Report From GAM the Second - A True Disaster in the Making


I may have talked about this one before, but Virginia Gambale brought it up in today's general session and I figure it is worth talking about again. She is a huge advocate of auditing the disaster recovery plan or, at the very least, having some sort of assurance that the plan is effective. From the back of the room I shout Hallelujah and Amen!

Lately I have been asking the following question as a part of some presentations: "Within the last couple of years have you either conducted an audit over disaster recovery or been involved in disaster recovery drills?" In this extremely unscientific poll (unless your definition of scientific is based on Einstein's precept that everything is relative – however, even my relatives would know these are unscientific results) the number of hands raised is horrifyingly low. How low? Again, just a ballpark figure, but I'd say it is less than 5%.

Apparently I am living in the past. (Not anything that would surprise most people who know me. Heck, I even remember the Jethro Tull album "Living in the Past".) But I remember a time when one of the most basic audits that was conducted was related to disaster recovery. And I remember when internal audit was an instrumental part of the team that helped ensure disaster recovery was under control.

Now, don't get me wrong. I am about as far from believing that audits should be conducted just because they were conducted in the past as anyone can be. But I have also found that many audits we have thrown in the wastebasket of history because we did them so many times in the past may well represent a risk worth looking at one more time.

Disaster recovery is one of those.

Or, if you want to update it, call it business recovery. 

And, you know what? While we're here let's update it even more. "Disaster" may be too limiting; it focuses on the physical. But the bigger risk is reputation risk. And having a crisis management plan (that includes disaster recovery) is probably the best approach. What do you do about the rogue tweet, the rogue finance person, the rogue product? What do you do if the automobiles you built explode when rear-ended? What do you do when you discover someone has poisoned your pain reliever? What do you do when your organization's name is dragged through the mud, through the newspapers, through the twitterverse, through the halls of government, through the minefields of public perception?

That is a disaster that most disaster recovery plans don't consider. So, I guess I'm saying I've changed my mind. Don't bother with an audit of disaster recovery. Instead, look at crisis management and help ensure your organization is ready for a "disaster" that may destroy more than the buildings, the "disaster" that will destroy its good name.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.


