Business consulting firms are called on by their clients for a wide variety of purposes. However, at the most basic level, if a valued client suffers major business interruption, especially when preventable, that’s definitely not good for anyone.
In this article, we’ll look at how a consulting firm can jumpstart its clients’ disaster recovery planning…before it’s too late.
Why Disaster Recovery Planning Matters
While there certainly are business consultants and IT consultants specializing in business continuity, disaster recovery planning, and backup and disaster recovery, even generalist business consulting firms need to be prepared to oversee and manage simple planning for their clients who don’t have the budget for specialists.
Fires, flash floods, twisters, hurricanes, lightning storms, earthquakes, and downed power lines. This isn’t some new theme park ride or action-thriller movie. These are risks that are bound to affect one or more of your small business clients sooner or later.
Unlike those who work in insurance, economic forecasting, or contrarian mutual funds, business consultants typically don’t focus on hedging against doom and gloom. However, savvy consultants interested in serving their small business clients’ intermediate- and long-term needs should incorporate some basic disaster recovery planning into every client engagement.
Rolling the Dice Isn’t Recommended
If you’ve attended a seminar or webinar on disaster recovery planning, power protection, or security best practices, you’ve likely heard the usual platitudes and marketing hype, such as:
- “There are only two types of people: those who’ve experienced major business interruption and those who will.”
- “Companies without a sound backup and disaster recovery procedure never fully recover.”
- “Firms without a sound recovery plan are likely to go out of business within months following a disaster.”
Putting the statistics, case studies, media dramatization, and sales pitches aside, ignoring basic disaster recovery planning is like driving without a steering wheel. If one of your best clients were to stumble because of your lack of proactive planning, where would this leave your business consulting firm?
Researching Business Continuity Checklists
While you’ll certainly want to develop your firm’s own business continuity planning checklist, and you’ll get some ideas on that in a moment, let’s first survey some checklists from others that may provide you with basic inspiration:
- A 12-point Checklist for Disaster Recovery Planning – As published in CPA Practice Advisor and written by Scott Cytron of Cytron And Co., this article is geared toward CPAs who are frequently called on to advise clients on a variety of non-accounting-specific issues.
- AICPA In Crisis - Disaster Preparedness and Recovery – Because so many Certified Public Accountants get involved in business consulting, it’s easy to see why their flagship national trade group, the AICPA, has invested in such a robust resource center and program on business continuity management.
- U.S. Department of Homeland Security (DHS) IT Disaster Recovery Plan – This checklist is from the U.S. Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) as part of its Ready Business resource site and covers most of the basics that would be especially relevant to business consulting firms with IT expertise.
- U.S. Small Business Administration Disaster Preparedness and Recovery Plan – This emergency preparedness resource from the U.S. Small Business Administration (SBA) is designed to protect the estimated 25% of small businesses that don’t reopen following major disasters.
- VMware Disaster Recovery Planning: Essential Checklist – As more businesses become highly dependent on mission-critical virtualization services, even generalist business consultants need to have at least a basic understanding of what issues need to be tackled by IT specialists.
Building Your Own Disaster Recovery Planning Checklist
After you’ve reviewed some or all of the five disaster recovery planning checklists above for inspiration and ideas, you’ll need to develop a basic disaster planning checklist of your own to use with your new and existing small business clients. Here are a few of the more fundamental areas for your business consulting firm to consider:
- Data Backup -- Do you back up individual data files daily? This includes the basics such as Word, Excel, PowerPoint, and Access files. However, also find out what other applications are in use to cover your bases. Do you back up the entire drive, volume, or partition at least once a week? Is there an automated backup schedule that removes the burden of remembering to launch the backup? How often do you test recovery with a full or partial restore?
- Physical Security -- Are all servers physically secured? What about networking-related equipment such as routers, access points, and VPN appliances? Do at least two, but no more than four, people have physical access? How is this controlled?
- Local Security -- Who has access to the root directory on the server? Who has access to the root directory of users’ home drives? Are power-on passwords used? Are passwords used to prevent tampering with BIOS settings? Have laptop users and BYOD mobile users received training on mitigating the risks of traveling with sensitive data? Is disk encryption in place on laptops and other mobile devices? Are service packs, hotfixes, and patches kept up to date?
- Network Security -- How are individual data files secured? Are application-level file passwords used? What kinds of folder and file permissions are used? Is two-factor authentication in place anywhere? What kinds of VPN and Wi-Fi security are in place? Are passwords required for logging into all servers? Does each user have an individual account and password? How often are users required to change their passwords? What account policies are in place to enforce stricter password security, such as a mixture of case and alphanumeric characters? Is a policy in place prohibiting password sharing or posting passwords on yellow sticky notes? Is some form of RAID, such as mirroring, duplexing, or striping, used to protect critical file servers from a single point of failure? Which servers are on-premises? Which servers are co-located off-premises?
- Power Protection -- Is each PC protected by at least a basic data-grade surge protector? Are those workstations with valuable data or mission-critical applications protected by battery backup? Are all servers equipped with battery backup? Are the battery backup units able to send alerts and shut down the server in case of a prolonged power failure? Is there any diesel generator power available for critical servers and related networking equipment? When was the last time a full-blown power outage was simulated to test the solution? Do all network interconnect devices have a battery backup? Are redundant power supplies in use on all critical servers?
- Virus Protection -- Is antivirus software installed on every server, workstation, and supported mobile device? How current is the installed version? Are mechanisms in place that guard against users installing unauthorized software that can carry substantial virus risk? How are e-mail servers protected against viruses, spamming, and spoofing?
- Other Areas to Consider -- Do you have a formal disaster recovery plan? When was the last time it was tested? Are there any upcoming area code changes that will affect your network infrastructure? Do you keep basic spare hardware parts on-site to minimize downtime? Are hot spares ready for critical servers and workstations? If you were unable to get into your facility for several days, what are the most critical functions that would need to be provided immediately? Does everyone on the disaster recovery team have a copy of the business continuity plan at home? Does everyone have a list of key personnel home phone numbers and addresses at home? Is a complete inventory of your hardware, software, and network configuration stored off-site? Who decides whether an event is a disaster? How will key staff and vendors be notified in the event of a disaster?
It’s impossible to plan for every possible contingency or data disaster. However, armed with the guidelines in this article, your business consulting firm can develop a checklist that outlines your evaluation of small business clients’ data safety and disaster recovery planning.
Does your business consulting firm get involved in managing basic disaster recovery planning? If so, what do you think is most important to take into account? Please share your thoughts in the comments section below.