Have you considered a Disaster Recovery Audit? If not, you should. It is nothing to be afraid of!

There are 3 steps to this process:

  1. Identify all data and IT-related functions (like credit card processing, documents on your file server, member web portal, a CRM system, critical applications, etc.) you have in place.
  2. Classify the importance of the data and functions you’ve identified.
  3. Apply an appropriate backup and disaster recovery plan to match the value and importance of each asset.

Use the following rating system on the impact to your business if you suffered a significant outage or complete loss of the data and processes you’ve identified:

0% = Zero Impact

20% = Annoying but Recoverable

40% = Minor Damage with Loss

60% = Disaster with Considerable Loss

80% = Major Disaster with Significant Loss

100% = Total Loss

When assessing costs, be sure to factor in loss of tangible sales, client goodwill, costs for re-keying (typing) the data (or any other recovery costs) as well as legal costs associated with failure to deliver on contractual obligations, potential lawsuits, etc.


Data Or Business Function

If you lost access to this data/functionality for a week or more, what impact would it have on your business?If you lost this data/functionality permanently, what impact would it have on your business?Estimated Cost
(Include cost of recreating data, entering it, loss of business, etc.)
Accounting Information
Client Data (CRM)
Contracts And Legal Documents
Custom Software and Code
Web sites and content
Video and Audio recordings
<<Add Here>>
<<Add Here>>
Total Costs:   


Determine Your Risk Score

How often do you perform a full back up?How often are your backups tested and validated?
Every hour– 200Every day– 100
Every day– 100Weekly+ 50
Weekly+ 100Monthly+ 100
Monthly+ 200Never+ 200
Do you keep paper records (or scans) you could reference as a source for re-entering lost data?Is your data centralized onto on server or location or scattered across multiple devices and locations?
Yes– 100Consolidated– 100
No+ 100Scattered+ 100
Who has access to your computer network?
(Check all that apply)
How are your backups done?
Trusted, computer-savvy employees– 100Automatically, offsite– 100
Trusted IT support company– 50Manually by a skilled IT person+ 50
Unskilled workers/transitional staff+ 100Manually by an admin+ 100
Cleaning crew, maintenance+ 200Not sure+ 200
Where is your data stored?How long do you keep a copy of your data?
Don’t know– 200Forever– 100
On tape drives, USB devices– 100One year– 50
Onsite hard drive– 50Under a year+ 50
Offsite in the cloud+ 100We use the same tape/device daily+ 100
Do you live in an area or office building that has experienced any of these disasters OR that has a high potential for one of these disasters to occur?
(Check all that apply)
Do you or any of your employees have the ability to do the following? (Check all that apply)
Tornado, hurricane or severe storm+ 100Download files from the Internet+ 100
Earthquake+ 100Install non-company approved software+ 100
Terrorist attack+ 100Delete files from the server+ 100
Fire/problem with another tenant+ 100Access your server remotely+ 100
Flood+ 100Create/change their own password+ 100
Do you store sensitive data that must be protected by law? (Medical records, credit cards, social security numbers, financial data, etc.)Do you have a trusted, professional IT person or firm monitoring your network DAILY for security threats and failed backups?
No– 100No+ 200
Yes+ 200Yes– 200
Do you routinely download and backup all data stored on 3rd party cloud applications (web site files for example)?Do you have a “break the glass” document for what should happen if a senior executive dies or is disabled?
Yes– 200No+ 200
No+ 200Yes– 200
How old is your server and/or other workstations that contain critical data?Do you have the following in place (check all that apply):
Under a year old– 100Signed, acceptable use policy & training+ 50
1-3 years old+ 50Monitoring software for the network+ 100
3-4 years old+ 200Mobile device policy and monitoring+ 100
Over 4 years old+ 300Up-to-date anti-virus & threat monitoring+ 100
A firewall that is monitored & updated+ 100
Regarding disaster recovery and business continuity, check all that apply:
You DO have a written disaster recovery plan– 200You DON’T have a disaster recovery plan+ 200
You review & update your plan regularly– 100You DON’T update your plan+ 100
You conduct periodic tests of your plan– 100You DON’T test your plan ever+ 100
You DO have an inventory of assets for insurance– 100You DON’T have an inventory of assets+ 100