Andrew Fernandes and Douglas Vreeland ask the questions you made need to consider when developing your disaster recovery and business continuity plans

The world after 11 September 2001 and Hurricane Katrina presents challenges to corporate leaders who create plans for disaster recovery and business continuity. Many lessons have been learned about offsite backup systems, system redundancies, and training. Auditors, regulators, and investors increasingly look at a company's ability to weather a crisis as a key benchmark of corporate health.

Here are five key points to consider when developing your disaster recovery and business continuity (DR/BC) plans.

1. Insist on contractual protections: remote suppliers, original design manufacturers, and key vendors should have the same level of DR/BC readiness that your company maintains internally.

If a key supplier loses a factory to fire, tsunami or civil unrest, can they continue to meet your needs – or are they a single point of failure? Incorporate stringent disaster recovery/business continuity language into your supplier contracts – or renegotiate existing agreements to include such language.

Key terms can include the vendor's timeline for recovery; the ability to recover 100% of your production volumes within a reasonable timeframe; and, most importantly, the ability for you to validate your vendor's capabilities and capacity to execute the plan. This is part of an established testing protocol.

2. Is blood thicker than water? So your organisation has contractual provisions in place with its suppliers. Your suppliers assure you that they have multiple sites, and that they can redirect production among their sites in the event of a disaster.

But, here is the catch: you are probably not a 'dedicated' client. Think of your organisation as one family member, whose family subscribes to a mobile phone 'family minutes plan'.

If the minutes in the family plan (your supplier's production capacity) are exhausted (even by your competitors), there are no more minutes, no matter what you do.

If you are forced to scramble during a crisis to ensure a steady supply chain, the charges you will pay for 'going over your minutes' in our analogy could be extreme.

One option is to consider negotiating most favoured nation provisions, or preference arrangements for your firm that will guarantee you a certain percentage of your supplier's capacity in the event of a crisis.

3. Remember Pareto's rule: identify the 20% of potential problems that will cause you 80% grief.

You already have a list of suppliers and key vendors that you rely on for your operational survival. While your first reaction may be to look at a spreadsheet from your finance department as the biggest driver in identifying the highest risk, it is not the only criteria for identifying key failure points.

Tier your suppliers based on a matrix of criteria including: amount of money allocated, whether the supplier is the only manufacturer of a product you depend on, and whether your company relies on one vendor to be its single source supplier of a product.

4. Just drill, baby: No, this is not a plug for increased oil exploration.

Rather, it is a reality check on your organisation's ability to respond right this second to a host of crises.

The possibilities are endless. A foreign government just nationalised a key production site. An earthquake has just disrupted your key supply route. Terrorism or pandemic results in loss of life.

Is your organisation prepared to respond quickly and decisively? If not, then start with the basics:

• Do you have a crisis management team of key business leaders organised and ready to call up at a moment's notice?
• Are key profit centres and support functions represented (manufacturing, supply chain, security, legal, human resources, communications, etc.)?
• Does each member of that team have other member's emergency contact information handy" is it on a PDA or on a card in their purse or wallet?
• Has this team drilled for readiness and tested lines of communication?

There is much more to do to ensure a strong response to a disaster, but if your key leaders are organised and can communicate according to a preset plan, the response to and recovery from a crisis will be much more manageable.

5. Assess your internal resources: regulatory requirements and business necessity have made some industries the models of disaster preparedness. The financial and insurance industries, in particular, are often viewed as models of DR/BC best practices.

But if your company is new to DR/BC, or lacks the size or resources to have an internal team of experts, consider looking to external consultants to help shape your program.

As a general rule, the less manufacturing you do and the fewer sites you have, the simpler your plan will be. Large multinational companies with manufacturing capacity and/or significant supply chain involvement will require much greater planning.

Andrew Fernandes is the global leader of Dell's business continuity and resiliency programme, based in Austin, and Douglas Vreeland is litigation counsel for Dell, and serves as the DC/BC leader for Dell's legal department. A version of this article first appeared in Legal Week's sister title Law Technology News in September 2009.