Your organization has spent a good deal of time and resources establishing a disaster recovery program. Undertaking an audit of your DR program can and should make your disaster preparedness even better, if you take the following steps.
1. Be Clear About Why The DR Audit Is Necessary
First, make sure you have a clear understanding of the motivation and the basis of the review. All stakeholders need to understand clearly whether the DR audit is taking place as a result of regulatory compliance, or whether it has been triggered by other factors, such as increased risk or the demands of new business relationships.
Knowing the motivation for the DR audit helps your organization decide which standards or guidelines it will adhere to. If the audit is triggered by organizational compliance and certification issues, then it should adhere to internationally recognized industry or trade standards. If the DR audit is motivated by internal requirements, then some custom-developed standards may be established.
2. Establish a Well-Defined Scope of Review
You need to firmly define the scope of the review in order to determine the amount of work to be done. If only one aspect of your DR plan changes or becomes questionable, then it isn’t necessary to audit the entire program. You need to clearly identify whether the whole program or only isolated elements, such as the capabilities of individual sites, systems, or technology components, need to be audited. External or outsourced services should not be overlooked, since you are still accountable for all your IT or cloud suppliers.
3. Use Appropriate Audit Techniques
Your organization needs to adopt the most appropriate techniques for the type of audit you will execute. The most thorough DR audits can be intrusive to the point of annoyance. You may be required to produce all documentation and answer some difficult questions.
4. Find the Right Auditor
It is of crucial importance to assign a competent DR auditor. The appropriate candidate should be truly independent from stakeholders and potential outcomes, and should not be eligible to obtain any follow-on work, so as not to be incentivized to find a specific solution – or problem! The DR auditor should be fully versed in IT infrastructure, systems, and technology integration. If the DR auditor isn’t able to pose intelligent questions to staff, the audit is less likely to receive appropriate, timely, and accurate answers.
5. Invest Just The Right Amount
Perhaps most importantly, your organization needs to be prepared to invest just the right amount of time and money in the audit. The ideal DR audit ought to be relatively inexpensive, fast, and effective. Ideally, an average mid-sized organization ($50M-$500M in revenue) should spend no more than three weeks on the process, but it may take up to six weeks in a worst-case scenario.
The DR audit process should take the full-time attention of at least one internal staff member during the audit period. The entire three-to-six week DR audit process – review, analysis and discussion, recommendations, report, and follow-up – should end up costing between $15,000 and $25,000.
If you consider the kind of losses your organization would face if your DR plans are not up to scratch, this is a very low price to pay for the assurance of your business continuity. A DR audit should not be seen as something to be feared. Done properly, it can be a painless process that adds considerable value to your organization.