info@cmcconnect.com
Name of Organisation*
Date of Audit: *
Audit Conducted By (Name & Position)*
Email Address*
a) Risk Register: Do you have a central log where all known internal threats (e.g., IT failures, fraud) and external threats (e.g., cyberattacks, economic shocks) are captured and tracked over time, so that no risk is overlooked and owners are held accountable?*
b) Risk Scoring: Are risks evaluated by likelihood and impact, with early-warning indicators (e.g., alerts on anomalies in cyber system usage)?*
c) Business Impact Analysis: Have you identified the cost of disruptions to critical business functions, mapping them to recovery time requirements and quantifying potential loss, such as financial, reputational, or regulatory?*
a) Crisis Management Team (CMT): Is there a defined, cross-functional crisis team pre-equipped with clear roles (Leader, Media Liaison, IT Lead, Legal, etc.) and backups to activate a rapid, coordinated crisis response?*
b) Activation Criteria: Are mobilization triggers defined and tested to prevent delays like those in decentralized responses?*
c) Plan Review: Is the crisis plan reviewed annually, or after major changes, so that it stays relevant in a changing operational landscape and reliable when needed?*
a) Crisis Manual/Playbook: Do you have a guide detailing roles, protocols, and stakeholder steps that fully represent a structured roadmap during a crisis?*
b) Recovery Planning: Are backups, alternative worksites, and third-party or vendor failover options in place to ensure critical services can be restored quickly to limit operational and financial losses?*
a) Communication Protocol: Do you have stakeholder mapping, holding statements, and spokesperson roles to strategically maintain trust and avoid message confusion?*
b) Channel Readiness: Are internal/external communication methods tested and ready, ensuring timely, controlled messaging?*
c) Media Monitoring: Do you have real-time tools that track media and social sentiment to ensure swift rebuttals of false narratives before they escalate?*
a) Business Continuity (BC)/Disaster Recovery (DR) Plans: Are there documented continuity and crisis recovery plans with off-site backups that protect essential operations despite disruptions?*
b) Drills & Tests: Have Business Continuity (BC)/Disaster Recovery (DR) plans been tested within the past year to validate your response capacity, minimize errors, and boost confidence?*
a) Simulation Exercises: Are simulations on possible crisis scenarios held regularly to improve team coordination and mindset?*
b) After-Action Reviews (AAR): Do you conduct structured reviews after such simulations to capture lessons and drive continuous refinement?*
c) Version Control: Are crisis documentation, plans, scripts, and contact lists updated and tracked to ensure reliance on accurate, current guidance during crises and insight into historical changes?*
a) Crisis Dashboard: Is there a real-time dashboard that captures incident updates, media mentions, social trends, and public sentiment to support informed decision-making under pressure?*
b) Automated Alerts: Do you have trigger-based alerts for key incident indicators to enable quick detection and response?*