Risk Control
Module 7, Section 3

The risk control matrix (RCM) can be used by IS auditors to identify the relevant risks, the controls implemented and the steps needed to audit specific areas. This is a sample risk control matrix which can be adapted as required. The list of risks covers the key areas which are generally applicable to organisations; the corresponding controls mitigate those risks. The matrix has three columns: Risk, Control and Audit Guidelines/Procedure. Cell text that was cut off in the source is marked [...].

Row 1

Risk: Non-existence of a Disaster Recovery/Business Resumption Plan, or improper planning methodologies used to create the DR/BCP, could lead to a failure to resume critical business functions.

Control: The organisation should take steps to formulate a Business Continuity Policy. The policy should contain details of the methodologies used in formulating the DRP/BCP. Periodic [...] revising/formulating a BCP/DRP.

Audit Guidelines/Procedure:
- Identification and prioritisation of the activities which are essential to continue functioning.
- The plan is based upon a business impact analysis that considers the impact of the loss of essential functions.
- Operations managers and key employees participated in the development of the plan.
- The plan identifies the resources that will likely be needed for recovery and the location of their availability.
- The plan is simple and easily understood, so that it will be effective when it is needed.
- The plan is realistic in its assumptions.
- Gather background information to provide criteria and guidance in the preparation and evaluation of disaster recovery/business resumption plans.
- Gain an understanding of the methodology used to develop the existing business impact analysis.
- Determine if recommendations made by the external firm that produced the business impact analysis have been implemented or otherwise addressed.
- Determine if the plan is dated each time it is revised, so that the most current version will be used if needed.
- Determine if the plan has been updated within the past 12 months.
- Interview functional area managers or key employees to determine their understanding of the disaster recovery/business resumption plan. Do they have a clear understanding of their role in working towards the resumption of normal operations?
- Determine all the locations where the disaster recovery/business resumption plan is stored. Are there a variety of locations to ensure that the [...]

Row 2

Risk: Insufficient backup processes could lead to data not being backed up correctly, so that restoration of the data would not be possible. Backups that omit data pertaining to the software environment would lead to data being restored but not being renderable, because the software needed to read it is missing.

Control: [...] notification from the backup utility.

Audit Guidelines/Procedure:
- Determine if information backup procedures are sufficient to allow for recovery of critical data.
- Determine if copies of the plan are safeguarded by offsite storage.
- Review information backup procedures in general. The availability of backup data could be critical in minimizing the time needed for recovery.

Row 3

Risk: Lack of the resources essential to execute the DRP/BCP will lead to a failed execution.

Control: Employees should be given first preference while planning the DRP/BCP. Loss of material can be tolerated, but loss of life must be avoided.

Audit Guidelines/Procedure: [...]

Row 4

Risk: Buildings, electricity, telecommunications, storage facilities, water and other infrastructure, if not well provisioned, will be a hindrance during the recovery stages.

Control: As far as is feasible for the organisation, adequate measures such as a fully equipped alternative site should be made available. Rent agreements/leases for the alternative facility should be maintained. Adequate transport and telecommunication facilities should be available.

Audit Guidelines/Procedure: [...]

Row 5

Risk: An inadequate IT environment at the alternative site could lead to late resumption of the business.

Control: [...]

Audit Guidelines/Procedure: [...]

Row 6

Risk: Lack of preservation of key business contacts and creation of special reserves could result in an ineffective BCP/DRP execution.

Control: [...]

Audit Guidelines/Procedure: [...]
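The backup row of the matrix asks the auditor to determine whether backup procedures are sufficient to allow recovery of critical data, and warns that a backup which omits the software environment restores data that cannot be rendered. The following is an added example, not part of the original matrix and not the output of any backup utility, that turns those two checks into a script an auditor or operator can run against a backup set: it verifies each file against the digests recorded in a manifest, confirms the manifest records the software environment the data depends on, and flags a backup older than the allowed window. The file names, the manifest layout, the required environment keys and the one-day maximum age are assumptions, and the backup set itself is constructed inline.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample backup set: file contents as byte strings, plus the manifest
# a backup job might write alongside them. File names, manifest fields and the
# environment keys are assumptions for this example, not a real tool's format.
BACKUP_FILES = {
    "ledger.db": b"id,amount\n1,100.00\n2,250.50\n",
    "app.config": b"[ledger]\ncurrency=EUR\n",
}

# Without these, restored data exists but cannot be rendered (the second failure
# mode described in the backup row of the matrix). Assumed list.
REQUIRED_ENVIRONMENT_KEYS = ("application", "database", "os")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files, created, environment):
    """Build a manifest the way a backup job would: digest and size per file,
    the creation timestamp, and the software environment the data depends on."""
    return {
        "created": created,
        "files": {name: {"sha256": sha256_hex(data), "size": len(data)}
                  for name, data in files.items()},
        "environment": environment,
    }


MANIFEST = build_manifest(
    BACKUP_FILES,
    created="2024-03-01T02:00:00+00:00",
    environment={"application": "ledger-app 4.2.1",
                 "database": "PostgreSQL 15.4",
                 "os": "Ubuntu 22.04"},
)

# Assumed audit times: one shortly after the backup, one three days later.
AUDIT_TIME = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
STALE_AUDIT_TIME = AUDIT_TIME + timedelta(days=3)


def check_backup_set(manifest, files, now, max_age=timedelta(days=1)):
    """Return a list of audit findings; an empty list means the set passed."""
    findings = []
    listed = manifest.get("files", {})
    # 1. Integrity and completeness: every listed file present and unmodified,
    #    and nothing present that the manifest does not account for.
    for name, meta in listed.items():
        if name not in files:
            findings.append(f"missing from backup set: {name}")
        elif sha256_hex(files[name]) != meta["sha256"]:
            findings.append(f"checksum mismatch: {name}")
        elif len(files[name]) != meta["size"]:
            findings.append(f"size mismatch: {name}")
    for name in files:
        if name not in listed:
            findings.append(f"not recorded in manifest: {name}")
    # 2. Software environment recorded, so the data can be rendered after restore.
    environment = manifest.get("environment") or {}
    for key in REQUIRED_ENVIRONMENT_KEYS:
        if not environment.get(key):
            findings.append(f"software environment not recorded: {key}")
    # 3. Recency: a backup older than the allowed window cannot meet the
    #    recovery objective it is supposed to support.
    created = datetime.fromisoformat(manifest["created"])
    if now - created > max_age:
        findings.append(f"backup too old: created {manifest['created']}")
    return findings


if __name__ == "__main__":
    print("intact set:", check_backup_set(MANIFEST, BACKUP_FILES, AUDIT_TIME))
    # A corrupted or truncated copy of the database file.
    corrupted = dict(BACKUP_FILES, **{"ledger.db": b"id,amount\n1,100.00\n"})
    print("corrupted:", check_backup_set(MANIFEST, corrupted, AUDIT_TIME))
    # A manifest that records no software environment.
    bare = dict(MANIFEST, environment={})
    print("no environment:", check_backup_set(bare, BACKUP_FILES, AUDIT_TIME))
    # The same set examined three days later.
    print("stale:", check_backup_set(MANIFEST, BACKUP_FILES, STALE_AUDIT_TIME))
```

The digest check only proves the copy matches what the backup job recorded; it does not prove the data is usable, which is why the environment check and a periodic restore test remain separate audit steps. In practice the manifest would be signed or stored apart from the backup media so that an attacker who can alter the backup cannot also rewrite the digests.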