Hello and welcome to the session in which we will discuss the disaster recovery plan, which is the fourth component of a business resiliency plan that's going to put you online as soon as possible. What is a disaster recovery plan, or DRP? Well, this is a documented process or set of procedures, for what purpose? To help an organization recover and resume its operation after some sort of disruptive event. That disruptive event could be a natural disaster like Hurricane Katrina, an earthquake that happened in Turkey, it could be a cyber attack, equipment failure, some sort of a failure. So the disaster recovery plan, the objective is to minimize that downtime as well as protecting critical data and systems, for what purpose? To make sure you are still in business, to ensure business continuity.
Now, one of the key components of this disaster recovery plan is establishing an alternative site, basically an alternative place for business operation in case your headquarters or your primary site becomes unusable for one reason or another. And those sites, we're going to discuss them, they can be categorized into a cold site, a warm site and a hot site, depending on the readiness and level of infrastructure and also depending on how much you want to invest in those alternative sites and how fast you want to get back online, how fast can you afford to be offline: a day, an hour, 10 seconds, so on and so forth. We're going to start by looking at the steps in the disaster recovery plan and we will discuss the alternative sites.
The first step in the disaster recovery plan is risk assessment, which is identifying potential threats and evaluating the impact of those threats on the organization. Simply put, you want to be aware of what the threats are. What could be a risk to your business? Also, you want to assess, you want to say what is the probability of that threat occurring and, if that threat occurs, what are the consequences of each different threat, of each different risk, and prioritize and respond. But notice risk assessment, we went through risk assessment when we did organization continuity planning and when we did crisis management. Assessing risk is important because the first thing you want to know is, are you aware of what you are facing?
The next thing you do is you establish recovery objectives. You need to determine something called RTO, which is recovery time objective, and RPO, which is recovery point objective, for each critical system or function that you have. What is RTO? RTO is how much time can you tolerate before you can recover? Like, it is the maximum acceptable amount of time it should take to restore the operation after disruption. So how much time offline can you tolerate? Establish that. Is it a day? Is it a week? Is it an hour? Is it a few seconds? For some companies, RTO is a few seconds. For example, if you are a company like Vanguard or Merrill Lynch or Charles Schwab, companies that trade stocks, or E-Trade, well, they cannot afford their system to be down for even 20 seconds. So their RTO is very small. So they have to have an alternative backup system immediately. Other companies, they could have a little bit more leverage. RPO is the maximum amount of data loss that can be tolerated, recovery point objective. How much data can you lose and kind of still be okay? You need to know this. So you need to know your limits.
Establish your recovery objective. Then you identify the critical systems and dependencies. List essential systems, software, processes, personnel, applications, and data that must be recovered to maintain business continuity. How much data do I need? And basically, you should determine this in the RPO step here. Also, you identify the dependencies between the systems. If I have system A up, is that enough? Or they have the system B? Or do I have A, B, and C in order for the company to function? Or can I have only A and I can function with one system? And develop and prioritize the recovery sequence. And A, B, C, which one should I bring back online first?
Then you assign people and responsibilities. You designate a disaster recovery team, just like with any sort of a team, like crisis management, with clearly defined roles and responsibilities. The team should be responsible for executing the plan, coordinating communication and making decisions during the disaster. So during the disaster, you don't try to identify the people. You want to identify them up front. Why? Because you want to train them. You want to make sure they are ready for this.
Then you develop a communication plan, which is, you outline a communication protocol to ensure that relevant stakeholders, employees, suppliers, vendors, are informed about the disaster and the recovery process here. The plan should include communication channels: how am I going to contact you, email, telephone, online, social media. I should have a contact list of important people that I need to contact and templates for announcements. I should not be writing those announcements right there. I should have a prepared template for each type of crisis. Is it a natural disaster? Is it a cyber attack? Is it hackers? What's going on? I need a template for each.
You want to document this, obviously. Create a detailed written plan that includes all the components mentioned above, along with the instructions, checklists and contact information. And this document should be accessible and easily understood by all people who are involved.
Now the people who are involved, they need to be trained and educated, okay? Ensure that the employees and members of that team are familiar with the plan, as well as the responsibilities, and conduct regular training sessions and workshops to keep them informed.
At the end, you test and update the DRP on a regular basis to ensure its effectiveness. This is how you know. And during testing, you might identify gaps or weaknesses. What do you do? You fix those gaps and weaknesses. You conduct simulation drills or tabletop exercises to evaluate the plan's feasibility and you update the plan as needed in response to that testing.
Now we talked about alternative sites. There are three types of alternative sites: a cold site, a warm site and a hot site. Simply put, if your site went down, and this became critical after 9/11. After 9/11, the New York Stock Exchange, because of the area where the terrorist attack occurred, they could not function. The New York Stock Exchange could not. So they needed a hot site that they can operate almost immediately. But let's see the difference between cold, warm and hot.
A cold site. A cold site is a basic facility with minimal infrastructure and no pre-installed hardware, software or communication equipment. So you have a building, maybe it's wired, but no hardware, software or communication. It provides a physical space, power and cooling system, but the organization needs to provide and install all the necessary equipment. So you have the place wired, but you don't have the equipment. Okay. And you still need to configure the system to resume operation. Now cold sites are not expensive. They're the least expensive option, but they require the longest recovery time.
So it may take you maybe three to four to five days to get the cold site ready. An example will be a warehouse or an office space that's leased as a backup location in case of a disaster. The organization would need to transport and set up their equipment, establish connectivity and restore data from backup before running the operation. So they can either transport the equipment or they can rent the equipment or they can buy the equipment, but the equipment is not at the cold site. Okay. And if they have the equipment, it's installed, it's configured, they can back up the data, they can get up and running. That's the cold one. Again, it's the least expensive.
Warm site, it's like getting warmer. A warm site is partially equipped with some hardware and software and communication equipment, not everything, some. It has more advanced infrastructure than a cold site, but it's not fully operational. So in case of a disaster, the organization would need to install additional equipment maybe, and configure the system, restore the data. A warm site will have a shorter recovery compared to the cold site. So you can get up and running faster, but it's going to cost you a little bit more money. An example will be a data center with servers, storage and network equipment partially set up, but not fully operational. The organization would need to complete the setup, establish connectivity and restore data from backup before resuming operation. So a warmer site, it's going to cost a little bit more money, but rather than three to four days, it may take one or two days to get it ready.
Then we have the hot site. A hot site is a fully equipped and operational facility with all the necessary hardware, software and telecommunication equipment. It mirrors the organization's primary site. Simply put, it just looks the same in a sense that it has everything ready and it's constantly updated with real-time data.
So in the event of a disaster, operation can be quickly switched to the hot site with minimal downtime. Again, a case in point here is the New York Stock Exchange. After 9/11, they have a hot site and obviously they don't tell you where the hot site is, right? Because it could be also subject to a terrorist attack, and most likely they'll even have a hot site and maybe another hot site or another warm site. Who knows, just to make sure they are up and running. But these sites are the most expensive because you are duplicating all the equipment, you are duplicating all the effort, but they offer the shortest time of recovery. So you can be there the following day, within one day, or the system can be up and running almost instantly. An instant. A data center with identical hardware, software, network configuration as the primary site. This organization can switch operation to the hot site almost immediately after a disaster, ensuring minimal disruption to the business.
Once again, the hot site will cost the most, the least amount of time. You pay for what you get. On the other extreme, the cold site is less money, but more time, and the warm site is in between. More expensive than the cold, less expensive than the hot. It takes you less time to get up and going, less time than the cold. I'm sorry, it's going to take you less time than the cold, but more time than the hot. This is in a nutshell, steps in, this is in a nutshell, the alternative sites. Cold, warm and hot.
What should you do now? Studying for the CPA exam or any other certification, CMA or any other certification, go to Farhat Lectures, look at additional resources, multiple choice, true-false. That's going to help you understand this concept better and get you ready for your exam. Invest in yourself. Take your education seriously.