James Bourke
James Bourke

Disaster Recovery and Business Continuity Planning

Five key steps reveal when and how CPA companies should begin addressing these issues.

August 24, 2009
by James Bourke, CPA.CITP

When it comes to business continuity management (BCM) and disaster recovery planning (DRP), for most companies, it does not fall high on the radar screen. Talk to a company that has had the unforgettable experience of living through any form of disaster first-hand and they will undeniably tell you that planning for such an event should be a number one priority.

In this year’s AICPA sponsored annual top technology survey, conducted in late 2008 and released earlier this year, respondents identified the most important technology initiatives for 2009. Business Continuity Management and Disaster Recovery Planning made it to the “Honorable Mention” list, falling into the #11 position overall!

The initiatives included in the survey are intended to represent the CPA’s unique perspective regarding the initiatives they believe will impact financial management and the fulfillment of other fiduciary responsibilities such as safeguarding of business assets, oversight of business performance, and compliance with regulatory requirements.

In prior years, voting was limited to an exclusive community including CPAs and IT professionals including the Information Technology Section members and CITP credential holders as well as members of ISACA, IIA (Institute of Internal Auditors) and the ITA. For 2009, the Information Technology Membership Section invited AICPA members to participate in determining the 2009 list.

This year, the taskforce that compiled the results of the survey, defined “Business Continuity Management and Disaster Recovery Planning” as: “the holistic processes organizations use to mitigate the risks to systems and people when unexpected events occur, and include the maintenance of a documented plan that is periodically tested. This process includes identification, prioritization and documentation of key systems, associated risks and individuals responsible for ensuring the maintenance of these key systems.”

So where does your company begin in the process of addressing these issues and where and when does it stop? This diagram (available from Wikipedia, downloaded under the terms of the GNU Free Documentation License) reflects the lifecycle of business continuity planning:

(Source: Wikipedia)

  • Step 1: Analysis. During the analysis phase of the plan creation, the CPA business firm examines, identifies and differentiates the critical and noncritical organizational functions. In addition, the business also attempts to identify the various sources of threats (such as fire, water, wind, cyber, etc.). The identification of the specific type of disaster will assist the organization in the creation of a plan that will best fit the required need.
  • Step 2: Design of a solution. The design of a solution addresses the minimum needs and time requirements, as identified during the analysis phase of the process. The design of a solution will traditionally consider such things as: chain of command, location of the disaster recovery site, the physical infrastructure needs of the disaster recovery site, the process to recover data, the location of and methods to be utilized to backup data created while offsite, contact information for critical support services (such as fire, insurance, Internet connectivity, etc.)
  • Step 3: Implementation. Simply put, implementation is the roll-out of the solution designed in step two that meets the needs of the CPA business organization.
  • Step 4: Test and organizational acceptance. The results of the design of a solution are analyzed as they are being implemented. During this process, flaws that may have taken place in either the analysis phase of the plan creation or the design of a solution are identified, isolated and remedied. In addition, the goal of this step is to obtain buy-in of the process and plan from the stakeholders within the organization. Traditionally, testing of the plan takes place on a recurring basis with larger organizations testing more frequently (monthly-quarterly) than smaller ones (semi-annually-annually).
  • Step 5: Maintenance. The content of the physical disaster recovery plan is examined to insure accuracy and current applicability. In addition, flaws or changes that may have been identified under the testing and organizational acceptance phase are incorporated and remedied during this step. As with step four, maintenance should also be addressed on a frequently recurring basis.


All organizations experience change over time. Some change is small, like changes in personal and job functions, while other changes are extreme, such as mergers, acquisitions, site relocations and applications and/or operating systems.

Change causes this process to be continually reviewed and examined. A disaster recovery plan is a “living” document that grows in size and scope as a business changes.

In summary:

  • Have a plan!
  • Remember the goal
  • Identify stakeholders
  • Identify key assets and processes to protect
  • Devise strategy to provide maximum protection and minimize downtime
  • Document the plan
  • Test the plan
  • Repeat and update!

In the event of disaster, the time and effort that an organization invested into its plan will result in helping to insure the continuity of the operations of the business and the future stability of its stakeholders.

For more information on the Disaster Recovery and Business Continuity Planning, listen to Jim in this podcast.

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

James C. Bourke, CPA.CITP, is a partner at WithumSmith+Brown where he is director of Firm Technology. He is a past president of the New Jersey Society of CPAs and currently serves on AICPA Council and the Chair of the AICPA CITP Credential Committee. He was recently named as one of the Top 100 Most Influential People in the Profession.