Disaster Recovery and Your Business - Could Your Business Take a Licking and Keep on Ticking?

For businesses operating along the Gulf and Eastern Atlantic coasts, hurricane season brings more than just powerful winds and raging flood waters. It also ushers in seasonal anxiety and additional stress, not to mention the extra physical effort required to prepare, plan, and recover.

According to the National Oceanic and Atmospheric Administration (NOAA), hurricanes are the deadliest and most costly type of weather disaster. Since 1980, they have cost over $1 trillion in damage. While physical, structural damage is usually the focus in the aftermath, data integrity, protection, and recovery are just as important to the sustainability of organizations impacted by natural disasters. A recent enterprise survey estimated that 91% of organizations equated a single hour of downtime to more than $300,000 in damages. Can your business survive a one-hour loss at that cost?

Every organization should have a business continuity plan (BCP) that re-evaluated each year and updated as needed. At the very least, every business should have a detailed disaster recovery plan specific to its needs. Without a solid disaster recovery plan in place, your business could become a casualty of the event. When considering a disaster recovery plan for your business, include these 10 things on your checklist:

1. Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
   1. RTO – the maximum amount of time your business can tolerate being inoperable (for example, 30 minutes, 2 hours, 12 hours)
   2. RPO – the maximum amount of data your business can afford to lose (for example, 1 hour of data, 1 day of data, etc…)
2. Hardware and Software Inventory – keep an Up-to-date inventory of IT assets categorized as follows:
   1. Critical – the business cannot operate without these assets
   2. Important – these applications are used daily and can disrupt normal operations
   3. Unimportant – applications that used less frequently than daily
3. Identify Personnel Roles - define who is responsible for disaster recovery processes. Consider these critical responsibilities when assigning roles and responsibilities:
   1. Ongoing backups and maintenance of business continuity systems
   2. Responsibility for declaring a disaster
   3. Responsibility for contacting 3^rd party vendors
   4. Responsibility for reporting to management and communicating with customers and staff
   5. Responsibility for managing the crisis and recovering from it
4. List of Disaster Recovery Sites – specify where the company assets are located and where they be transported if a disaster occurs.
   1. Hot sites are fully functional data centers with IT equipment, personnel, and up-to-date customer data.
   2. Warm sites are functional data centers that allow access to only critical systems, without up-to-date customer data.
   3. Cold sites are used for storage of backup systems and data and do not have the ability to immediately run operational systems.
5. Remote Storage of Physical Documents and Storage Media
   1. To avoid unexpected data loss and potential compliance violations, data must be protected at all times.
   2. Critical documents should be stored in a remote location. If possible, convert as much to electronic copies as possible and consider Cloud storage options.
6. Disaster Response Procedures
7. 1. Craft a disaster recovery policy documenting the procedure for responding to a catastrophic event.
   2. Include clear action steps, in simple language, including how to transition to the recovery site and ensure that recovery is successful.
8. Identify Sensitive Data
   1. May include personally identifiable information (PII), credit cardholder data, bank account information, and/or other valuable data such as intellectual property (IP).
   2. Your DR plan should identify how this sensitive data is securely stored, backed up, and who should have access to it, both during normal business hours and during disaster recovery.
9. Define an Effective Communication Plan
   1. Consider all affected parties including management, employees, vendors, suppliers, customers, compliance authorities, etc….
   2. Use multiple communication channels such as company intranet, public relations, company website, and social media outlets.
10. Physical Facility Needs - determine the minimum facility requirements necessary to restore normal operations. Consider the following:
    1. Office Space
    2. Location
    3. Required furniture
    4. Required IT equipment
    5. Internet capability
11. Test, Test, Test
    1. Plans are great to have but useless if they have not been tested. Repeatedly test and tweak the plan until you have determined it works for all organizational considerations.
    2. Effective DR plans must be reviewed at least annually.

While protecting and ensuring the recovery of important sensitive data and critical operations is essential to recovery efforts, it is paramount that you do not forget about the most important company asset, your employees. Implementing even the most well-crafted disaster response and recovery plan is impossible without the inclusion and support of all staff members.

The immediate health and safety of employees should be a priority, and the protection of their PII should be just as important as that of customers, vendors, or anyone else associated with the organization. Therefore, the most comprehensive plan also includes details on what employees can expect in terms of work and pay when a disaster strikes that affects their workplace. What happens when the business is closed and no work can be done? Do the employees still receive pay? Are they required to use accrued leave? If they can’t work for an extended period of time, do benefits continue and how do they pay for them without payroll deductions? How are employees expected to report during a disaster and when are they expected to return to work?

These and many more questions will be on the mind of employees when disaster strikes. The last thing you want and need during the time of recovery is a scared team without focus. Knowing there is a plan and understanding what to expect will give some structure to an otherwise chaotic time. Whether you have a disaster recovery plan in place that needs review or updating, or you haven’t thought about one at all, contact Empact HR today and let us help you. We can offer additional peace of mind by helping ensure you have the most effective plan in place to protect, recover, and sustain your business before, during, and in the aftermath of a catastrophic event. Don’t be a casualty, call us today to get started!

REMA GRAY
Human Resource Manager, Crescent - HR Advisor, empactHR

Rema Gray has a lifelong interest in relationship management and a deep curiosity for human behavior in the workplace, Rema Gray began her payroll and HR career over 25 years ago. She pursued a degree in Psychology from the University of South Alabama and parlayed her education and training into a Human Resource Management career. Her experience ranges from managing the intricacies of human capital growth and development of small local businesses to developing teams and managers for large national corporations. She has worked in many industries, including chemical plants and oil refineries, business services, retail, and many other spaces. She currently manages HR for Crescent Payroll Solutions, contributing to the creation of policies and procedures, measuring and managing organizational risk, organizing, training, and development of the operations team, and maintaining a high level of employee engagement. Rema’s passion is getting everyone in the proverbial boat rowing in the same direction. She believes employee commitment to the organization’s Mission, Vision, and Values is not only essential to the achievement of its goals but also paramount to the overall health and sustainability of the organization itself.

“Human Resources is a basic term to describe a dynamic topic. Focusing on the human part of it is integral to the success of any employee-based business.”