In today’s unpredictable world, having a robust disaster recovery plan (DRP) is crucial for compliance professionals and company directors. Severe Tropical Cyclone Alfred struck Southeast Queensland in February 2025, causing significant flooding, power outages, and business disruptions. It was a reminder that robust DRPs minimise downtime, while unexpected challenges can become costly without a plan.
This article highlights the importance of a DRP, common mistakes to avoid, best practices for DRP training, and technology’s role in DRPs.
Are You Prepared?
Is your DRP up to date? Ensure your internal and external communication lists are current and staff know about the communication plan. Your DRP should:
- Provide Management Structure: Clear structure to manage the disaster.
- Specify Critical Business Processes: Recovery requirements for critical processes.
- Detail Recovery Procedures: Ensure business operations can continue and minimise disaster impact.
- Ensure Accountability: Business continuity plan (BCP) leaders must accept accountability for recovering critical processes.
Compliance Obligations and Directors’ Duties
The Corporations Act 2001 includes several sections relevant to disaster recovery planning. Here are some key sections:
- Section 912A – General Obligations: This section outlines the obligations of financial services licensees, including the requirement to have adequate risk management systems in place. A robust DRP is a critical component of these risk management systems.
- Section 601FC – Duties of Responsible Entities: This section specifies the duties of responsible entities of managed investment schemes, including acting in members’ best interests and ensuring that the scheme’s property is handled according to the scheme’s constitution and compliance plan. A DRP helps fulfil these duties by ensuring the continuity and protection of the scheme’s assets.
- Section 180 – Care and Diligence—Directors and Officers: This section requires directors and officers to exercise their powers and discharge their duties with the care and diligence that a reasonable person would exercise. Implementing and maintaining a DRP is part of exercising such care and diligence.
- Section 189 – Reliance on Information or Advice Provided by Others: This section allows directors to rely on information or advice provided by others, such as experts or employees, if it is reasonable. Directors may rely on expert advice when developing and updating the DRP.
- Section 295A – Declaration concerning Financial Statements: This section requires the CEO and CFO to declare that the financial statements and notes comply with accounting standards and give an accurate and fair view of the company’s financial position and performance. A DRP ensures that financial records are protected and can be recovered during a disaster.
These sections highlight the importance of having a comprehensive DRP to meet legal obligations and ensure business continuity. For more detailed information, refer to the full text of the Corporations Act 2001.
Common Mistakes in DRPs
- Lack of regular updates.
- Inadequate testing.
- Poor communication plans.
- Insufficient training.
- Ignoring third-party risks.
Best Practices for DRP Training
- Regular Training Sessions: Conduct frequent training to keep staff updated.
- Role-Specific Training: Tailor training to specific roles and responsibilities.
- Simulated Drills: Perform regular disaster simulations to test readiness.
- Feedback Mechanism: Collect feedback to improve the DRP.
- Documentation: Keep detailed records of all training activities.
The Role of Technology in DRPs
- Automated Backups: Automated systems regularly back up critical data.
- Real-Time Monitoring: Implement real-time monitoring tools to quickly detect and respond to incidents.
- Communication Tools: Utilise communication platforms to ensure seamless coordination during a disaster.
- Cloud-Native Data Recovery: Utilise scalable, flexible cloud infrastructure for data replication and recovery.
- AI and Machine Learning: Implement AI/ML algorithms to proactively identify risks and automate recovery processes.
Checklist for DRP Review
- Risk assessment.
- Business impact analysis (BIA).
- Recovery strategies.
- Communication plan.
- Testing and training.
- Continuous improvement.
Now is the time to review your DRP, print out a hard copy in case you lose IT access, and decide how to keep yourself, staff, and advisers safe. If you don’t have a plan, it’s time to talk to us. By developing and maintaining a robust DRP, businesses can protect their operations, data, and reputation, ensuring they are well-prepared to handle any disaster.
Stay proactive, stay prepared, and ensure your DRP is up to date to safeguard your business against unforeseen events.