The Facts and Only the Facts




Using questionnaires is one of the most effective and efficient means of collecting information from a wide variety of persons. The ideal situation is one in which the interviewer conducts the interview in person and can answer any clarifying questions the interviewee raises. Working from an organizational chart, a workflow chart, and the knowledge of the risk team members is the best way to determine the appropriate persons to be interviewed.

In the case of critical employees, team members will want to conduct those interviews personally. Personal interviews should be brief and to the point, lasting no more than 30 minutes. Interviewers should take quick notes and complete their documentation after the interview is over. Interviews should logically begin with a brief review of the control standard outlining the official policy. Validating that the interview subject is in compliance with those policies can be attempted here, but compliance should really be left to the auditors, as checking it may adversely affect the interview's results. Notes taken during the interview are merely reminders of the content of the interview and are not intended to be a verbatim transcript. Keep a copy of the notes, along with all the completed questionnaires, as part of the team's work papers. These documents may be important if the enterprise is targeted for an audit or legal action. Having relevant documentation is the mark of professional due diligence and can prove that a required task was completed.

There are automated questionnaires and programs that facilitate the risk analysis process. They are commercially available and can be used in place of the customized questionnaires (see Exhibit 4 for a sample).

Exhibit 4: Sample Questionnaire


Background

  • Date

  • Name and title of person completing questionnaire

  • Contact information

  • Brief description of business function of unit focusing on time-critical processes linked to functions and interrelationships

Operational Impact

  • Estimation of impact resulting from business interruption. This category may be divided into sections of time, i.e., 24 hours, 2 days, 5 days, 1 week, etc. (loss of customer service capabilities, loss of internal customer/management services, etc.)

  • Loss of confidence (affecting customers, partners, shareholders, regulatory agencies, employees, general public)

Financial Impact

  • Estimations of revenues lost due to business interruption. This section should also be divided into sections of time, i.e., 24 hours, 2 days, 5 days, 1 week, etc. These estimates should include revenue losses, lost trade, interest paid on borrowed funds, penalties for late payments to vendors, contractual fines or penalties, canceled orders due to late delivery, etc.

  • Expenses attributable to extraordinary circumstances. These estimates should include temporary employees, emergency purchases, rental or lease equipment, wages to idle staff, temporary relocation of office and employees, etc.

Critical Assets

  • List those personnel assets required to maintain profitability for 24 hours, 2 days, 5 days, 1 week, etc. These assets should be listed by position and should include a brief summary of job responsibilities

  • List those data assets required to maintain profitability for 24 hours, 2 days, 5 days, 1 week, etc.

  • List those physical facilities required to maintain profitability for 24 hours, 2 days, 5 days, 1 week, etc. These assets should include HVAC, equipment, supplies, workstations, software, etc.

Threat Identification

  • List those items and their frequency that pose a personnel threat to your business operation such as strike, illness, bombing, criminal action, civil action, extortion, embezzlement, pornography, etc.

  • List those items and their frequency that pose a threat to your data such as unauthorized intrusion, data destruction, virus, denial-of-service, theft of intellectual property, data corruption, etc.

  • List those items and their frequency that pose a physical or natural threat to your business operation, including physical threats such as flooding, fire, earthquake, loss of electrical power, vandalism, terrorism, etc.

Vulnerabilities (Weaknesses)

  • In order of priority, list those specific vulnerabilities that could affect your business unit. These items may be listed as physical security, IT security, training, weak financial controls, weak separation of duties, etc.

  • In a brief narrative, what has been your experience with those vulnerabilities?

Safeguards

  • List safeguards that are already in place that will protect critical assets

  • List the initial and continuing costs of those safeguards

  • In a brief narrative, what safeguards should be implemented to protect critical assets?

Other

  • Are there any other persons you would suggest asking these or similar questions?


A well-written questionnaire will generally provide the structure the team needs to document the required information. First, it is important that the questionnaire is the same for all recipients, as this greatly helps in evaluating and comparing the responses. Team members should formulate their questions based on the organization's documentation and their own knowledge and experience. Questions should address those items that progress toward identifying critical assets, threats and their frequency, vulnerabilities, and safeguards. Be sure to track the completed questionnaire responses, as that will ensure the various business divisions and units are adequately represented in the survey.






Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144