Proactively planning for disaster
Life happens; disasters happen. All organisations nowadays know about the importance of risk management but administrators, dealing as they do with large amounts of data and IT systems, need to pay particular attention to enterprise risk management, especially in an era of heightened cyber-security.
Linked to enterprise risk management are two underlying components - business continuity and disaster recovery.
In essence, business continuity is the ability of an organisation to maintain essential functions during, as well as after, a disaster.
Disaster recovery, which is a subset of business continuity, is a set of policies and procedures which focus on protecting an organisation from significant effects in the event of a negative event such as cyber-attacks, natural disasters, or building or device failures. Disaster recovery helps in designing systems that can restore hardware, applications and data quickly without significant business disruption.
If the disaster recovery plan feeds into the business continuity plan, this in turn feeds into the much wider function of enterprise risk management which as a business function needs to be acknowledged and empowered at the very highest levels of an organisation. This is key to achieving a balance between operational efficiency and a control framework that ensures that all stakeholders are safe.
The COSO provides a good framework for risk management, as well as King III and King IV. Here is a short checklist, in no particular order and certainly not exhaustive, which can assist in your approach to ensuring your organization has a cohesive disaster recovery plan:
Is your disaster recovery plan documented, and do all staff know their roles in the event of a disaster?
Is there a business champion, who is passionate about risk management and who has been strategically placed and empowered within your organisation to ensure that disaster recovery planning is kept ‘alive’?
Does your organisation conduct regular disaster scenario planning, testing and monitoring with feedback loops established to enhance system design and staff training?
Does your organisation have automatic failover for systems, and can it provide sufficient ‘seats’ for its people in the event of a disaster?
Are backups of systems conducted regularly with sufficient consideration of Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) considered?
We believe that every organisation, regardless of whether it is listed or not, should aspire to the highest levels of governance as encapsulated in King IV. Ultimately however, if the worst was to happen, how would your organisation survive?