IN THIS ISSUE
Whoever first said, "Life is a risky business!" must have been a CSA practitioner. Each day, CSA experts grapple with diverse risks involving personnel issues, inventory challenges, equipment shortages, and a host of other issues, to help their organizations deal with risks. But while many practitioners routinely use self-assessment techniques for reviewing day-to-day operations, the value of CSA is often overlooked for assessing some of the most important risks and controls of all.
Business continuity plans, also known as business resumption plans or disaster recovery plans, are designed to address critical but unexpected risks, from fires to floods to terrorist attacks. These plans can be essential to the survival of an organization during emergency conditions. Unfortunately, when disaster strikes, many organizations discover too late that their plans are ineffective. Business operations change constantly, but continuity plans are rarely implemented, and disaster recovery drills are too often postponed.
Coordinating a disaster recovery team and keeping the team members' skills current can be challenging. Team members have other responsibilities, and they often work in a variety of different functional areas or locations. It is essential that disaster recovery teams be well versed in risks and controls, and participants need to be skilled at assessing new risks in emergency situations.
CSA workshops can be invaluable for disaster recovery teams because they help participants develop a deeper understanding of risks and controls. Participation in workshops can also lead to a more cohesive, functional work team, which can also be critical in emergency situations.
Generally, advance preparation is important for successful CSA exercises, but our audit team found that the same techniques could be used when tight time frames are involved and critical corrective action is needed. This was the situation when we were asked to perform a review of the organization's Disaster Recovery Center.
The Disaster Recovery Center is a special office where key individuals from major areas of the business report in the event of a major disaster. Disaster recovery personnel normally do not work together at our organization and, in some cases, they may have never met before. Despite limited interaction, these employees must be ready to function effectively as a team during a crisis situation, ensuring that all key business systems remain operational and that customer service is satisfactory.
Our group was asked to perform the review to determine how well the center was prepared to handle a large disaster. Time was short because the company had scheduled a major recovery drill in two weeks' time, which would be attended by upper management and even representatives from the state's Department of Emergency Preparedness. Management and the internal audit team agreed that using a CSA approach would be the most efficient and effective way to review controls and implement corrective action quickly.
One-on-one interviews were held with the session participants and key managers before the actual CSA workshop to determine:
By obtaining this preliminary information in advance, it was much easier to add structure to the session and to determine that the session could be reasonably completed within a five-hour time frame. It also helped us ensure that significant risks identified by the participants, management, and audit would be addressed.
During the workshop, a laptop computer and overhead projector were used to record participants' statements online and in real time, using a standard template. Business objectives were discussed and agreed upon, as well as the results of the preliminary interviews and initial risk assessment.
Disaster recovery plans should always be flexible enough to handle any contingency. We found that flexibility was needed not just within the disaster recovery plan, but also during the self-assessment process. One of the key discoveries in preparing for the first workshop was that half of the people assigned to the Disaster Recovery Center had just been appointed within the previous month, had no idea of what their roles and responsibilities were, and did not even know where the center was located. Because we knew this before the workshop began, we were able to revise the schedule to include a tour of the facility just before the CSA session started.
The tour was an important addition to the agenda because it gave participants valuable firsthand knowledge about contingency operations. It also helped us address problem areas that otherwise might have gone unnoticed. During the tour, participants noted that the recovery plans for individual stations were outdated and contained inaccurate information. Because each station is created for a major function or department that needs to be kept up and running for the business to function properly, this was a major weakness. In addition, the portable radios intended for use in the event of telephone system failure did not work properly. The tour helped to identify these problems, which could then be addressed during the CSA workshop.
When participants returned to the workshop after the tour, there was tremendous enthusiasm, with open dialogue between the new people and old-timers who were more familiar with disaster recovery operations. The group worked together to identify weaknesses and to develop action plans to address problem areas. Roles and responsibilities were discussed and determined, and the more experienced workers put together a mentoring plan to help the newer team members. A plan was developed to ensure that all of the individual recovery plans were updated with the correct information and that the radio problem was corrected.
Everyone volunteered for personal responsibilities and agreed to dates for the completion of corrective actions. The team even scheduled their own follow-up "walkthrough" drill before the official one to make sure all of the corrective actions they had taken were effective and to gain experience working together as a team. Consequently, the company was better prepared to restore critical functions in the event of a real disaster.
The entire CSA process from beginning to end took only five days to complete. The participants left the workshop with a new document that listed the major items discussed, weaknesses noted, action plans developed, and responsibilities assigned for each action, with agreed-to implementation dates. This document was a road map they could use to fix problems immediately, and because the corrective action plans were developed by the participants, they were readily accepted by all. It was relatively easy to develop a summary from this document for audit reporting purposes.
The session participants, management, and the audit team all felt good about the outcome. Management asked why audit had not implemented the CSA approach years before, as they believed the results were much better than results from traditional disaster recovery audits they had experienced in the past. Management even requested audits of additional centers in the state using the same techniques. Audit received glowing customer survey comments about the review, and we had the satisfaction of knowing that we really had added value and helped improve the business.
Because CSA techniques can enhance participants' knowledge of risks and controls, participating in a workshop can be a valuable experience for any employee. But knowledge of risks and controls are especially important for disaster recovery/business continuity personnel. The exercise demonstrated the value of CSA techniques for reviewing contingency plans and for helping disaster recovery personnel work effectively as a group to address unforeseen problems.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org
All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.