Too many CPA firms aren’t prepared to handle a disaster or business continuity event, according to technology expert Randy Johnston.
“Our attitude is that disasters always happen to someone else,” Johnston told attendees at his presentation at the CCH Connections 2015 User Conference, held here this week. “I hope that’s the case, but I don’t think we can be sure of that.”
Rather than putting it off indefinitely, firms need to make an effort to get a disaster recovery plan in place, and Johnston, who is founder and CEO of Network Management Group, offered a series of steps they can take to reinforce their ability to bounce back from anything that may come their way – whether it’s a broken water pipe or a full-blown natural disaster.
1. Protect your data. “If you don’t have your data, it’s all over,” said Johnston. Even if you don’t have a formal recovery plan, backing up your data is one of the quickest and easiest ways to protect your firm. He noted that there are now backup appliances available from over a hundred vendors that allow you to save your data every 15 minutes or so, with one appliance on-site and another in a remote location, for a relatively reasonable price. Firms can also save their data in the cloud, either through dedicated backup providers, or through individual cloud-based software applications. He also pointed out that firms might consider a mutual aid arrangement, where two firms in different locations host backup facilities for each other.
Whatever your method, you’ll want to make sure that you’re backing up everything at your firm, from individual PCs and portable devices up to multi-location networks. And Johnston stressed that picking a method was only the beginning: “You can’t set it and forget it. You need to test it on a regular basis.” This can range from spot checks to see that individual documents have been saved, up to full “bare metal restores” of all of your data and applications.
Without double-checking the backups, firms may find themselves in the same shoes as the accountant who provided Johnston’s favorite quote about a failed system: “’Our backup was working perfectly – we just can’t restore from it,’” he recalled. “Until you restore them, you won’t know if you have data or not.”
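The spot check described above can be automated. The following Python example is added here for illustration and is not from Johnston's presentation or any backup product. It assumes the backup is a `.tar.gz` archive and that a SHA-256 manifest is recorded when the backup is made; the function names are hypothetical.

```python
import hashlib
import os
import random
import tarfile
import zlib


def sha256_stream(stream):
    """Hash a binary file object in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(65536), b""):
        digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive source_dir and return {relative path: SHA-256} as of backup time."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(source_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
                with open(full, "rb") as src:
                    manifest[rel] = sha256_stream(src)
                tar.add(full, arcname=rel)
    return manifest


def spot_check_restore(archive_path, manifest, sample_size, seed=None):
    """Read a random sample back out of the archive and compare hashes.

    Returns a list of (path, problem); an empty list means the sample was intact.
    """
    names = sorted(manifest)
    sample = random.Random(seed).sample(names, min(sample_size, len(names)))
    problems = []
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for rel in sample:
                try:
                    member = tar.extractfile(tar.getmember(rel))
                except KeyError:
                    problems.append((rel, "missing from backup"))
                    continue
                if sha256_stream(member) != manifest[rel]:
                    problems.append((rel, "content differs from manifest"))
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append((archive_path, f"archive unreadable: {exc}"))
    return problems
```

Keep the archive outside the directory being backed up, and store the manifest separately from the archive so that damage to one does not hide damage to the other.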
2. Write the plan. “Get something in writing – if it’s not in writing, it doesn’t exist,” Johnston said. He cited a number of companies he knew of that were able to weather the 9/11 attacks because they were able to dust off and execute disaster recovery plans that they had set up for Y2K.
There are a variety of sample DR plans available online, but as part of the process you should review the critical elements of your business and diagram your workflows (most firms have around 40, Johnston said). Once you know what your firm looks like pre-disaster, you can start deciding which operations you need to have back in service first – not all emergency restorations will support 100 percent of firm operations right away. “Have a categorized list of what you’ll restore first, second and so on,” he suggested. “It’s better to decide this when you’re not in the heat of battle.”
As part of your plan, you’ll want to know where licenses, product key information and user policies are stored, and have an inventory of all systems, workstations and storage devices. This will be valuable for a variety of purposes, not least for insurance claims: “Unless you can document what you had, the insurance policies won’t come across.”
You’ll also want lists of employees, customers and vendors, as well as critical contracts, certificates and policies – and you’ll want them printed out, because in many cases you may not have power.
3. Have a risk management officer. This person will be responsible not just for taking the lead in the event of a disaster, but also for keeping the plan up to date and making sure everyone’s trained and ready to execute. Johnston recommended that it not be your managing partner or chief technologist.
4. Create an emergency response team and assign specific responsibilities. If your firm has multiple locations, you’ll want to have people at each office who can handle those responsibilities. Johnston emphasized the importance of training and education: “You need to train your ERT. If I had to name the top fault in CPA firms I’ve been in, it would be lack of training. You can never have too much extra training on the Emergency Response Team, so they know what to do.”
Among other things, he suggested teaching a group of people how to handle a data restore: “I’ll often take the person who arrives first every day – or the person who shows up even when there’s a storm.”
5. Test and revise the plan on a regular basis. Besides frequent tests of your data backup, Johnston recommended a quarterly read-through of the overall disaster recovery plan, and an annual physical test, with a debriefing afterward so you can fix what didn’t work and be ready for the next time.
In the end, the important thing is to get started. “Many people have had this on their calendar for a long time, but it keeps getting pushed aside,” Johnston said. “You can do a really simple plan or a really complex plan – the one that doesn’t work is the one that doesn’t get done.”