Consumer Information  
NEW ZEALAND NATIONWIDE INSURANCE BROKER SERVICES

Disaster Recovery

It is vital that any organization takes the development and maintenance of its Disaster Recovery Plan (DRP) seriously. It is not a task that can be left until someone finds enough time to deal with it. A serious incident can occur at any time.

PLANNING

If a DRP does not already exist, it will be necessary to initiate the preparation of the first version of such a plan. In order to initiate a planning project for the first time, the Board and/or top level management would normally receive a proposal.

Projects as important as DRP development should be approved at the highest level to ensure that the required level of commitment, resources and management attention are applied to the process.

The proposal should present the reasons for undertaking the project, and could include some or all of the following:

  • Increased dependency by the business over recent years on computerized production and sales delivery mechanisms, thereby creating increased risk of loss of normal services
  • Increased dependency by the business over recent years on computerized information systems
  • Increased recognition of the impact that a serious incident could have on the business
  • Need to establish a formal process to be followed when a disaster occurs
  • An intention to lower costs or losses arising from serious incidents
  • Increased likelihood of inadequate IT and information security safeguards
  • Need to develop effective back up and recovery strategies to mitigate the impact of disruptive events
  • Avoidance of business failure from disruptive incidents.

Having obtained the full backing of the organization, the person or team developing the plan needs to prepare carefully.

A good start is to create a list of all necessary documents and information. Where this includes documents containing sensitive information, care must be taken to ensure that confidentiality is not compromised.

The disaster recovery plan should include a descriptive list of the organization's major business areas. This list should rank the areas in order of importance to the overall organization.

Each item should include a brief description of the business processes and main dependencies on systems, communications, personnel, and information / data.

Useful documents and information to help you create your disaster recovery plan could include the following:

  • Organization chart showing names and positions
  • Existing plan (if available)
  • Staff emergency contact information
  • List of suppliers and contact numbers
  • List of emergency services and contact numbers
  • Premises addresses and maps
  • Existing evacuation procedures and fire regulations
  • Health and Safety procedures
  • Operations and Administrative procedures
  • List of professional advisers and emergency contact information
  • Personnel administrative procedures
  • Copies of floor plans
  • Asset inventories
  • Inventories of information assets
  • IT inventories
  • IT system specification
  • Communication system specification
  • Copies of maintenance agreements / service level agreements
  • Off-site storage procedures
  • Relevant industry regulations and guidelines
  • Insurance information

IMPACT AND RISK ASSESSMENT

A major part of the disaster recovery planning process is the assessment of the potential risks to the organization which could result in the disasters or emergency situations themselves. It is necessary to consider all the possible incident types, as well as the impact each may have on the organization's ability to continue to deliver its normal business services.

This can be complex and demanding, so a number of tools are available to assist in this area. The most widely known of these is COBRA, which employs a method aligned to various international standards.

The science of risk assessment is currently beyond the scope of this portal, but hopefully the information presented below may give you some insight into this task and some guidance in terms of what is included.

THE THREATS

Part of the risk process is to review the types of disruptive events that can affect the normal running of the organization.

There are many potential disruptive events and the impact and probability level must be assessed to give a sound basis for progress. To assist with this process the following list of potential events has been produced:

Environmental Disasters

o Flood
o Snowstorm
o Drought
o Earthquake
o Electrical storms
o Fire
o Subsidence and Landslides
o Freezing Conditions
o Contamination and Environmental Hazards
o Epidemic
o Tornado
o Hurricane

Organized and / or Deliberate Disruption

o Act of terrorism
o Act of Sabotage
o Act of war
o Theft
o Arson
o Labour Disputes / Industrial Action

Loss of Utilities and Services

o Electrical power failure
o Loss of gas supply
o Loss of water supply
o Petroleum and oil shortage
o Communications services breakdown
o Loss of drainage / waste removal

Equipment or System Failure

o Internal power failure
o Air conditioning failure
o Production line failure
o Cooling plant failure
o Equipment failure (excluding IT hardware)

Serious Information Security Incidents

o Cyber crime
o Loss of records or data
o Disclosure of sensitive information
o IT system failure

Other Emergency Situations

o Workplace violence
o Public transportation disruption
o Neighbourhood hazard
o Health and Safety Regulations
o Employee morale
o Mergers and acquisitions
o Negative publicity
o Legal problems

Although not a complete list, it does give a good idea of the wide variety of potential threats.

REVIEW & MAINTENANCE

Performing a regular review and audit of your contingency and back-up arrangements is nothing short of due diligence. It is essential for your assurance - to help ensure that you are able to withstand and recover from a major incident.

As obvious as this is, it is a fact that many organizations rarely if ever perform such a review. This is not a good short cut to take!

AWARENESS

It is good practice for the organization's Board or Governing Body to demonstrate a clear commitment to establishing and maintaining an effective disaster recovery planning process.

All management and staff should be informed that a disaster recovery plan is required in order to ensure that essential functions of the organization are able to continue in the event of serious adverse circumstances.


© Copyright 2008 Rural & General Insurance Broking (New Zealand). All Rights Reserved.