Preparing for a Business Continuity & IT Disaster Recovery Audit

Business continuity and IT Disaster Recovery planning ensures that a business is able to accurately respond to a potential disaster that could damage business operations and IT systems. When a business goes down from a disaster, depending on the size of the business, the damages could impact more than the business alone. For instance, if Google were to not have proper business continuity and IT disaster recovery plans outlined, imagine the impact this would have. If Google incurred a massive breach that it had not planned a response for, a major outage could cause customer damages for those whose businesses rely on Google and for people needing to access their email, etc. It could also have as big of an impact as interrupting the United States stock exchange system if stocks were to lower dramatically. 

Considering that these processes are highly important for the long-term success of any business and can have a wide range of impacts, they are audited to ensure that the outlined recovery processes are legitimate and feasible. An audit consists of a third-party analyzing all business continuity and disaster recovery plans and procedures. In some industries like financial services, there are a specific set of legal and regulatory compliance requirements that businesses must meet for business continuity. These could include regulations mandated by the Federal Financial Institution’s Examination Council (FFIEC), the Federal Deposit Insurance Corporation (FDIC), and/or various other regulators. 

To ensure that your plan is in its best condition before an audit, here are a few tips: 

Be sure to document complete and realistic processes. The audit will be checking to make sure that the processes and procedures all make sense and are logically able to be completed as documented. Keeping the business continuity and disaster recovery plans up-to-date and implementing continuous testing will help ensure that the documents are truly actionable. The plan should include a complete overview organizational and performance details including staffing, incident management and communications, metrics, coordination with internal and external resources, technology and business recovery, and program structure. 

Ensure that you have the right people in the right positions. Most importantly, the disaster recovery officer should have verifiable experience, skills, and training that enables them to effectively analyze the team’s ability to complete assigned tasks.

Ensure that you have a back-up process in place for staff as well. Just as the systems should have a backup in place, your stakeholders should as well. Multiple people should be trained and capable of doing each required action in the continuity and recovery processes. If a disaster were to occur and there is only one person that knows how to do each process, the process will no longer be actionable (or at best would be less successful) should a disaster occur when important stakeholders are unavailable. By having more than one person who is able to complete a recovery process, the business can be better prepared to respond within the outlined recovery point objective (RPO) and recovery time objective (RTO). Additionally, each member should know their role well. Capitalize on each members strengths, such as their problem solving abilities, resourcefulness, or knowledge of the business. 

Implement record-keeping schedules and processes. By detailing specific processes and timeframes for updating records, the business will be able to ensure that contracts, vendor and asset lists, billing, and other records and data are preserved and kept up-to-date. This also includes ensuring that all records meet any necessary minimum requirements, including insurance coverage. 

Verify compliance with any industry- or location-specific regulations. Because there are a range of regulations and laws that the business’s continuity plan may need to follow, it is important to know beforehand which are mandatory for the business and should complied with. Failure to implement these requirements could even result in a fine. 

Create a business impact analysis (BIA). As a part of your business continuity plan and disaster recovery processes, you should research and document all potential impacts that various disasters could have on the business as well as recovery solutions. 

For an audit, preparation is key. By ensuring that the business maintains accurate, complete, up-to-date, and consistent business continuity and disaster recovery processes, everyone will be more prepared for a smooth and successful audit.