Disaster Recovery and Business Continuity Planning
Five steps to success.

August 18, 2008
by James Bourke, CPA/CITP

Business continuity management (BCM) and disaster recovery planning (DRP) rarely attract attention on most companies' radar screens. It is only when an organization has lived through a disaster first-hand that it will undeniably tell you that planning for such an event should be your number-one priority.

In fact, BCM & DRP was rated the third most-important technology initiative for 2008 according to the AICPA-sponsored annual CPA Top Technology survey. The survey was conducted in late 2007 with participation from the AICPA's IT Member Section, including the Certified Information Technology Professional (CITP) credential holders, the Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA) and the Information Technology Alliance (ITA).

That study defined Business Continuity Management as: "a comprehensive process that identifies potential threats and the impact they might have on operations." It defined Disaster Recovery Planning as "development and testing of a plan to restore an organization's technology infrastructure after a disaster or failure."

So where does a company begin in the process of addressing these issues and where and when does it stop? This diagram reflects the lifecycle of business continuity planning:

(Source: Wikipedia, downloaded under the terms of the GNU Free Documentation License.)

Successful Steps

Here are five key steps for conducting a successful BCM and disaster recovery initiative:

Step 1: Analysis. The starting point in the process is "analysis." During this phase your company should examine, identify and differentiate its critical and non-critical organizational functions. In addition, your firm should also attempt to identify the various sources of threats (such as fire, water, wind, cyber, etc.). The identification of the specific type of disaster will assist the organization in the creation of a plan that will best fit the required need.

Step 2: Design of a solution. Designing a solution addresses the minimum needs and time requirements, as identified during the analysis phase of the process. The design of a solution traditionally considers such things as: chain of command, location of the disaster recovery site, the physical infrastructure needs of the disaster recovery site, the process to recover data, the location of and methods to be utilized to back up data created while offsite, and contact information for critical support services (such as fire, insurance, Internet connectivity and more).

Step 3: Implementation. Simply put, implementation is the roll-out of the solution designed in Step Two that meets the needs of the business organization.

Step 4: Testing and organizational acceptance. During this phase, the results of the design of a solution are analyzed, as they are being implemented. Flaws that may have taken place in either the analysis phase of the plan creation or the design of a solution are identified, isolated and remedied. In addition, the goal here is to obtain buy-in of the process and plan from the stakeholders within the organization. Traditionally, testing of the plan takes place on a recurring basis with larger organizations testing more frequently (monthly/quarterly) than smaller ones (semi-annually/annually).

Step 5: Maintenance phase. In this phase, the content of the physical disaster recovery plan is examined to ensure accuracy and current applicability. In addition, flaws or changes that may have been identified under the testing and organizational acceptance phase are incorporated and remedied during this step. As with Step Four, the maintenance should also be addressed on a frequently recurring basis.


All organizations experience change over time. Some changes are small, like changes in personnel and job functions, while other changes are extreme, such as mergers, acquisitions, site relocations, change in applications and/or operating systems, etc.

Change causes this process to be continually reviewed and examined. A disaster recovery plan is a "living" document that grows in size and scope as a business changes.

In summary:
  • Have a plan
  • Remember the goal
  • Identify stakeholders
  • Identify key assets and processes to protect
  • Devise strategy to provide maximum protection and minimize downtime
  • Document the plan
  • Test the plan
  • Repeat and update!

In the event of disaster, the time and effort that an organization invested into its plan will help to ensure the continuity of the operations of the business and the future stability of its stakeholders.

James C. Bourke, CPA/CITP, is a Partner at WithumSmith+Brown where he is Director of Firm Technology. He is a past president of the New Jersey Society of CPAs and currently serves on AICPA Council and the AICPA CITP Credential Committee.