Pretty much all organizations are faced with potential disasters, including cyberattacks, political upheaval, and natural calamities. For example, this past April, GM’s plant in Venezuela was seized by the cash-strapped government. Hyatt Hotels, Alliance Health, Wendy’s, Verizon, LinkedIn, the Democratic National Committee, Citibank, and CiCi’s Pizza were among the thousands of U.S. companies experiencing serious cyber breaches in 2016 that exposed millions of customers’ or members’ personal information. Flood damage in North Carolina from Hurricane Matthew last October was estimated at $1.5 billion; the storm cost lives and forced many businesses to close.
Given the many possibilities for disaster, it’s imperative that companies be prepared for such events. But are they? To answer this question, IMA® (Institute of Management Accountants) conducted a survey of senior finance professionals in March 2017 asking how their companies are preparing for disaster risks and recovery afterward.
About one-third of the 42 survey respondents’ companies had experienced some type of major disaster in the last three years (21% in the last year). They are most concerned about the following types of disasters:
- Cyberattacks (81%)
- Natural disasters (55%)
- Financial fraud (40%)
- Technological outages (36%)
- Loss of power (31%)
- Loss of key supplier/customer (21%)
A disaster recovery plan (DRP) is a documented, structured approach with instructions on how to respond to unplanned incidents. We asked how many of the respondents have published a DRP:
- 38% have a written plan (69% of firms with more than 500 employees).
- 26% are working on one.
- 26% don’t have a plan.
- 10% said they didn’t know.
For those with a DRP, the following items are most often included:
- Regular data backups, online or offsite (64%)
- Emergency response checklist (52%)
- Arrangements for working off-site (52%)
- Crisis communication plan, such as for employees, customers, vendors, public, and media (43%)
- Potential threats and vulnerabilities and risk assessment (38%)
- Prioritization of business functions (36%)
- Business interruption insurance (31%)
- Prevention and mitigation strategies (29%)
- Routine tests of disaster recovery capability (29%)
Although cyber liability insurance is available, only a couple of the respondents said their DRP included it. About 12% have a contract with an outside disaster recovery firm.
Typically, respondents’ DRPs are assessed and modified about once a year. We asked for the biggest challenges these companies face in developing and maintaining a DRP:
- 67% said resources, including both people and physical facilities.
- 36% said it isn’t in the budget.
- 29% cited technology issues.
- 29% said data systems.
- 26% cited management’s position on risks.
- 12% said hackers.
One person commented that the biggest challenge is just “taking the time to sit down and write it”!
We asked respondents what they thought are the best practices in developing a DRP. The most commonly mentioned practices were:
- Make regular data backups, online or off-site.
- Identify potential threats and vulnerabilities and do a risk assessment.
- Develop a crisis communication plan covering employees, customers, vendors, and the public.
- Draft an emergency response checklist.
- Plan routine tests of disaster recovery capability and backup systems.
- Prioritize business functions.
- Develop prevention and mitigation strategies.
- Make arrangements for working off-site.
Companies and their products are increasingly vulnerable to hackers and other risks. With all the potential threats out there, organizations are well-advised to develop some type of DRP. At a minimum, the plan should include potential threats and risk assessment, safeguarding data and handling cyber threats, backup systems, an emergency response checklist, routine tests of the recovery plan, and a communication plan.
If management needs convincing of the importance of such a plan, a simple Google search will provide many examples of what other companies have experienced and how their preparedness—or lack thereof—affected the subsequent outcome. If your company doesn’t have a disaster recovery plan, consider putting one in place now. No one wants to have to explain to the CEO or board why the company didn’t have one after disaster strikes!