Prepared or not ... that is the vital question: when unplanned events or full-blown disasters strike, RIM professionals must have a strategy to ensure survival and at a cost that organizations can afford.

• Author: Rike, Barb

At the Core

This article

* defines three types of disasters and explains how to deal with them

* identifies potential natural, mechanical, and human risks

* provides an outline and guidance for creating a disaster plan

Too few organizations are prepared for the emergencies that wait just off stage--their entrances are unrehearsed, but they will happen. Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. How prepared organizations and records and information management (RIM) professionals are to handle these events may determine whether those organizations--and RIM jobs--will survive. In fact, according to the U.S. Bureau of Labor, 93 percent of companies that suffer a significant data loss are out of business within five years. A 2002 Gartner survey found that only 35 percent of small and midsize businesses have a comprehensive disaster recovery plan in place.

Another Gartner report, The Business Continuity Readiness Survey, revealed that only 36 percent of the companies and government agencies surveyed have a plan for the complete loss of their physical assets and workspace.

Whether an unplanned event or full- blown disaster strikes an organization, having an adequate, comprehensive, and tested contingency plan can mean the difference between functioning as usual and not functioning at all. Management must implement a strategy to ensure an organization's survival at a cost, in terms of money, time, and effort, that it can afford.

What are Disasters?

The U.S. Code of Federal Regulations (CFR) in 36CFR1236 defines a disaster as "an unexpected occurrence inflicting widespread destruction and distress and having long-term adverse effects on agency operations." An emergency is defined in the same CFR as "a situation or an occurrence of a serious nature, developing suddenly and unexpectedly, and demanding immediate action."

Identifying Potential Risks

In planning to meet potential disasters and emergencies, organizations must identify what those disasters might be and how they could impact operations. The potential severity of these events greatly influences the response and the cost to protect against and recover from them. While the exact nature of potential disasters and their impact may not always be predicted, the benefits derived from identifying potential hazards and then working to eliminate or mitigate them are obvious.

Level of Impact

Most disaster planners divide the possible threats and hazards into three areas:

1. Natural or environmental threats or hazards

2. Technical or mechanical hazards

3. Human activities or threats

Disasters must be identified by the extent of their influence. The broadest range of influence affects large populations. They may be community-wide, such as an earthquake, tornado, flood, power blackout, or terrorist act. These would affect not only one organization, but thousands of others as well.

Disasters that may be local to one building or a few businesses and people might include a water leak resulting from mechanical failure or faulty building construction. Another local disaster could be caused by arson, which is said to be the most prevalent cause of business fire disasters today.

Disasters may be individual, affecting only one organization or department. The disgruntled employee's sabotage of computer record systems is becoming a more common, costly problem. And lost or misplaced files can cost companies tremendous amounts. In fact, lost information often damages an organization more seriously than a major natural disaster. Yet these occurrences are often easy to prevent by educating staff about simple safety and record handling procedures.

Business Impact Assessment (BIA)

In disasters, RIM professionals must have a strategy to ensure the survival of their organization's information. Human life is always the first consideration in any emergency or disaster. The next issue is the risk to mission-critical functions and operations. A business impact assessment/analysis (BIA) is a process or methodology that determines critical functions of an organization's business or mission. The BIA involves identifying such functions and determining the impact of the unavailability of records and information to keep those operations going. The BIA presents findings documenting the financial, service level, or other impacts to the organization.

Sample BIA questions might include:

* If the online computer systems were not available, how would the department continue to operate?

* What is the minimum office space the organization needs to continue to operate?

* Could the organization operate without most of its office equipment for five days?

The BIA also determines declines in service levels, the areas of a company most likely to be impacted, an estimate...