Your Guide to Developing a Disaster Recovery Plan

Transcription

1 Your Guide to Developing a Disaster Recovery Plan

2 Your guide to developing a Disaster Recovery strategy In a discussion of Disaster Recovery and Business Continuity there are five factors that should be addressed in sequence. Those five areas consist of: 1. How much does a disaster really cost? 2. Business continuity and your Bank 3. The Business Impact Analysis 4. The Information Technology Plan 5. The Business Continuity Plan Part 1 How Much Does a Disaster Really Cost? Most companies have not given much thought regarding how much a potential disaster would really cost them. FNTS has a tool to help you calculate what a disaster would cost you. The following is an illustration on how it works. Assume the following: 1. You have a $100 million dollar company. 2. Your net profit margin after tax is 5.77 percent. 3. You fixed costs represent % of your Gross. 4. You have variable costs but cannot just turn them off, they must be ramped down. 5. Therefore, the total cost to the company would be 70.09% of the gross revenue. The points to consider here are that while the cost comes on gross, restoration of the revenue comes from after tax dollars. The fact is that you would lose $269, dollars per day. Additionally, it would take all of your profits from days of revenue just to break even. Gross Revenue In Millions $ $ 384, $ 1,923, Profit Loss 5.77% $ 22, $ 110, Fixed Cost 36.44% $ 140, $ 700, Variable Cost To Shutdown Total Cost To Company 27.88% $ 107, $ 536, % $ 269, $ 1,347, Days to Recover Example represents daily loss of 0.270% of gross revenue Forrester National Survey shows average of 0.380% of gross revenue Ave DR/BC plans cost approximately % to % of gross revenue 2

3 The question to ask yourself is this: Does my company have significantly cash rich resources capable of sustaining this kind of loss? If you have that much cash on hand, you don t need a Disaster Recovery / Business Continuity Plan. However, if you don t carry that much cash on hand, or you intend to finance the loss, read Part 2 and see how the financial community views the situation. Part 2 Business Continuity and Your Bank In today s rough economic times, many companies have opted to either forego development of a comprehensive Disaster Recovery Plan, or at minimum delay updating their current plan due to the desire to conserve cash. While this is an operational conservation effort to conserve cash for credit ratings, it can in fact actually hurt the credit rating or line of credit for the company. Three major changes in Federal banking enforcement can significantly affect your business. 1. FDIC Enforcement of the Individual Business Bank Credit Index Effective February 1 st, FDIC has announced that all banking institutions must comply with the guidelines that require the collective Bank Credit Index to be less than 100. Many banks have exceeded this number and it will take a stiffening of their loan portfolio to get back in line. The credit index is a business credit rating for each loan or line of credit customer based on the current financial condition. The bank index is the cumulative index of their portfolio. This effects you by a possible increase in your interest rate based on your risk. The two risks you face are a significant increase in your rating by your inability to show a plan to continue to generate revenue to pay your loan even if you did have a disaster. If a comprehensive plan is in place the bank is not required to penalize your rate. Secondly, if a plan is in place that shows how you would generate revenue, the bank can calculate your rating differently and you are not penalized by the group that does not have a plan in place unless of course you are one of the group that does not have a plan. 2. The Bank s Commercial Credit Index In order for the bank to comply, they have three alternatives to improve their own index. First, they can increase the interest rate on loans or lines of credit. This could affect you by driving your cost of money up significantly. For example, an increase of only 1% on a $50 million loan or line of credit would cost you $500 thousand dollars annually. Compare this to a plan that cost you even $100 thousand to create. Second, the bank can deny any more funding. If you feel that you will need (or might need!) additional funding or line use, denial could seriously limit or even destroy your business potential in this economy. Business that maintains a current DR Plan is more likely to receive additional funding since the Bank can justify to FDIC auditors that a plan is in place to continue to generate revenue and make the necessary bank payments. Lastly, because some banks have indexes that are so far out of balance they may be required to call the note to reduce the risk and index. Having a DR Plan in place to generate revenue would reduce the likely hood that you would be called. 3. LIBER (London InterBank Exchange Rate) Effective April 1 st, banks are required to use the LIBOR numbers to establish loan rates for each of the credit risk categories the commercial clients fall under. LIBOR is the rate that Banks charge other banks for money and is defined daily. This means that interest rates can rise immediately on any given day rather than the quarterly rate changes governed by the Prime Interest Rate which is a uniquely United States Number. Clients can no longer time the access to funds available based on projections (or reductions) of the prime rate. The question here is: Are you positioned with your financial resources, and have you made provisions to be able to continue to generate revenue to satisfy them while you recover from any kind of disaster? 3

4 Part 3 The Business Impact Analysis It is important to note that the BIA is not a planning component; rather the BIA establishes the guidelines (or road map ) for the development of the Business Continuity Plan (BCP) and related plans. The BIA is a report subject to executive management review and approval. An important component of the BIA is an evaluation, both internal and external, of the natural and manmade risks that threaten the organization. This is referred to as a Risk and Vulnerability Analysis and this analysis is included as part of the BIA. The BIA report identifies risks & exposures, reviews safety & security issues, and identifies the level of planning necessary for the Business to continue. For most businesses, critical operations are either revenue-generating operations or activities that directly support revenue-generating operations. Once critical operations, process flows and interdependencies are identified, strategies can be developed to ensure their ongoing function or rapid restoration. The BIA also reviews the level of existing planning both in the Information Technology department and throughout the other business units. Recommendations regarding additional planning or improvements to existing procedures are identified. The BIA answers the question Does your business need a comprehensive Business Continuity Plan or not? Part 4 The Information Technology Plan The Information Technology Plan (ITP) is often the only portion of the Disaster Recovery Plan that is in place. While corporate data is the asset you are protecting, remember that data that cannot be utilized or accessed is of no value in generating revenue. The ITP includes the need for planning in the following areas: Critical Data Management This is a formal plan to secure, classify and retrieve electronic information and critical applications. Data Center Recovery This is a formal plan to reconstruct systems & communication centers. Alternate Site Plan Management determines the type of Alternate Site Plan that is needed based on the established recovery time objectives, levels of service degradation and the response that is cost justified. Information Security Plan The need for additional Information Security Planning is based upon management's objectives, audit requirements, costs, and the effectiveness of existing controls. The ITP answers the question How will I recover and restore all the critical data, applications, and records that my business needs to continue in operation? Part 5 The Business Continuity Plan Generating revenue in a disaster aftermath is the entire point of the plan. As stated earlier, the ITP restores the data and applications, but the people execute making the money. How do they access the systems? Who is available? 4

5 Where do they work? Who is responsible for recovery? Where does the money go? How do we acquire materials to keep going? These are the keys to maintain the ability to generate revenue. The Business Continuity Plan (BCP) will develop the details of the response to a disaster situation by the business. This is the overarching plan for the business and defines the overall actions of the organization during an emergency. The central focus of a good BCP is to identify and develop solutions to maintain or rapidly restore critical operations. The Business Continuity Plan (BCP) is intended to establish policies, procedures and organizational structure for response to emergencies that are of sufficient magnitude to cause a significant disruption of the functioning of all or portions of the business. The BCP is the official plan of the business and describes the roles and responsibilities of support departments, operational groups and personnel during emergency situations. The BCP answers the question What will my business do to survive a disaster until we can return to normal business operations? Develop your plan today Most companies that do not have a comprehensive plan don t because they are not sure where to start. Find a methodology that will make sure questions get asked, the plan is complete, and the plan is maintainable. Disaster Management Institute (DMI) methodology is very complete and can be instituted in phases. Phasing is important since each phase is contingent on the phase ahead of it. Any disaster will create inconvenience, but a plan will make it survivable. The federal government reports that 80% of the businesses that face a two or more day disaster are out of business within 24 months. Don t let this happen to you. For information regarding disaster recovery or to develop your own plan contact or info@fnts.com 5