Blog - The Modern Financial Advisor

How to Create a Business Disaster Recovery Plan: 10 Things You Must Include

Written by Carla McCabe | Oct 16, 2017

Disaster recovery is a hot topic of discussion for managers as financial advisory businesses become increasingly reliant on technology. But technology is not the only threat to business continuity. This year, in particular, has shown us that many other variables have the potential to disrupt, including employees, suppliers, or extreme weather. 

It's not enough just to talk about it; a robust business continuity plan is required. The plan will describe exactly how the business will weather the storm during events that threaten to leave its critical functions in disarray. Make sure you have a business continuity plan in place that includes the following 10 areas.

Scope

Depending on the size of your wealth management firm, you may need more than one business continuity plan. Clearly define what is in scope for the plan and what is not. It may be appropriate to describe physical locations, such as sites or buildings, as well as groups of people or functional departments. If there are co-dependencies between different plans, such as those of an operational team and IT department, describe those here.

Invocation procedure

Articulate the rationale that will be used to decide when the plan should be invoked. It's common to use a traffic light system to illustrate invocation steps, and provide a simple visual status that's easy to understand. For example, green indicates business as usual, amber represents a state of readiness, recognizing a situation exists that may require invocation of the plan should things deteriorate, and red means the plan has been invoked and is actively being followed. Describe how the current business continuity status will be communicated to the business, such as on an intranet page or on physical noticeboards.

Roles and responsibilities

During any incident, it's essential everyone knows the part they play. All employees have a responsibility to know about the plan and who to tell if they identify a set of circumstances that threaten the business. There are also specific roles, such as the business continuity manager, who will be responsible for making the decision to invoke the plan. You will also need coordinators who will ensure all employees are acting in line with the plan once invoked. It's advisable to use job titles rather than individuals' names, as that makes it clearer that the responsibility sits with whomever occupies that position.

Backup location

If it is possible to recover critical functions at an alternative location, you must describe where this is and how employees will get there and gain access. If you have a secondary site that is fully equipped, you may only need to think about transporting employees. However, if it is not fully equipped, or if your fall-back option is for employees to work from home, then you must describe what equipment is to be taken when leaving the site, and how to set it up. For example, how to connect laptops to the company network through a domestic internet connection.

Technical processes

There will be processes involved in enabling continuity of technology systems. For example, how to reconfigure phone lines to direct them to an alternative site, or how to shut down computer servers in a safe and secure way. Responsibility for enacting these may sit with engineers in an IT department, or with operational managers. It is critical that guidance in the form of step by step instructions or flowcharts, is included in the appropriate business continuity plan.

Prioritization of personnel

It is likely during a business continuity event that there will be a period of time when some employees will be surplus to requirement. This might be because they cannot access computer systems or because you have re-located to a backup site that does not have the capacity to accommodate them all. Your plan must describe who the critical personnel are and the expectations of them. Managers may need to send some employees home for a period of time, so the plan must clearly prioritize people against functions, to ensure the right people are in the right place at the right time.

Health and safety

Employees are your most valuable resource. The level of risk to their health and safety will be determined by the circumstances, but the well-being of your workforce during an incident should be paramount. When determining evacuation procedures, or contingencies for loss of fundamental things, such as water supply or heating, make sure that the plan describes how staff well-being is being considered throughout. You must make adequate provision to ensure all employees are treated fairly and not exposed to any increased risk of stress or injury, unless it is unavoidable.

Record of activity

Every invocation of the business continuity plan presents a learning opportunity. Therefore it's important to keep a fully documented timeline of events as they unfold. It's preferable to have an online system to do this, so information can be captured, saved and reported on easily. However, if you need to evacuate a building or site, or lose connectivity to your IT systems, there will be a period of time where you cannot do this. Therefore the plan must include appendices with form templates that can be printed and completed by hand to record activity. This can then be keyed into the online system after the event.

Stand-down procedure

Just as it's important to have a defined invocation process, you must have a set of criteria to be satisfied to stand down the emergency and move into the recovery and review phase. It's advisable to design a checklist for this purpose, so the business continuity manager has a clear template to verify all conditions are met. Standing down the plan too early can be catastrophic. For example, employees could be put at risk by returning them to a previously evacuated site before it's safe to do so.

Post-incident review

The last piece of the puzzle is the post-incident review, which should include a debrief meeting for all those who held key roles during the event. You should also gather feedback on the experience of other parties who were present through questionnaires. The plan must dictate how and when this process should take place, and provide template agendas for meetings and questionnaires. If there are internal or external reporting requirements after an event, these should also be stipulated.

A comprehensive disaster recovery plan that includes all these topics will offer reassurance to management, employees, and customers. It will provide a robust process by which the business can guarantee the continuity of its products, services, and commercial success.

More articles related to: Continuity Planning