AVAILABILITY RISK QUESTIONNAIRE

Availability risk is the risk that the people, processes and technology that support critical business functions will
not be available for business operations. Audit committees can ask the following questions to assess availability
risks.
• Has the organization been experiencing significant and rapid restructuring?
• Is there high dependency upon information technology (IT) to support or drive business strategy and key
business processes?
• Have significant new web-enabled systems been implemented?
• Has the organization received complaints or other evidence regarding poor IT system performance, availability
and capacity issues (especially after implementation of major new systems or other business and technology
changes)?
• Is management considering the outsourcing of IT (or key IT functions) to third-party providers?
• Is the introduction of significant new information and other technologies having strategic business impact?
• Are the IT infrastructures highly complex, fragmented and immature?
• Is there significant turnover of IT personnel, causing open positions and gaps in key technical and
management positions?
• Is there high turnover in the chief information officer (CIO) or management information systems (MIS) director
position (e.g., change every 12-18 months)?
• Are there significant or rapid changes in the business, such as:
1) Expansions (geographic, products or services)
2) Contractions (spinoffs, discontinued businesses or products)
3) Consolidations (particularly relating to multiple IT operations)
4) Mergers and acquisitions
• What are the management concerns about IT cost containment and return on investment (ROI)?
• Has the organization experienced any significant system outages producing economic loss, reduced credibility
in the marketplace and impairment of key business functions, resulting in delays or abandonment of strategic
business initiatives?
• Has the firm mapped the strategic e-business plan against the IT plan to assess scalability needs?
• Are there practices or tools in place for monitoring availability and capacity of the system?
• Are there service-level agreements (SLA) present that concentrate on availability?
• What type of security/firewalls are currently in place?

1 Source: www.knowledgeleader.com