The Brave New World of Disaster Recovery

Companies are revisiting their disaster recovery plans to cover the harsh new realities of life on U.S. soil.

Dan Torpey has been in New York
since Sept. 11, and the city's affection for sports has influenced him. As national partner leader with Andersen's insurance claims practice in Dallas, Torpey helps companies recover losses after product recalls, business interruptions and, now, terrorist attacks. "Management should think like a baseball player in the field," says Torpey, who sees firsthand how well disaster recovery and business continuity plans hold up. " 'What do I do if the ball is hit to me? What if someone is on first, or second, or first and third? Where do I throw the relay?' Every department head needs to know what they're going to do if a disaster strikes, no matter where it hits and no matter what kind of disaster it is."

Until Sept. 11, few CFOs actively managed disaster recovery plans. That's changing now that new threats have been added to the lineup of potential crises, and businesses are recognizing the importance of expanding the scope of disaster recovery planning (DRP) throughout the company.

DRP used to be viewed primarily as a technology issue; recovery efforts focused on ensuring that an organization's data center would continue to operate during power outages or technology failures. A separate discipline, business continuity planning, focused on the status of people, the paper transactions they conducted and the facilities in which they operated. These terms are now used interchangeably, reflecting the realization that effective, enterprisewide risk management must address both areas, as well as the interconnectivity between them.

Although recovery and continuity experts assert that different companies require different strategies, most agree that effective disaster recovery plans share several common processes: an evaluation of critical assets, threat analyses, a continuous review of insurance coverage, the definition of response procedures and, above all, regular testing. "Disaster recovery planning is not a procedural manual," Torpey notes. "And it's not solely a reliance on an insurance policy. It is many things, and it involves many people. I think companies where the CFO and the top finance people are able to influence awareness at every department level of what different roles should be after a disaster are the companies that respond the best."

Rising Importance

Traditionally, CFOs in only a handful of industries -- those in which disaster recovery has always seemed critically important, such as health care, financial services and utilities -- headed up their organizations' planning efforts. "Many of those companies keep it under the CFO," explains Chris Thompson, partner, global risk management solutions financial services, at PricewaterhouseCoopers in New York City.

"In those cases," Thompson says, "the CFOs are involved because this is a key operating risk that they know they need to manage better. I've also seen some companies that have split business continuity, security, privacy and other risk management-related functions away from the CFO so he can focus on finance and business strategy while others focus on keeping the place secure, bulletproof and ready to run." Thompson adds, "There's really no rule in corporate governance on where it should go as long as there's somebody high enough to focus on it."

In most industries, top finance executives have always tried to keep the disaster recovery planning process at arm's length. "The CFO collects information from all these different groups and encourages, blesses or reinforces what should be done," Torpey says. "I don't want to say that they have typically been far-removed, but they have relied heavily on people who report to them."

But the average CFO's distance from the details of disaster recovery planning began to shrink last September, when the potential cost of disasters became painfully apparent. Suddenly, many high-level finance executives are getting actively involved in disaster recovery planning. According to Thompson and Torpey, this usually means they are
orchestrating the involvement of functions such as facilities management, accounting, risk management and legal in the DRP process.