.

According to the Federal Emergency Management Agency (FEMA), a disaster is “any unplanned event that can cause deaths or significant injuries to employees, customers, or the public; or that can shut down your organization, disrupt operations, cause physical or environmental damage, or threaten the facility’s financial standing or public image.”1

Based on this definition, a disaster involves any event that disrupts your company’s normal operations, or that limits or prevents access to company information and systems.

DISASTER TIMING AND SIZE

Disasters are inevitable in most businesses, but the problem lies in the fact that their timing is frequently unpredictable. This means that, although they can happen with some notice or warning, they typically happen when we least expect it.

With a hurricane, for instance, you may have several days or a week to prepare. With a tornado, you have seconds. Some disruptions—such as power outages or computer viruses—can occur with no warning at all.

Disasters also come in all shapes and sizes. Although we often think of them as large in scale, affecting thousands or millions of people, even small events can quickly become a disaster for a company.

A computer virus, water main break, the loss of a supplier, or the arrest of a company officer for driving while intoxicated can dramatically affect the finances of an organization.

The size and nature of the company can also affect the impact of a disaster. For instance, a newspaper article describing the discovery of a $100,000 case of fraud might not have a huge effect on a multinational company, but it will likely severely impair the finances of a nonprofit.

DISASTER TYPES

The types of threats that occur when a disaster strikes can be broken down into seven different categories:

Environmental—hurricane, tornado, or flood

Biological—illness, such as flu

Deliberate—workplace violence, bomb threat, or fraud

Utilities—loss of power or telecom services

Equipment—breakdown or inability to obtain spare parts

Information Technology—hardware failure, data loss, or cybercrime

Other—labor disputes, road closures, or the loss of key personnel

Each of these can have a major impact on how a business runs. Each one can also cripple a company, which is why it is absolutely critical to create a disaster plan, preferably before you need it.

Questions to Ask Yourself

How do you define a “business interruption”?

What would you consider an “unacceptable period of time”?

What disasters do you face that are often predicted, giving you some lead time?

Which disasters tend to creep up, essentially appearing out of nowhere?

What types of disasters could potentially cripple your company?

NOTE

1. “Emergency Management Guide for Business and Industry,” Federal Emergency Management Agency (October 1993), https://www.fema.gov/media-library/assets/documents/3412.

CHAPTER 2 Why You Need a Plan

Physical damage from natural disasters is often the first thought that comes to mind. Yet, there are many financial effects that can have a substantial negative impact on an organization.

Employees may not be able to come into work. Customers may not be able to get to your location. Data and records may be permanently lost. Utilities may be down for weeks. Suppliers may be displaced.

A good disaster response plan, also called a business continuity plan (BCP), addresses these potential issues from a broad perspective. But why go through the time and energy to create this type of plan?

DISASTERS OCCUR . . . A LOT

According to the World Health Organization, across the globe 160 million people are affected by disasters and 90,000 people are killed annually.1

According to the Federal Emergency Management Agency (FEMA), in 2017 disasters affected 8 percent of the population of the United States. If you were not affected personally, your family or friends likely were; 2017 saw FEMA responding to 59 major disasters and 16 emergency declarations.2

According to the Center for Research on Epidemiology of Disasters (CRED), 2017 saw 318 natural disasters in 122 countries affecting 96 million people and costing $314 billion.3 Figure 2.1 provides a visual representation of the 2017 disasters. The statistics go on and on, but I think you get the idea—disasters are here to stay. Most people have experienced a disaster either personally or professionally (and sometimes both!). Consider yourself lucky if you haven’t, but also consider yourself forewarned.

Although the number of geophysical disasters (earthquakes, volcanoes, rock falls, landslides, and avalanches) has remained relatively stable, hydro-meteorological disasters like floods, storm surge, heat and cold waves, drought, and wildfires have increased dramatically.

This means that in order for your organization to cope with the initial event and survive in the long term, you need to be prepared. Or, as the old saying goes, “failing to plan is planning to fail.”

As seen in Figure 2.2, during the 10-year period from 2007 to 2016, there were 354 natural disasters. In 2017 there were 335.

Figure 2.1 Number of Reported Disasters by Country 

Source: “Number of Reported Disasters by Country,” Center for Research on Epidemiology of Disasters, March 2018.

Figure 2.2 Occurrence by Disaster Type: 2017 Compared to 2007–2016 

Source: “Natural Disasters in 2017: Lower Mortality, Higher Cost,” Center for Research on Epidemiology of Disasters, March 2018.

Figure 2.3 is a chart showing the number of reported natural disasters from 1900 through 2017. As you can see, the number of disasters is increasing at an exponential rate.

Figure 2.3 Reported Natural Disaster Events by Year 

Source: “Natural Catastrophes,” Hannah Ritchie and Max Roser, Our World in Data, https://ourworldindata.org/natural-catastrophes.

Freak storms are on the rise in the United States as well. In 2004, four major hurricanes—Charley, Frances, Ivan, and Jeanne—all struck Florida in just six weeks.

In July 2011, a dust storm known as a haboob hit Arizona, shutting down the Phoenix airport for 45 minutes. The dust wall was estimated at 5,000 feet high by 60 to 70 miles wide.

And in June 2012, a violent and fast-moving string of thunderstorms, known as a derecho. With peak winds of 91 miles per hour, the derecho was equivalent to a Category 1 hurricane. When all was said and done, it left a 700-mile swath of downed trees and power lines all the way from the Midwest through the mid-Atlantic states. Extensive damage occurred in Indiana, Kentucky, Ohio, Pennsylvania, West Virginia, Virginia, District of Columbia, Maryland, Delaware, and New Jersey. The 2-day storm resulted in 22 deaths, and almost 5 million customers were without power, some for 5 days or more. How would your business respond if you were without power for almost a week?

In October 2012, Superstorm Sandy had winds extending 1,100 miles, affecting 24 states (the entire eastern seaboard from Florida to Maine and as far west as Michigan and Wisconsin) and knocking out power to approximately 8.5 million homes and businesses. Superstorm Sandy claimed 233 lives and cost $72 billion.

In September 2013, areas surrounding Denver, Colorado, received upward of 15 inches of rain in one week, resulting in flooding in 14 counties over 200 miles that damaged 1,500 homes.

That entire year was a busy one for disasters, with the German insurance company, Munich Re, reporting that there were 880 major natural disasters around the world in 2013. All in all, they killed an estimated 20,000 people and cost $125 billion in damage.4

Worldwide, 2013 was also the year of at least 11 major earthquakes of 4.7 magnitude or greater. There were also several other “earth-shaking” events, including a fertilizer plant explosion in Texas that created a 2.1 magnitude tremor felt in 36 different zip codes and a meteor explosion in Chelyabinsk, Russia, which generated a shockwave that damaged an estimated 4,000 buildings and injured more than 1,000 people.

Paul Caruso, a geophysicist with the U.S. Geological Survey,5 reports that, in the first week of April 2014, Oklahoma—a state known more for tornadoes—experienced 48 quakes of 2.5 magnitude or above. During the prior 30 days, there had been 157 quakes larger than magnitude 2.5, whereas, in 2009, only 50 earthquakes were reported for the entire year.

After 12 years of little to no hurricane activity, 2017 saw the most active and costliest hurricane season since 2005. Hurricane Nate was the costliest disaster to ever hit Costa Rica. Hurricanes Harvey, Irma, Maria, and Nate had their names retired due to their high damage costs and loss of life.

There’s also the issue that some states tend to have more major disasters than others. As Table 2.1 shows, there are 10 states that top the charts for the number of disasters declared since 1953.

Table 2.1 Ten States Most at Risk for Natural Disasters

| State | Types of Disasters | No. Declared Since 1953 |
|---|---|---|
| 1. California | Earthquake, wildfire, landslide, flooding, and severe freeze | 281 |
| 2. Texas | Tornado, flooding, hurricane, and wildfire | 255 |
| 3. Oklahoma | Tornado, wildfire, winter storm, flooding, and terrorist bombing | 173 |
| 4. Washington | Wildfire, winter storm, volcano eruption | 136 |
| 5. Florida | Hurricane, wildfire, and severe freeze | 130 |
| 6. New York | Winter storm, flooding, hurricane, and terrorist attack | 95 |
| 7. Alabama | Hurricane and tornado | 82 |
| 8. (tie) Colorado | Wildfire, snowstorm | 80 |
| 8. (tie) New Mexico | Wildfires | 80 |
| 10. (tie) Louisiana | Hurricane and flooding | 79 |
| 10. (tie) Oregon | Flooding and wildfires | 79 |

Source: Megan Trimble, “America’s 10 Most Disaster-Prone States,” US News and World Report, June 18, 2018.

DISASTERS HAPPEN QUICKLY

Many types of disasters have little or no warning: sabotage, Internet outages, tornadoes, and earthquakes. When a disaster strikes, you and your employees are dealing with extreme levels of stress, anxiety, fear, and sadness. You may be dealing with information overload or a complete lack of information.

The chaos alone is enough to make it harder to think clearly, quickly, and smartly. According to Earl Miller, a neuroscientist at Massachusetts Institute of Technology, switching between just two tasks can reduce your IQ by 10 points!6 Now imagine the effect if you are multitasking all day, all week, and under extreme stress.

In October 2018, a tropical storm was swirling in the Gulf of Mexico. Many forecasters did not expect much from it. The last time a hurricane had hit the Panhandle was in the 1800s. Forecasters thought it might reach Category 1 status at best. Unfortunately, they were very wrong.