Preparing for the Flood: Helping Accounting Firms Build Their Own Ark
by Trey James, Xcentric Group (June 20, 2007)

As summer nears, those of us in the accounting industry are thankful to have endured yet another tax season. Though most of us can take a short hiatus to recover from the final grueling weeks of the season, there can be much to do for firms that choose to work “on” the business rather than “in” the business. Reviewing what worked and what didn’t, improving internal processes, and strategizing for the next year are all significant tasks to accomplish after tax season. Unfortunately, most firms leave out a critical planning activity – reviewing and updating their Disaster Recovery (DR) plans.

Through our work with CPA firms over the last 15 years, Xcentric has found that few firms have a formal written DR plan that communicates to employees what to do and what’s expected of them in an emergency or disaster. Most firms rely on a tape backup as the key (and in many cases, the only) component of their DR strategy. While having a backup is necessary for recovering data, other foundational components are often overlooked, creating a perilous situation when disaster hits. Following a few simple steps can better prepare your firm for recovering and surviving in the event of an emergency or disaster.

Planning Your Ark: Knowing What to Expect

The first step to proper DR planning is knowing what types of disasters are possible in your location. The most frequently occurring disasters or emergencies include extended loss of power; loss of a key server due to hardware or software failure; natural disasters such as floods, hurricanes, tornados, earthquakes, and fires; and equipment theft.

After identifying what kinds of disasters to plan for, the next step is to determine how long your firm can afford to be without access to its applications and data. This is typically done by defining a Recovery Point Objective (RPO) and a Recovery Time Objective (RTO). RPO refers to the amount of data loss that is acceptable to your firm, and RTO is the amount of time allowed before an application and its data become available after a disaster. Knowing this information allows you to properly set the expectations of your team and your clients.

Next, decide ahead of time what will be communicated, to whom, and by whom in the event of a disaster. Some firms choose a multi-pronged approach that can include one or more of the following communication vehicles: email, cell-phone multi-cast voicemails, text messages, emergency call-in message numbers, and emergency websites.

Building Your Ark: Formalizing and Documenting Your DR Plan

Once you have an idea of the worst possible scenarios for your firm and how you will handle them, your next decision should be identifying the core applications your firm will need in the event of an extended outage. These could be tax, practice, accounting, or trial balance. Keep in mind that this selection could depend largely on the time of year a disaster occurs, so having seasonally-based DR plans may be of use to you.

Next, identify specifically how your firm’s applications and data will be made available. For example, your firm may acquire an alternate set of servers and have them on stand-by in another location, or it may use an outsourced DR infrastructure solution. Decide where your team members will work if your facilities are extensively out of commission or damaged (e.g., from home, an outside office, a client’s facilities, etc.).

Documenting information such as emergency contact numbers for technical teams and key vendors, software key codes, and usernames, and storing it in a remote location, is often useful in the event of an emergency.

Sailing the Seas in Your Ark: Review and Test Your DR Plan on a Scheduled Basis

Adding your DR plan to the annual partner retreat itinerary is an effective way to ensure that the partners are aligned with the plan, that the plan coincides with the firm’s mission and goals, and (hopefully) that it is budgeted for appropriately.

Reviewing and testing your DR plan periodically is the only real way to know that your plan works. Scheduling times to test your plan and involving more than one party (e.g., in-house staff, consultants, etc.) can provide you with insight into your plan’s effectiveness from the perspective of multiple audiences.

Finally, think through the steps that will be necessary to recover from the recovery. Recovering from a disaster often requires that you utilize alternate servers and data locations. Technically, it can be challenging to reintroduce data back into the production environment. Documentation of actions taken during an emergency is crucial because without it, you may find it difficult to get the firm running again once operations are back to normal.

Getting Off the Ark: Enjoying the Peace of Mind That Comes with Having a DR Plan

By no means is this list of suggestions meant to be the end-all to disaster prevention and recovery planning. Instead, our hope is that by taking time to do even this minimal amount of planning, you will have much greater success recovering from a disaster in the event your firm is ever plagued by busted water pipes, natural disasters, power outages, etc. Most firms find it is impossible to prepare for and afford measures to mitigate all of the risks associated with disasters; however, they do elect to establish a base measure of security by implementing simple documentation and action plans. Protect your firm. Protect your future. Protect the livelihood of those whom you serve and employ. Just like Noah did.
 

The CPA’s 1-Page Disaster Recovery Checklist

Mark each statement Yes or No.

Yes [ ]  No [ ]  The partners in our firm are in alignment with and budget for DR planning.

Yes [ ]  No [ ]  We have a written DR plan.

Yes [ ]  No [ ]  Our DR plan is reviewed by numerous parties on an annual basis.

Yes [ ]  No [ ]  Roles and responsibilities are clearly defined and our team members know where to find instructions during a disaster.

Yes [ ]  No [ ]  We have a written list of contact information for key firm members, vendors, and consultants.

Yes [ ]  No [ ]  We have alternate technical resources for assisting with recovery from a disaster.

Yes [ ]  No [ ]  We regularly test our backup solution by restoring files and checking their integrity.

Yes [ ]  No [ ]  On a weekly basis, we store backup data in an offsite location where more than one firm member has access for retrieval.

Yes [ ]  No [ ]  Our offsite backup files are stored in a format that we can easily retrieve (e.g. USB hard drive, online backup solution, CDs, etc.) without having to purchase and install specialty tape drives and/or other legacy hardware and software.

Yes [ ]  No [ ]  We periodically inventory and document our production network environment to catalog application versions, data and server locations, and administrative login credentials.

Yes [ ]  No [ ]  We have copies of our key application install media (tax, practice, Microsoft Office, etc.) and their license keys are stored at an offsite location.

Yes [ ]  No [ ]  We have copies of our Server install media (Windows Server 2000/2003) and their license keys stored in an offsite location.

Yes [ ]  No [ ]  We have access to PC server hardware that can be used to provide access to applications and data during an emergency.

Yes [ ]  No [ ]  Our email server is offsite and will be accessible to our employees during a disaster.

Yes [ ]  No [ ]  We have the ability to remotely and securely access our applications and data.

Trey James is the President and CEO of Xcentric, LLC, a technology consulting group that specializes in network technology consulting, hosting, and implementation for accounting firms. He brings 15 years of experience – a blend of executive, strategic, technical, and operational roles including successful roles with the regional firms, local firms, and leading IT consultancies to the accounting profession. Mr. James was selected as one of the forty “Top 40 under 40” honorees in the accounting profession by Technology Advisor Magazine in 2006. He can be reached at 678.297.0066 x117 or at tjames@xcentricgroup.com.



 © 2007 InfoTech Partners North America, Inc....your technology partner  (480) 706-1728



InfoTech Partners North America, Inc.
13656 South 37th Place
Phoenix, AZ 85044-4531
Phone: (480) 706-1728
Fax/Voicemail: (480) 718-8880
Email: roman@itpna.com
Web Site: www.itpna.com

We are in business to service and act on behalf of our clients. Please review our Privacy Statement and Declaration of Integrity. For comments regarding this website, please email ITPartner@itpna.com or call (480) 706-1728. All information presented here is the opinion of InfoTech Partners North America Inc. or the respective authors of the various articles and is not to be construed as legal or technical advice. Please consult your lawyer or technical person for specific utilization.
