You already know you should have a disaster plan for your practice. Every time you read about a bad tornado, flood, or fire, you wonder how your practice would cope. But how do you begin? What should a disaster plan include? The good news is that getting the basics in place is easier than you might think.
Emergency management professionals base state- and county-level plans on the emergency management cycle. You can use the same principle when creating your own plans. The cycle has four phases: Mitigation, Preparedness, Response, and Recovery. Mitigation refers to the things you do now to reduce the impact of future incidents. Preparedness entails creating a plan and testing it to see how it works. The Response phase occurs when there is an actual emergency, and it’s what you do to protect life and property at that time. Recovery happens after the fire is out or the waters have receded, when you take the actions needed to get back to normal operation.
Although most people consider a disaster plan to be one thing, you really need two. Your emergency operations plan (EOP) is your Response, while your business continuity plan (BCP) covers Recovery. You can have one comprehensive document to encompass both of these, or you can develop them separately.
Planning starts with a brainstorming session, where you’ll make a list of the risks your practice faces and the types of emergencies that may happen in your area. Most people think of natural disasters like tornadoes, floods, or ice storms. Those will certainly go on your list, but don’t stop there. What if one of the firm’s key personnel was in a major car accident? Would it be a small problem or a large problem if one of your computers was stolen? Also think about risks specific to your location. If your practice is near a highway, could a tanker truck crash lead to an evacuation order in your area?
Once you have your list of emergencies, think about what you might do now to make those emergencies less problematic. The most critical one for most practices today is establishing an off-site data backup. Other mitigation tools include having a sprinkler system in your building and cross-training personnel on key tasks.
This is the point at which you need to decide if you are creating an EOP, a BCP, or both. Assuming that you start with your EOP, you need to decide how to respond if one of the risks you’ve identified actually occurs. Many emergencies will require one of three actions immediately: shelter in place, evacuate the building, or evacuate the area.
Now begin to nail down specifics – if you evacuate the building, which exits are available, and where will you tell staff to meet so everyone can be accounted for? Who is responsible for the head count? If you need to shelter in place, where are the safest places in your building? If you must leave the area, who will lock the door once everyone is out?
Don’t forget to build flexibility into your plan. Who has access to keys and key-codes, and is it possible they might be absent when an emergency occurs? It’s fine to put the receptionist in charge of the company head-count…but what if she is out sick? In that example, your plan might say, “The staff member acting as receptionist when the emergency occurs is in charge of the head count.”
Once you’ve gotten a plan in place for responding to immediate emergencies, you can move on to longer-term concerns – the BCP. This document will be organized a little differently than your EOP. Think about your assets that could be lost or damaged in any disaster. For each one, ask yourself what you would need to do to fix it in order to resume operations. If your building is damaged, it doesn’t matter whether it was due to fire, flood, or civil disorder – you just need to plan for how to acquire a temporary location and know who to call to begin repairs. If your server fails due to water damage or a malevolent hacker, either way you’ll need to know what steps to take to restore normal network operation as soon as possible.
Once your plan is complete, communicate the plan to all staff and test it! Many of us last did a fire drill when we were in high school. When an emergency happens and your adrenaline skyrockets, you don’t want to think, “What do I do now?” but rather, “I know what to do…it’s just like the drill.” By having plans in place to deal with any emergency, you will be protecting your practice.
Camille Oliver is IT manager and a member of the Medical Services Group of Barr, Anderson & Roberts, PSC in Lexington. Ky. For more information, contact L. Porter Roberts, Jr., CPA via email at lproberts@barcpa.com or via telephone at (859) 268-1040.