P&N is now EisnerAmper

Effective May 21, 2023, P&N has joined EisnerAmper. Read the full announcement here.

Consulting Services • Published 6/07/2021 Internal Controls for Disaster Preparedness


It is difficult to predict the timing, velocity, and resulting impact of events like hurricanes, floods, a pandemic, and other disasters that affect the continuity of an organization’s operations. However, with the implementation of strong internal controls and disaster preparedness and recovery plans, the impact caused by these events can be minimized. Hurricane season is upon us, and it’s critical for organizations to plan ahead for brief and long-term disruptions to operations in order to support continued success.

At a high level, disaster preparedness and recovery internal controls for your organization should include:

  • Risk analysis and identification of those processes and resources which are critical to continue operations;
  • Development of business continuity/disaster recovery plans for those processes identified; and
  • Regular evaluation and testing of those plans.

Risk analysis and key process identification

The basis for disaster preparedness for an organization begins with planning. Scenario planning of what could go wrong and the resulting implications is key to creating a plan for continued operations and success of an organization. Obviously, the number of risks you identify may be astronomical, and you cannot manage them all. So, it’s necessary to identify those key processes and activities that drive your organization and prioritize those when considering risk and business continuity plans.

Identify those key processes and activities that drive your organization and prioritize those when considering risk and business continuity plans.

To have a robust risk analysis process, consideration should also be given to the ripple effect caused by a single event. For example, with the coronavirus pandemic causing non-essential businesses to close their offices, much of the workforce switched to a remote, work-from-home method. Organizations may have had a plan and made arrangements for remote connections for their workforce. But, with schools and day cares closed as well, regardless of having a remote connection, many employees with young children may not have had as much availability for crucial organization activities. This residual effect probably wasn’t originally evaluated and planned for.

While the priority is placed on key processes and resources, it’s important to keep in mind how those may work with or rely upon other processes for efficiency and continuity. 

Business continuity and disaster recovery plan development

Once the risk analysis has been completed and key processes and resources have been identified, detailed plans for how these processes will work must be documented. Consider everything from what software is needed to process critical data to how your team will communicate. When updating policies and procedures for business continuity plans, it’s important to retain sound internal controls. There may be situations that require modification to existing internal controls during these disruptions, but you should not eliminate them completely.  

One main consideration when developing a business continuity and disaster recovery plan is how quickly your essential processes and resources need to be available. Does your organization have a disaster recovery plan that allows restoration of your IT systems within an appropriate timeframe for your operations? Does your organization rely heavily on computer access or data processing programs? How will the organization resume operations following a disaster when many of its employees may still be working in a remote environment?

Evaluation and testing

Risks to organizations are constantly evolving along with the other internal and external factors that make up an organization’s environment. Updated technology, regulatory changes, and key employee turnover happen often. Frequent evaluation of the established plan should be performed and plans amended as necessary to align with the current environment. Performing periodic audits, or testing, of these plans to evaluate their effectiveness will help provide assurance that the plans reflect the current environment and that they are operating as intended.

The coronavirus pandemic inherently brought more attention to the importance of disaster preparedness and overall risk management. Even organizations with established risk management plans realized they may not have been robust enough. And while organizations with robust plans may still feel the impact of an unprecedented event such as a pandemic, it’s likely they are in a much better position to recover and will be better prepared for the next disaster when it happens.

Does your organization need assistance with any of the elements of disaster preparedness? P&N has a number of resources that can assist you in preparing your organization for the next disruption. Contact us to start a discussion.

Scroll to Top