KnowledgeLeader provides best practice articles, tools, guides and other resources on business continuity management (BCM) and disaster recovery. This page contains some examples of the many resources and tools on business continuity management and disaster recovery that are available for download. The tools are provided in downloadable versions, so they can be customized for use in your organization.
Business Continuity IT Process Questionnaire
Business continuity management consists of the processes used by organizations to address unplanned service interruptions. This IT questionnaire can help assess an organization’s business continuity planning strategy. It includes questions on tactical alignment, business processes, technology, results management, human capital, stability and reliability. It also focuses on the continuance, recovery, and eventual restoration of critical business functions to their original conditions prior to service interruptions.
Business Continuity Management Audit Work Program
This audit work program focuses on the appropriateness of enterprise-wide business continuity planning, oversight and support, business impact analysis, and risk management.
Business Continuity Management Audit Work Program: Sample 2
This audit work program assesses the effectiveness of an organization's business continuity management process.
Business Continuity Management Methodology
Business continuity management (BCM) is best addressed by using a proven methodology. The methodology should be based upon the risks related to an organization’s key business processes which, if interrupted, could bring about a seriously damaging or potentially fatal loss to the enterprise. This seven-phased BCM methodology adheres to industry best practices and can be tailored to companies of all sizes.
Business Continuity Management Policy
This sample outlines a set of policies and procedures for formalizing a business continuity program, and provides guidelines for developing, maintaining and exercising business continuity plans (BCPs). Such plans are designed to work regardless of where the crisis occurs, how long it lasts, or whether any specific person or group of people is available.
Business Continuity Management Program Assessment
This sample audit report assesses a second-generation business continuity management (BCM) program.
Business Continuity Management RCM
This document outlines risks and controls common to the "business continuity management" process in a risk control matrix (RCM) format.
Business Continuity Management Audit Report
This document outlines the critical business processes and incidents that could impact a business’s continuity.
Business Continuity Management Self-Assessment Questionnaire
This is a self-assessment tool to use prior to a review of the business continuity management process. It gives the auditee an opportunity to inform internal audit about the controls and processes they employ and generates ideas about other appropriate controls and processes.
Business Continuity Plan Exercise and Testing Policy
This policy outlines business continuity plan testing guidelines.
Business Continuity Planning: Guide
This presentation is a guide to various types of business continuity planning, including the objectives of and approaches to BCP. It discusses the variety of objectives that organizations may have for BCP and then links these objectives to different planning approaches that can be used.
Business Continuity Process Ownership Policy
This sample establishes policies and procedures for business continuity process ownership.
Business Continuity Program Charter
This charter establishes a business continuity steering committee and a business continuity plan project team (BCP project team). The steering committee is responsible for providing the direction and strategy for the business continuity program at a company. Overall sponsorship and approval will also be the responsibility of the steering committee. The BCP project team is responsible for developing business continuity and disaster recovery strategies to address critical business processes and supporting information technology systems in all company locations.
Business Continuity Software Research Report
This report assesses various business continuity software solution providers in the global market with the purpose of enhancing the organization’s business continuity management capabilities.
Business Continuity/Disaster Recovery Program Assessment Report
This audit report sample focuses on whether an appropriate enterprise-wide governance structure is in place to manage the ongoing development, enhancement and maintenance of a business continuity and disaster recovery program.
Business Impact Analysis Policy
This sample policy outlines procedures to identify a company’s most critical business processes and support functions and to develop realistic recovery time objectives for each process.
Control Self-Assessment Physical Security
Self-assessment is a recognized best practice that has been applied to risks and controls for many years. This self-assessment questionnaire provides a starting point for a physical security assessment.
Control Self-Assessment Questionnaire: Business Continuity
Self-assessment is a recognized best practice that has been applied to risks and controls for many years. This questionnaire can be used to assess an organization's business continuity management process.
Control Self-Assessment Questionnaire: Business Impact Analysis
Self-assessment is a recognized best practice that has been applied to risks and controls for many years. This questionnaire can be used to assess an organization's business impact analysis process.
Corporate Governance Compliance Questionnaire
The objective of this questionnaire is to assist the board and management in assessing the organization’s current corporate governance environment.
COSO ERM Diagnostic Questionnaire
This tool can be used to assess the effectiveness of a company’s ERM process, specifically senior management’s effectiveness in performing the key elements of the eight components of the COSO ERM Framework.
Crisis Management and Emergency Operations Policy
This policy focuses on the importance of the inclusion of a crisis management process within a business continuity and disaster recovery plan in order to (a) plan and provide for rapid and effective response to emergencies, including appropriate coordination with public safety and law enforcement officials and (b) plan and provide for business continuation as soon as possible.
Database Administration Audit Work Program
This audit work program provides steps for a database administration review.
Develop Public Relations Program Key Performance Indicators (KPIs)
This benchmarking tool outlines key performance indicators for developing a well-crafted public relations campaign that generates not just coverage and visibility, but fosters meaningful relationships with customers, clients, business partners, employees and public constituencies.
Disaster Recovery Plan Assessment Checklist for IT
This checklist serves as a guide for reviewing a disaster recovery plan. The focus of this review is on information technology continuity, recovery, and restoration.
Disaster Recovery Plan Review Audit Work Program
This audit work program reviews an organization’s disaster recovery plan, including the creation of the plan, evaluation of the risks covered, their impact on the business, and whether or not the plan provides for appropriate methods to recover from threats.
Disaster Recovery Risk Assessment Audit Work Program
This disaster recovery risk assessment audit program addresses environmental, man-made, business and IT threats. It focuses on defining the risk assessment scope, gathering base data, performing interviews, analyzing and validating results, creating reports, and presenting findings to management.
Disaster Recovery Team Policy: Facilities Assessment Team
This policy outlines procedures for the facilities assessment disaster recovery team to follow for rapidly recovering business operations in the event of a business interruption. When possible, the facilities assessment team will enter the facility to quantify damage to the building and all of the equipment. This team will complete a disaster site damage assessment form, describing the damage to the facilities and IT areas. This assessment will be retained as part of the permanent recovery file.
Disaster Recovery Team Policy: Information Technology Team
The information technology (IT) disaster recovery team is responsible for determining the technological impact in the event of a business interruption. The team is also responsible for ensuring the safety, health, morale and welfare of all personnel involved, and for limiting the loss potential associated with financial operations, the company reputation, and service provisions. This policy outlines procedures for the IT disaster recovery team to follow for rapidly recovering business operations.
Disaster Recovery Team Policy: Public Relations Team
The public relations disaster recovery team is responsible for preparing media statements and organizing all internal and external communications in the event of a business interruption. This includes determining the current status of the emergency along with identifying personnel assigned to the command center. The team is also responsible for ensuring the safety, health, morale and welfare of all personnel involved, and for limiting the loss potential associated with financial operations, the company reputation, and service provisions. This policy outlines procedures for the public relations disaster recovery team to follow for rapidly recovering business operations.
Disaster Recovery Team Policy: Recovery Operations Management Team – Continuing Operations
In this policy, the recovery operations management disaster recovery team focuses on the processing of insurance claims and providing damage assessments and required claims filing information in order to continue business operations. The team is also responsible for ensuring the safety, health, morale and welfare of all personnel involved and for limiting the loss potential associated with financial operations, the company reputation and service provisions. This policy outlines procedures for the recovery operations management disaster recovery team to follow for continuing business operations in the event of a business interruption.
Disaster Recovery Team Policy: Travel and Lodging Team
The travel and lodging disaster recovery team is responsible for contacting and arranging, as appropriate, any travel and/or busing arrangements for personnel in the event of a business interruption. The team is also responsible for ensuring the safety, health, morale and welfare of all personnel involved, and for limiting the loss potential associated with financial operations, the company reputation and service provisions. This policy outlines procedures for the travel and lodging disaster recovery team to follow for rapidly recovering business operations in the event of a business interruption.
Disaster Recovery Team Policy: Business Process Recovery
This policy outlines procedures for the business process disaster recovery team to follow for rapidly recovering business operations in the event of a business interruption.
E-Business: Availability – Questionnaire for Audit Committees
Availability risk is the risk that the people, processes and technology that support critical business functions will not be available for business operations. This questionnaire can be used to help assess availability risk in eBusiness.
Emergency Executive Committee Charter
This charter establishes an emergency executive committee (EEC) and outlines its objective, authority, reporting, and pre-event and post-event responsibilities.
Emergency Policies and Procedures Manual
This is a sample of emergency policies and procedures for a business office. It includes procedures for safety teams, fire prevention/drills, disabled assistance, earthquakes, power outages, workplace violence and bomb threats.
ERM Concepts, Process and Objectives – Guide
This presentation defines risk management (what it is, and what it is not). It also outlines a five-part risk management framework: Establish the Context, Identify Risks, Analyze Risks, Evaluate Risks, Treat Risks.
Firearms, Weapons and Explosives Policy
This policy outlines a set of procedures for firearms, weapons and explosives in order to maintain a safe working environment.
General IT Controls Questionnaire
This questionnaire assists with the collection of information regarding the control environment of all aspects of an IT department.
General IT Controls Review: Disaster Recovery Questionnaire
This questionnaire helps you assess disaster recovery preparation by comparing your plans to best practices.
Global Compliance Questionnaire
This questionnaire will act as the starting point for assessing the level of compliance in areas such as: corporate governance; quality systems; anti-fraud programs; business ethics; business continuity; and health, safety and environmental management.
Guide to Business Continuity Management FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to Business Continuity Management FAQ.
Guide to Business Continuity Management
Business Continuity Management (BCM) is a management process that provides protection or alternative modes of operation for those activities or business processes which might bring about a significant loss to the enterprise if they were interrupted. Many companies never fully consider potential threats to their business until the damage has been done, and during such times business can come to a standstill. These threats are evolving and present growing business continuity and disaster recovery challenges for businesses, particularly with regard to maintaining critical IT systems and processes. In this booklet, our intention is to help companies evaluate and manage these risks through a comprehensive set of recovery and operational plans.
Hotel Site Audit Training Material Guide
This guide illustrates how to conduct a hotel site audit. Key areas of focus include: corporate systems, property-level systems, in-room systems, transaction points, back office accounting system and the overall hotel management process.
Information Technology Infrastructure Questionnaire
This questionnaire can be used to gain a high level understanding of an organization's information technology infrastructure.
Integrating Risk With Managing Operations
Operational risk is the risk that one or more future events will impair the effectiveness or viability of the business model in creating value for customers and achieving expected financial results. These risks relate to the various activities along the value chain within which the organization’s business model operates. What would happen to the organization’s business model if any critical component of the value chain were taken away or altered in a significant way through either a process failure or an unexpected catastrophic event? In this issue of Board Perspectives: Risk Oversight, we discuss key considerations when evaluating operational risks.
Intersecting Risk Management and Crisis Management
Crisis management is an integral component of effective reputation management. A rapid and effective response to sudden, unexpected events can enhance reputation. As astute observers know, even the most respected organizations can be tested. We often think, “What happened to them can’t happen to us.” Well, it can. Because most organizations are unprepared for a crisis, it is a management imperative to build a rapid-response crisis management capability for sudden and unexpected high-impact, high-velocity and high-persistence events. This issue of Board Perspectives: Risk Oversight stresses the importance of being prepared early for a potential crisis, which can improve an organization’s ability to respond to a crisis, reduce damage to a company’s brand image and reputation, and minimize regulatory sanctions, penalties or fines.
Inventory Management – Internal Control Evaluation Questionnaire
This questionnaire evaluates internal controls for the inventory management processes focusing on analytical procedures.
ISO 27001 Information Security Assessment Report
This audit report focuses on a project baselining an organization’s information security practices, with the purpose of identifying opportunities to advance the information security function.
IT Application Security Questionnaire
The questionnaire is designed for the IT application security process. It addresses topics such as access control mechanisms within the application, how users are identified, application security, password length, password history, new user access, user access change, standard access termination, and non-standard access termination.
IT Change Management Policy: Sample 2
This policy defines standardized methods and processes for effective information technology (IT) change management at an organization in order to mitigate risk.
IT Data Management Policy: Sample 2
The purpose of this policy is to ensure that the critical data stored in applications and on servers is frequently backed up, stored and secured offsite. This process allows for prompt recovery of important and critical company data in the event of accidental or intentional corruption, loss or destruction of data. In the event of any computer and/or business operation disruptions, this policy ensures that critical information systems processing functions can continue or be resumed promptly, that information processed and provided by these applications is complete and accurate, and that network server files and non-application data can be restored.
IT General Controls Design Assessment – Work Program
This work program evaluates the design of the IT general control environment, including infrastructure, applications, policies and procedures.
IT Network Access Policy
This sample policy outlines guidelines for granting, modifying and disabling network user access to a company’s network and applications.
IT Risk Management in the Banking Sector
Key IT risks currently threatening the banking industry, including data theft, hacking, state-sponsored attacks, emerging technologies and phishing threats, are discussed in detail in this 19-page guide.
Key Habits of Effective Audit Departments: How Do You Measure Up?
In this article, Ann Butera, president of The Whole Person Project, Inc., outlines the key attributes that make an effective team of auditors—not just a collection of individuals.
Knowing What You Don’t Know
If the financial crisis has but a single lesson, it is this: what we don’t know can be more important than what we do know. This raises the ultimate rhetorical question, “Do we know what we don’t know?” The reality of today’s environment is that management and the board can never be certain that they know everything they need to know. Nonetheless, this issue of Board Perspectives: Risk Oversight suggests eight steps executives and directors can take to manage uncertainty.
Oil and Gas Industry BCM Research
This guide provides an overview of business continuity management elements in the oil and gas industry, including information on outages, maintenance activities, improvement activities, etc.
Physical Security Audit Work Program
This 45-page work program outlines physical security best practices for data centers and information processing/storage facilities.
Rigorous Business Impact Analysis Using Facilitated Methods
This presentation describes a particular methodology for conducting a Business Impact Analysis (BIA). The BIA is the careful study of individual business processes and support functions, as well as the system of business processes in its entirety, to better understand objectives regarding continuity of operations.
Risk, Controls, and Responsibilities for Disaster Recovery and Business Continuity Sample
This guide outlines the risks, control objectives, manual controls, IT controls, and responsibilities related to creating, maintaining and executing disaster recovery and business continuity plans within an organization.
System Backup Review Audit Work Program
The purpose of this audit program is to review an organization’s system backup procedures. This includes identifying all applications key to the organization, identifying the person responsible for the backup procedure, analyzing the actual procedures performed, and determining the appropriateness of handling related media. A key step in this work program is to identify all key applications in use at the company. In this list, include all SOX-related applications as well as any other applications deemed critical to company operations.
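The controls described in the IT Data Management Policy above (frequent backups, secured offsite copies, prompt and complete restoration) and the evidence the System Backup Review work program collects (a list of key applications, a responsible owner, the procedures actually performed) can be checked mechanically rather than by interview alone. The Python script below is an added example written for this page; it is not a KnowledgeLeader tool or part of any of the resources listed here. The backup inventory, application names, owners, recovery point objectives (RPOs) and archive contents are all constructed inline for illustration, and the SHA-256 manifest check stands in for whatever integrity evidence an organization's own backup software records.

```python
"""Review a backup inventory against freshness, ownership, offsite-copy and
integrity requirements. All data below is constructed sample data."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupRecord:
    application: str
    critical: bool          # key / SOX-related application in scope for the review
    owner: str              # person or team responsible for the backup procedure
    rpo: timedelta          # recovery point objective assumed from the BIA
    last_backup: datetime   # completion time of the most recent backup
    offsite_copy: bool      # a copy is stored and secured offsite
    archive: bytes          # the backup artefact (constructed bytes here)
    manifest_sha256: str    # hash recorded in the backup manifest at backup time


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used to compare an archive with its manifest entry."""
    return hashlib.sha256(data).hexdigest()


def review_record(rec: BackupRecord, now: datetime) -> list[str]:
    """Return audit findings for one record; an empty list means compliant."""
    findings: list[str] = []
    if not rec.owner:
        findings.append("no responsible owner assigned")
    age = now - rec.last_backup
    if age > rec.rpo:
        findings.append(f"last backup {age} ago exceeds RPO of {rec.rpo}")
    if rec.critical and not rec.offsite_copy:
        findings.append("critical application has no offsite copy")
    if sha256_hex(rec.archive) != rec.manifest_sha256:
        findings.append("archive hash does not match manifest (corruption or tampering)")
    return findings


def review_inventory(records: list[BackupRecord], now: datetime) -> dict[str, list[str]]:
    """Map each application to its findings so exceptions can be reported."""
    return {rec.application: review_record(rec, now) for rec in records}


# Constructed sample inventory. NOW is the assumed time of the review.
NOW = datetime(2024, 6, 3, 8, 0, tzinfo=timezone.utc)
_GL = b"general-ledger nightly dump (constructed sample data)"
_PR = b"payroll weekly dump (constructed sample data)"
_HR = b"hr-portal nightly dump (constructed sample data)"
_HR_TAMPERED = _HR.replace(b"nightly", b"NIGHTLY")   # one byte changed after backup
_WK = b"intranet-wiki export (constructed sample data)"

SAMPLE_INVENTORY = [
    BackupRecord("general_ledger", True, "dba-team", timedelta(days=1),
                 NOW - timedelta(hours=6), True, _GL, sha256_hex(_GL)),
    # no owner, stale, and no offsite copy: three findings expected
    BackupRecord("payroll", True, "", timedelta(days=1),
                 NOW - timedelta(days=4), False, _PR, sha256_hex(_PR)),
    # fresh and offsite, but the stored archive no longer matches the manifest
    BackupRecord("hr_portal", True, "app-ops", timedelta(days=1),
                 NOW - timedelta(hours=2), True, _HR_TAMPERED, sha256_hex(_HR)),
    # non-critical system with a relaxed RPO and no offsite requirement
    BackupRecord("intranet_wiki", False, "it-ops", timedelta(days=7),
                 NOW - timedelta(days=3), False, _WK, sha256_hex(_WK)),
]

if __name__ == "__main__":
    for app, findings in review_inventory(SAMPLE_INVENTORY, NOW).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{app}: {status}")
```

Running the script lists one line per application; only applications with findings need to be carried into the work papers as exceptions. The hash comparison is the part most often skipped in practice: a backup that completed on schedule but cannot be restored intact satisfies the frequency requirement and fails the recovery one.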
To Manage Disruption, Understand Strategic Assumptions
When it comes to managing the risk of disruption to the business model, what executive management and the board of directors don’t know can harm the organization. A recent study determined that strategic risks showed the largest year-over-year increase for 2014, compared to macroeconomic and operational risks. Risks are strategic when they could potentially affect the validity of an organization’s plans to pursue growth opportunities. In this issue of Board Perspectives: Risk Oversight, we discuss why management should identify and consider the key assumptions underlying the drivers that shape the organization’s strategy. Similarly, the board should review and constructively challenge those assumptions when evaluating the strategy.
2014 IT Priorities Survey
Protiviti’s 2014 IT Priorities Survey confirms that IT transformation has become the new normal for companies. More than 1,100 respondents indicate IT functions have scores of significant priorities and likely are being pulled in multiple directions to address countless critical challenges.
User Acceptance Testing Guide
This guide is designed to help evaluate user performance and acceptance of a product in a controlled setting, so that user experiences can be directly compared and quantified.
Work Papers Guidance - You are as Good as your Work Papers
Work papers are documents produced during an audit engagement. These papers are formally referred to as audit documentation or sometimes as the audit file. This resource serves as a guide to organizing manual audit work papers.