Florida Association of Insurance Agents

Agency Disaster Planning Key Considerations

Table of Contents

• Overview
• Steps to Take Well Before a Disaster
• Steps to Take When a Disaster is Imminent
• Steps to Take After A Disaster Strikes
• Some Final Thoughts
• Additional Resources

Disclaimer

The purpose of this class is to educate agencies in considering issues relevant to developing their own disaster plans. It includes only general information, and is not intended to provide advice tailored to any specific agency situations since this is a dynamically changing area. It is intended solely as a guide to help in planning, and is not a substitute for independently evaluating any business, legal or other issues, and is not a recommendation that a particular course of action be adopted. If specific advice is required or desired, the services of an appropriate, competent professional should be sought.

Overview

After the storms of 2004, FAIA hopes this class on preparedness will inspire you to take steps now that will protect the ongoing viability of your agency should a disaster strike. A disaster can bring your business to a standstill; it can keep you from servicing the needs of your clients when they most need it; and it can jeopardize the ongoing viability of the business you have spent your life building.

Unfortunately, a disaster of some nature can strike any agency. No one is immune; no one is too distant from them. The disaster can result from fire, wind, ice, flood, hurricane, earth movement, terrorism, hazardous material, spyware, viruses, worms, and other causes. To the affected business, the net result is the same because it may not have access to its systems, its phones (land lines or cell), the Internet, nor its fax lines at the very time when hundreds of its customers need assistance.

In the aftermath of the multiple hurricanes in Florida and surrounding states during the summer of 2004, a major problem faced by agents and brokers was getting their computer and telecommunication systems back on line to enable the firm to handle the onslaught of claims. Many agents did not know where to turn for help. An increasing number of vendors, user groups, associations, and consultants offer defined services to agencies to help them in these situations. Where the agency will turn for help in such a crisis needs to be established in advance and made a part of the continuity plan.

The critical things are for the agency or brokerage firm to think through how it will manage the disaster in advance and to develop a continuity plan where its employees understand their role in the emergency and regularly practice responding to the various contingencies. This class will focus on the key, strategic issues agents need to be aware of and take action on to implement an effective disaster plan. In addition, you will find the catastrophe planning tools available on the market to be very helpful as they structure their plans. These are listed under "Additional Resources" at the end of this report.

The following class is divided into three major sections: Steps to Take Well Before a Disaster; Steps to Take When a Disaster is Imminent; and Steps to Take After a Disaster Strikes. As you plan, remember that with some disasters, you will not have any warning to take the steps outlined in the "Steps to Take When a Disaster is Imminent" section, so try to be as prepared as possible in these areas on an ongoing basis. Also, keep in mind that you do your disaster plan in today's world, with today's technology, and that world may very well be significantly changed or gone after a disaster strikes. For example, you may decide to rely on cell phones as a back up, but after the disaster when the phone lines are down, the cell towers also may be inoperable or the cell phone circuits overwhelmed by all of the traffic, or more often than not, the surviving circuits are dedicated to emergency personnel, and those in key roles of government.

Steps to Take Well Before a Disaster

Developing, Instilling, & Practicing the Disaster Plan

Have a staff team develop a disaster plan, which assigns roles to each staff member. Each staff team handling an aspect of the disaster plan can have a coordinator who reports to the agency's president/CEO. The plan can be reinforced regularly in staff meetings, and the staff can brainstorm regarding possible disasters and the steps that should be taken in each situation. Remember, when a staff member leaves your employ, his/her duties under your disaster plan need to be reassigned immediately. FAIA suggests assigning these duties to senior staff for continuity purposes.

Once you put your team together, everyone will need to be assigned a task or "Job Description". This will ensure that there is a clear path to develop a proper plan.

Prepare a list of employees and their contact information that includes their work assignments related to a disaster for the period leading up to the event, during the event, and after. Producers/sales people should be redeployed to greet clients who come in after a disaster since their job rolls will change drastically after a disaster, and there will be virtually no new business written initially.

Develop a phone tree system to contact all employees before and after the disaster. Document this and make sure all employees know their role. Update your call list and telephone numbers frequently (cell and all other numbers). You should also test this on occasion.

Investigate what services are available to assist the agent with disaster planning, as well as dealing with the aftermath of an event, such as the agent's user group, vendors, association, or computer consultant. (Also see the "Additional Resources" at the end of this report.) Perhaps most important, the disaster plan should spell out specifically where the agency or brokerage firm will turn for help to get each aspect of the business operations back up and running.

NOTES:

A hard copy of the disaster plan, including a list of all employee, carrier, vendor and emergency numbers and contact information (addresses and faxes), should be kept in a designated place in the agency known by all employees, in case a disaster occurs and the information cannot be accessed electronically. In addition, you may want each employee to have a hard copy of the disaster plan at home, including this same list of employee, carrier, vendor and emergency contact information.

Different aspects of the disaster plan should be tested and practiced regularly. This should be part of the plan.

The plan should foresee that when the disaster occurs, the agency or brokerage firm will not be dealing in an environment where some or all of the existing services continue to be available.

Make sure the agency has all of their paperwork in order, and in safe locations. All resources that will be needed to survive the disaster, assets that are prearranged, and yes, review the insurance policies of the agency!

Make a list of all active clients, which should include active policies with the policy number, billing and issuing company, and expiration date of policy. You may also find helpful an expiration list of policies to be processed for the next six months. Make a list of all vendors which can help you get your computers, software, phone systems, phone and Internet lines, and any other systems and equipment up and going again after a disaster. You may want to print these lists as well as export them to a portable storage device of one or more senior staff of the agency or brokerage firm, and even copy them onto a disc that can be retained by appropriate senior staff. It is critical that special steps be taken to protect the security of this vital agency information that is taken off-site.

NOTES:

Incorporate as a part of your regular, ongoing communications with your policyholders information spelling out what they should do in the event of a disaster and whom they should contact.

Be prepared to communicate with your policyholders via newspapers and radio ads with pre-designed ads. You may need to direct them to a new phone number or to a specific location. You can also use technologies like reverse 911 calling to contact your customers prior to an imminent disaster.

Have a contingency plan to access additional staff resources to relieve your regular staff during a disaster because typically the normal agency workload dramatically increases when dealing with a disaster situation. Your association has an extensive catastrophe network setup for this specific need. Use it!

Consider a financial disaster reserve to deal with the added costs the agency may encounter as well as the possible losses due to business interruptions.

Find out if insurance companies with which you do business will provide the agency with drafting authority for claims if not already permitted under the agency appointment agreement, and if so, set up the workflows for that processing, and include it as a part of the plan.

NOTES:

Protecting Agency Data & Systems & Preparing to Access Them After the Disaster

Listed below are some key steps you can consider taking to protect your data and systems:

• Not only does your most current data need to be backed-up and stored off-site in a secure way, you must be able to access it from off-site. Contact your agency management system vendor to see what it can do to make sure you have access to your management system remotely after a disaster.
• Develop a relationship with your current agency management system vendor or other third party to back-up your data out of your region where you can access it and your agency management system following the disaster from a secure Internet site.
• Make sure your staff are assigned passwords and are trained on accessing policyholder information remotely from this off-site source.
• Some off-site sources will perform authorized functions for the agency, if the agency is unable to access its systems locally. These contingency arrangements should be established in advance so that the appropriate agreements can be put in place, covering such things as scope of the third party's authority to act on the agent's behalf, agency notification before certain actions are taken, and the privacy and security protections the third party will employ to safeguard client and agency information.
• If possible, load your management system on one or more office laptops since these are easier to power up or recharge than a desktop.
• Consider a relationship with a technology firm that has the capability to provide the agency with emergency services, such as a help desk, on-site assistance and equipment to help the agency get back up and running after a disaster.
• If you use a sophisticated phone system, you will need to make and have copies of your configuration files for this system in the event that loss of power or power spikes corrupt the configuration of the system. Make sure you have staff on hand that intuitively has an understanding of how to get the switch back online since it may be difficult to get your vendor on site after a disaster.

NOTES:

Connectivity -- Protecting Internet Access

If you use an ASP (Application Service Provider) over the Internet, find out what they can do for you in the event you have no Internet connection. Some will provide the software and a way to load data on a laptop in emergencies.

If resources allow it, consider having a redundant Internet connection. For example, if you use DSL, get satellite or an Internet wireless service (WAN). Using a combination of WAN and satellite, FAIA was able to keep Internet access most of the time as it set up in areas affected by the hurricanes in 2004.

With the advent of the up and coming EDVO high speed wide area networks, you could also explore the use of these technologies to use such things as you PDA as a high speed modem to access the Internet.

Protecting Equipment & Providing for Continued Electrical Power

Listed below are some important steps you can consider to protect your equipment and continued access to power:

UPS Systems

Have a UPS (uninterruptible power supply) on all equipment. This not only allows a controlled shutdown, it also affords a conditioned electrical circuit when power is restored or you use a generator. Do not run wires directly from a generator to a computer; it has a tendency to "fry" the computer. Make sure you use the conditioning aspect of the UPS first by plugging equipment into it.

Consider a UPS with a power rating that is able to provide continuous power to the workstation for a minimum of 15 minutes, and the servers for a minimum of 30 minutes. This will allow for enough time to properly close all open files and properly turn off the systems, preventing data loss or corruption. Note: Most UPS systems come with software and cables that allow for the automatic closing of files, applications, and the powering off of the workstation/server, if power is lost for a period of time.

UPS units should be tested at least quarterly. This is best performed when the workstations and servers are in an idle state and not being accessed, and allows enough time for the UPS to recharge (end of business day or weekends). Remove the UPS input power plug from the electrical socket, and record the total time that it takes for the UPS to quit supplying output power to the workstation/server. If the total time is not within your expectations, replace the UPS batteries or entire unit. Most of the current UPS systems will tell you when their batteries are not functioning properly. At FAIA, we expire batteries after two years of service regardless of the condition.

NOTES:

Generators

Purchase a generator that can run all mission critical equipment. Don't forget your phone systems. Look into whole office generators. In 2004, 100-200 amp generators cost in the range of $4,000 - $7,000. Carefully assess differing power needs in winter and summer. An alternative approach is to contract with a firm that will drop off and activate a generator in the event of a loss of power. The agency should have a high confidence that the firm will perform before taking this approach. Check the additional resources for information on such firms.

Make sure the generator is located out of the building and away from its windows and doors, since fumes and carbon monoxide can make staff ill or be lethal. Also consider the impact of the elements on the generator, since you may be experiencing a lot of rain after a storm or ice conditions.

Test the generator and check the oil and fuel levels according to the directions with the unit, and at least on a quarterly scheduled basis. Make sure to test the generator under an electrical load to assure that it is producing electricity (rather than the motor just running). Also, make sure you rotate fuel especially in gasoline generators since the shelf life on such products is limited.

Have your generator serviced by an authorized service technician at least annually to ensure proper operation and maintenance.

Have a licensed electrician wire your electric panel for a clean cross-over to generator. Don't try to do this yourself unless you are a licensed electrician.

If the agency has a rented office, find out what plans the landlord has made to power the building in the event of a disaster.

NOTES:

Alternative Communications

Listed below are some important steps you can consider to maintain communications during and after a disaster:

• Understand the phone company's restoration procedures when giving priority to businesses such as insurance agencies even though they play a vital role in handling claims for the public. (Note: Depending on the outage, it's not always a matter of being on the priority list. From a safety standpoint, the phone company may have to restore certain service first to avoid dangerous spikes in power or more outages.)
• If there is a risk that your phone system can lose programmed data, follow the recommended back-up procedures for the system and store the back-up in a safe off-site location, as well as on-site location as mentioned above in protecting data.
• Know in advance how to switch your incoming telephone calls to another line both at the switch in your office and via your telecommunications provider remotely (in case your office is without power or your staff is unable to get into the office).
• Consider having an alternative telephone answering service such as a call center, a branch location (far enough away so as not to be likely to suffer the same disaster), etc. A remote phone call center service could handle the agency's calls after hours as well as during emergencies. In many cases, these vendors have access to the agency's data to answer questions and can provide referrals to carrier claims centers, if so authorized by the agency.

NOTES:

Cell phones will more than likely not be a reliable source of alternative communications given that the sheer volume of cell calls following the disaster may overwhelm the system or the cell towers may be down because of the disaster. Don't rule it out, just don't make it your only alternative.

Make sure those handling your calls have been given appropriate scripts and have the most up-to-date carrier claim phone numbers. Have an escalation procedure for when specific agency personnel should be contacted to respond since they may not be able to handle the personality they are dealing with at that moment.

Buy some inexpensive phones that you could use to bypass your phone system's master PBX in the event you get phone service before electric service. You should route an alternative phone line from where it enters the building directly to a phone jack, to which a simple phone set can be attached.

Have the vendor who installed your phone system develop a crossover for your regular phones to an alternative phone line. Document and test it.

Provisions to Have On Hand

• Listed below are some provisions you may want to have on-site:
• Fans, extension cords, batteries, flashlights, battery-powered lamps and radios, and low heat, low-energy lighting available to use with your generator.
• Sufficient bottled water to handle employees' needs for two weeks.
• Canned or dry food goods that do not require refrigeration or cooking.
• Can openers, paper/plastic utensils, plates and cups, trash bags, bleach, paper towels and cleaning supplies, and hand wipes.
• First aid supplies and blankets.
• Snacks and candies for staff or customers.
• Bug spray.

NOTES:

Steps to Take When a Disaster is Imminen

Pulling The Trigger

It is a luxury in Florida that most disasters are known about well in advance, and we get plenty of time to prepare since most of our disasters come in the form of Hurricanes. If you know the disaster is about to strike, one key process you must have in place is "The Trigger" Sounds similar to an insurance policy. Regardless of any preparations, if you do not act at the appropriate time, the possible outcome could be fatal. Things to think about:

• Create a non-emotional mechanism to implement the plan. For example, "if the storm gets within this range of lat/lon, we execute."
• Do not deter from the plan based on past experience. Hurricanes don't make flight plans! It does not listen to weather reports.
• The worse that can happen by implementing early is you were over-prepared.

Implement Disaster Plan

If the disaster is during the work day, and you have warning about it, take appropriate steps to assure that your employees and office remain as safe as possible. Confirm that your employees know their roles. If it is after-hours or you have employees who telecommute or work from remote locations, you may need to implement your phone tree.

Activate the central number employees can call after the disaster to get instructions and to learn about next steps. This line can include a recorded message with this information. A secondary "backup" number can be added, further mitigating the chance of lost communications. Direction should include what staff should do if they are unable to meet their assignment.

Communicate with customers as to what they should do if a disaster strikes and how they should communicate with you in such an event. Include toll-free numbers provided by insurance carriers for claims and/or customer service and numbers for back-up call services if the agency has contracted for this resource. Research local reverse 911 technologies to call customers for you.

NOTES:

Protecting Agency Data & Preparing to Access It After the DisasterIf a disaster is imminent, double-check these data and systems issues from your Disaster Plan (See above section on data and systems protection). Also, consider these steps with your work-in-progress:

• Be sure all data is backed-up and secure, per the disaster plan you developed.
• Make sure your data is properly backed-up with your agency management system vendor or the third party you developed a relationship with prior to the disaster. You should have at least two backups that are kept securely in separate off-site locations, and preferably, one out of the region.
• Be sure your list of all active clients is complete, per the disaster plan you developed. You should also run an expiration list of policies to be processed for the next six months and contact those renewals that are coming up for action around the time of the predicted disaster.
• Staff should complete processing of all work that is outstanding (consistent with carrier directives), especially that which relates to coverage for the disaster. This includes outstanding endorsement requests; any policies that are not an "automatic" renewal such as E & S placements (paperwork sent in and premiums paid); following up on any policies that are pending cancellation due to non-payment (depending on agency policies for handling such pending cancellations); etc.
• Be sure your list is current of all insurance company addresses, phone numbers and fax numbers with which your agency or brokerage firm does business. Be sure your list is current regarding all vendors that can help you get your computers, software, phone systems, phone and Internet lines, and any other systems and equipment up and going again after a disaster. Touch base with them prior to the disaster to make any plans necessary.
• Print all of the above lists as well as export them to a portable storage device that is kept in a secure and safe location by one or more senior staff of the agency. Also consider loading this information onto the laptop of a senior staff member, provided special attention can be paid to safeguarding the laptop and protecting the security of the sensitive agency information contained on the laptop.
• Disconnect all electrical equipment.

NOTES:

Make sure all surfaces are clear of paper and that work in progress is wrapped in plastic to protect against water damage, if possible, placed in boxes bearing the employee's name, and put in as safe a location as possible.Before packing desks up, make sure all outstanding work that relates to coverage for the disaster has been processed and sent, as discussed above.

Protecting Equipment & Providing for Continued Electrical Power

Consider these important steps to protect your equipment if a disaster is imminent:

• Make sure your generator has fuel and oil enough to run for days, and possibly weeks. (We have seen agents without power for extended periods of time. It depends on the magnitude of the disaster.)
• Test the generator under an electrical load to make sure it is producing electricity one more time (in addition to the motor running).
• Disconnect all electrical equipment from the wall.
• Take reasonable steps to protect all equipment. You could put plastic over it, or store it in an area away from the windows where it may be less likely to suffer water or other damage. Double check to make sure all equipment is disconnected from power sources to eliminate possible heat damage if power is restored.

Alternative Communications

This is now the time to redirect your phone numbers if you have this in your plan. Do this before the disaster, because after the event the telephone companies will be focusing on other issues, such as restoring service based on priority of need. Phone companies will focus on emergency services, hospitals, and other key support mechanisms first, so be prepared to be without power for some time.

Call your phone vendor and Internet provider to advise them that they should try to put your agency on the priority list, since after the storm you will be servicing clients who need immediate recovery help.

NOTES:

Provisions to Have On Hand

Listed below are some provisions you may want to have ready to use during and after a disaster:

• Prepare your office to be without power and phone service for a long period of time. Strategically place lighting and fans around the office at this point since you may not be able to easily find them when you come back. This includes stairwells and entry/exit areas.
• Place lighting devices that come on when power is interrupted to help you see in the dark.
• Fill coolers with ice, water, and Gatorade-type products (better than sodas for electrolytes).
• Make sure you have plenty of non-perishable food and snacks for your staff. Sweets work well since they provide immediate energy. Fresh fruit is also a treat if available. Provide for a method to make hot coffee or tea, if possible.
• Fill your refrigerator with other products if you have the power to run it.
• Have enough cash on hand to meet needs following the disaster for a few weeks, since banks and ATM's may take time to come back on line because of infrastructure damages in your area. Most people will only take cash during a catastrophe, be prepared for this.
• Review your disaster plan as a checklist for all other supplies that may be needed and replenish or purchase whatever is needed.
• Check for full first aid supplies and adequate blankets.

NOTES:

Implementing the Disaster Plan

Listed below are some suggested steps to consider taking after a disaster:

• Do an assessment of the damage to your office, equipment, and staff. Determine what can be done to bring your office back on-line.
• Assess the personal and financial impact of the disaster on your employees, and make sure their needs are being met, so that they can focus on agency operations. Assist them in any way that you are able since they are your number one asset!
• Make your office area as safe as possible to accommodate walk-in traffic. If it is not safe, identify another location to meet policyholders and post a sign to direct them. Have the alternative location information posted on your website and included on a message callers hear. Set aside an area of the office to greet clients and start the information gathering. Remember you may have children present so have some toys/activities/snacks to keep them occupied and comfortable.

Provisions

Have things in place for your policyholders such as water and other beverages, snacks, and most of all…friendly faces. They want you to help them and are there to make a claim. Treat each policyholder as if this were the only claim you received that day because it is their only one. Ask your staff to put on their game face to focus on the policyholder's needs, even though they too are likely to have been affected by the disaster in some way.

Be sensitive to the pressures on your staff in the aftermath of a disaster. There is a high probability that your staff will be taking thousands of claims from a myriad of different personalities each having their own feelings. Your employees will be dealing with their own emotions and losses as well. In this environment, schedule shifts that will give your staff time to rest, take care of their personal needs, and rejuvenate themselves.

Unfortunately, disasters can strike in many different forms and levels of magnitude. People's reactions to disasters vary greatly as well. Some people can handle them, others cannot. The key is for you not to be complacent, because disasters do happen. If you plan for the possibility, work your plan, monitor it, and modify it when you need to, you will be prepared, both personally and professionally, and you will guide your agency through the disaster successfully.

NOTES:

Additional Resources

IIABA has released the Best Practices of Crisis ManagementA Step-By-Step Business Recovery Planner. This tool includes both a written manual and an interactive CD designed to enable you to create an in-house, fully customized plan to lead your agency step-by-step through the disaster recovery process. This guide is available for $99.95 shipping and handling included. (www.independentagent.com, click on Best Practices, then click on Best Practices Product Catalog.)

The Institute for Business and Home Safety (IBHS) has a free "Disaster Planning Toolkit for the Small Business Owner" on its web site which includes a lot of helpful forms. In addition, free single copies of a "Disaster Recovery Folder" are available from IBHS. This tool contains planning advice and can hold the agency's important papers. These tools also make good hand-outs for the agency's policyholders. To access the tools, go to www.ibhs.org and click on "Open for Business."

The National Institute for Occupational Safety and Health (NIOSH) web site contains an excellent list of emergency preparedness resources and emergency contact information at: http://www.cdc.gov/niosh/topics/prepared/.

A search of "Insurance Agent Disaster Planning" and "Small Business Disaster Planning" on www.google.com displays several additional resources to consider.

• Afni Insurance Services provides a state-of-the art call center that can help you should hurricane Frances impact your agency's ability to do business. Lose your power, lose your phones, need additional help...call Afni Insurance Services and we'll set up a temporary emergency service to help your agency. They'll answer the phone calls as your agency, you will be notified of every phone inquiry, all calls are recorded, and we can provide referrals to company claims centers as you designate. AMS, Applied and DORIS users, we can extract your data so it is available to our call center via the Internet. 866-236-4467 www.afniinc.com

• AMS now offers a disaster recovery program exclusively for AfW, AMS360, and Sagitta Browser agencies. Agencies subscribing to DRS that experience a disaster simply ship their most recent backup tape(s) to AMS's data center in College Station, Texas via overnight delivery. Agency employees can be servicing customers using their AfW or Sagitta Browser data from home or from a temporary location within just a few days. http://www.ams-services.com/usercenter/drs.asp (800) 299-1415
  
  
• Applied Systems has LIVEVAULT LiveVault is a leading provider of online data backup and disaster recovery services. The service automatically and continually backs up business server data through a secure Internet connection and stores it in a secure, off-site IBM e-Hosting facility, where it is available for immediate recovery. LiveVault services enhance the data storage and recovery services that Applied Systems provides through its agency management automation. Contact your Client Solutions Representative at 800-999-5368 or email csnews@appliedsystems.com for more information.

• Courtesy Computers (FAIA Endorsed Vendor) has created a "Courtesy Care Hotline" in lieu of Hurricane Francis, to provide agents with emergency 24/7 Information Technology help desk services and support. Call 954-321-8605, and press extension 600. You will then be routed to the next available Courtesy Care engineer.
  
  
• Agility Recovery Systems Can offer your agency complete computer systems, Office generators, and data telecommunications, but a relationship needs to be established in advance for them to place assets aside in the event of a loss Contact: David Van Dyke 321-689-4919 david.vandyke@agilityrecovery.com
  www.agilityrecovery.com
  
  
• Attached is a sample of a plan you can obtain from a company called Right Track Associates at http://www.ittoolkit.com/drp_kit.htm.

IT DISASTER RECOVERY PLAN Enter Company Name or Department Here Version: [#] Enter Author's Name Here Enter Author's Title Enter Company and/or Department Name February 5, 2007 CONTACT INFORMATION Name Title Company Department Location Phone Email

SECTION 1.0 STATEMENT OF GOALS AND OBJECTIVES

As this section is documented, the following questions should be considered:

What are your disaster recovery planning goals? To provide operational continuity and quick recovery for all critical systems impacted by a technology related disaster event. To ensure that the disaster recovery program is properly communicated to all staff, clearly identifying all essential roles and responsibilities.

• To ensure adherence to established safety procedures, exit plans and related emergency requirements.
• To maintain an orderly process for business resumption and systems recovery.
• To ensure that disaster recovery activities and strategies are continually tested and revised as needed.

How will this plan be used and distributed within your organization?

How will this plan be integrated with other business recovery and employee safety plans? Why is this plan important and valuable to your organization?

SECTION 2.0 DISASTER RECOVERY PLANNING ASSUMPTIONS

As this section is documented, the following steps and issues should be considered.

2.1 Requirements Assumptions

• State your technology assumptions (identifying the systems and services to which this plan applies).
• State the business locations and operational units to which the plan applies.
• State your planning and recovery "priorities" assumptions:
• Identify critical business operations and functions.
• Identify critical systems and related IT services.

2.2 Recovery Assumptions

List the systems covered and the capacity to be restored, as in this example:

• 50% of critical functions will be restored within 24 hours.
• 100% of critical functions will be restored within 48 hours.
• List the scenario conditions covered by the plan. (i.e. Business Site Down, Tech Site Down, All Sites Down, Technology Down).
• Specify the outage duration addressed by the plan. (i.e. This plan applies to disaster events lasting no longer than 60 days).
• List the dependencies. (Vendors, external support providers or internal support groups upon which the plan relies).
• List the exclusions. (Identify any disaster conditions not covered by the plan. Example: "This plan is not designed to address disasters occurring in international locations".)

SECTION 3.0 PLAN ACTIVATION CRITERIA

As this section is documented, the following questions should be considered:

3.1 Plan Activation Criteria

• What types of events will trigger plan activation?

3.2 Plan Activation Procedures

• How will these events be evaluated to ensure that plan activation is appropriate
• Who will be involved in this event assessment process?
• How will assessment recommendations be escalated to the appropriate decision makers?
• Who must approve plan activation?
• How will the plan be activated?
• How many approvals are required?
• How will plan activation be communicated?

SECTION 4.0 SCENARIO AND RESPONSE STRATEGIES

This section should be used to identify the disaster scenarios covered by this plan, and the response strategy associated with each.

Scenario Description	Planned Response Strategy	Expected Response Results	Post-disaster Expectations
Describe the scenario: i.e. Temporary loss of access to main office site.	Describe the planned response: i.e. Move to the hot-site.	Describe the expected response result. i.e. 75% of all critical functions will be active at the hot-site in 4 hours.	Describe expected post-disaster activities. i.e. Once the main office is again accessible, data entries created at hot-site will be restored to production systems.

SECTION 5.0 DISASTER RECOVERY REQUIREMENTS

When documenting this section, the following issues and questions should be considered:

5.1 Technology Requirements

• What types of systems are currently in place?
• How are these systems configured?
• Where are these systems located?
• What role do these systems play in business operations? (how are they used, by whom, and for what purpose?)
• Which systems can be deemed critical and essential to business continuity?

What types of hardware and software devices (including data) will be required to establish and maintain critical business operations in the event of a technology related disaster?

• Desktop Computers
• Desktop Printers
• Fax Machines
• Network Servers and Devices
• Specific Software Applications
• Data Files and Databases
• Telephones and Voice Mail
• E-Mail Access
• Internet Access
• Videoconferencing

5.2 Operational Requirements

• How does your business/organization operate?
• What are the most critical business operations?
• What are the most critical job functions?
• How is technology used to support critical these business operations and job functions?
• What types of services does IT provide to the organization?
• What role do these services play in the disaster recovery and business resumption process?
• How will these services be maintained during a disaster condition in terms of the number of resources required, how those resources will be contacted, and what specific skills will be required?
• Will external or temporary resources be required to maintain IT support services during a disaster condition?

5.3 Communications Requirements

• How will effective communication be maintained take place during and after a disaster event?
• How will communications systems (telephones, wireless, email, internet, intranet) be used to communicate during and after a disaster event?

5.4 Backup Requirements

• What types of backups will be required?
• What is the required backup schedule?
• How will backup medium be rotated for re-use?
• Where will backups be stored?
• How much time is required to restore critical data?

5.5 Documentation Requirements

• What types of documents will be required to support the disaster recovery process?

5.6 Supplies Requirements

• What types of business equipment (non-computing) and office supplies will be needed to support the disaster recovery process?

5.7 Training Requirements

• What types of training will be provided to IT staff to support the disaster recovery process?
• What types of training will be provided to non-IT staff and employees to support the disaster recovery process?
• What types of training (and/or information) will be provided to external service providers and customers (if applicable) in support of the disaster recovery process?
  

SECTION 6.0 DISASTER RECOVERY PROCEDURES This section should be used to specify "step-by-step" procedures to be followed in the event of a covered disaster event:

6.1 Communications Procedures

• Emergency contact information for employees, customers, vendors and any other groups or individuals as needed for plan support (including primary and alternate contact designations).
• Communications Step-by-Step: detailing the "disaster-related" use and availability of telephones, wireless devices, voicemail, email, intranet and the company web site
• Escalation procedures to be followed in the event of a disaster condition.
• What is the "disaster" chain of command?
• How will disaster issues be escalated through the established chain of command?
• Ongoing "how-to" information during the crisis event (to keep staff informed on current status, and day-to-day business procedures).
  
  

6.2 Remote Access Procedures

• What types of job functions and internal operations can be performed from a home office location?
• What type of hardware and software will be required for this type of access?
• Will end-users require any special training?
• How will alternate systems and remote access procedures be activated and communicated to end-users?

6.3 Technical Implementation Procedures

• How will systems be installed, configured and administered during a covered disaster event?

6.4 Backup and Data Recovery Procedures

• How will backups be retrieved in the event of disaster plan activation?
• How will data backups be restored for access?

6.5 Temporary Access Procedures

• How will access be provided to "backup" systems? (userids, logins, passwords, applications and data)?
• How will access be provided to any alternate office/business resumption sites?

6.6 Technical Support Procedures

• Who will be responsible for technical support during a covered disaster event?
• What types of technical support will be provided?
• What are the hours of support?
• How will support requests be made?

6.7 Alternative Operating Procedures

Which business operations can be met with the use of standalone computers? How long can these standalone operations be used to serve temporary business needs? What steps will be required by IT staff and end-users for transition to standalone operations? How will critical data files be made available during the crisis period? Which business operations can be met with the use of manual operational procedures? How long can these manual operations be used to serve temporary business needs? What tools will be required to maintain these manual operations (i.e. forms, information, policies and procedures)? What are your standalone hardware and software requirements in terms of…..

• Desktop Hardware and Software
• Telephones and Wireless
• Laptops
• PDA's
• Peripherals (modems, printers, fax)

SECTION 7.0 ROLES AND RESPONSIBILITIES

This section should be used to identify the structure of the DRP Team:

7.1 Organizational Chart

7.2 Resource Roles and Requirements

What types of resources and skills are required to properly plan and support disaster recovery activities? How many staff resources (in numbers and/or hours) are required to plan, develop and test your disaster recovery program? How many additional staff resources (in numbers and/or hours) are required to manage and maintain systems in accordance with disaster recovery and business resumption requirements?

• What are the required DRP roles and responsibilities?
  
  
  • DRP Leadership
  • DRP Planning
  • DPP Technical Design
  • DRP Activation
  • DRP Support
  • DRP Compliance
  • DRP Verification
  • DRP Maintenance

Who will fill these DRP roles and responsibilities?

SECTION 8.0 PLAN ADMINISTRATION

When documenting this section, the following issues and questions should be considered:

8.1 Plan Approval Procedures

• How will the plan be approved?

8.2 Plan Distribution Procedures

• To whom, and how will the plan be distributed?

8.3 Plan Maintenance Procedures

• How will the plan be maintained and updated?
• How should questions and feedback be submitted?
• How will the plan be tested and verified?
  

SECTION 9.0 SUPPORTING DOCUMENTATION

This section should be used to identify all related documents and information needed to support the plan and all related implementation procedures.

Document Title	Date	Version	Location	Contact Information
DRP Team Contact List	1/1/03	N/A	Attachment	Jane Doe
Company Phone List	1/1/03	N/A	Attachment	Human Resources
Organization Chart	1/1/03	N/A	Attachment	Human Resources
End-User Support Procedures	1/1/03	1.0	Intranet	Bob Smith
Service Level Agreement	1/1/03	2.0	Intranet	Bob Smith

APPENDIX A: DRP APPROVAL

To: [Name of the individual collecting approvals] Date: [Enter approval date here] [DRP Title and Version] Approval Terms: 1. I have read and understood all test conditions and specifications as documented in this DRP.

2. I believe that DRP is an accurate reflection of all disaster recovery planning goals, requirements and deliverables.

3. I understand and accept all planning assumptions.

4. I understand and accept all DRP scope inclusions and exclusions.

5. I understand and accept DRP risks.

6. I agree to any and all assigned roles and responsibilities.

7. I understand and approve all DRP costs.

8. I understand and approve all DRP activation criteria and procedures.

Additional Terms and Comments:

Name:

Title:

Phone:

Email: