BCM Audit Series

List of Commonly Overlooked Areas

This section lists deficient areas that an Auditor commonly overlooks when examining a BC Plan or BCM Program. These areas include the BC Plan, the people, planning assumptions, telecommunications, and the application system.
Moh Heng Goh
BCMS Audit Certified Planner-Specialist-Expert

Deficient Areas in BC Plan

There are deficiencies in the BC Plan when it does not have:

  • Sufficient, serious support from Executive Management.
  • Adequate implementation of its Business Impact Analysis (BIA) or Risk Analysis and Review (RAR).
  • A clear statement of the key alternative strategies to be used.
  • A broad view of business continuity; a provincial view limits it to IT disaster recovery.
  • Key business users’ involvement in BC Planning.
  • Specific guidelines and standards for testing BC and IT disaster recovery plans.
  • Live participation of personnel supposedly responsible for BC Plan implementation in case of disaster.
  • Adequately defined responsibilities for development, implementation and upkeep of BC Plans.
  • Documentation that is up to date.
  • A copy of the BC Plan properly backed up in an off-site storage facility.
  • Sufficient formality and attention to detail.
  • Content that reflects the latest changes in its new business operations and IT applications.

The BCM Program is deficient when the organization:

  • Lacks testing, or has insufficient testing, of vital areas of the BC Plan.
  • Does not conduct periodic testing of its BC Plan.
  • Provides insufficient training to all concerned.
  • Does not automate its documentation to facilitate BC Plan upkeep.
  • Has inadequate maintenance of all BC procedures.
  • Has inadequate financial resources to implement the BC Plan according to the time frames established by the business impact analysis.
  • Is understaffed with BC personnel to do an effective and thorough job.
  • Does not have an ongoing effort to minimize exposures to disasters and operations systems vulnerabilities.
  • Cannot promptly notify designated user representatives if a disaster occurs.

People

These areas focus on the personnel aspect of the BC Plan. These are:

  • An insufficient number of personnel having the appropriate skills to implement BC operations.
  • Lack of critical business operations and systems documentation that should be stored off-site.
  • An insufficient number of qualified people available to perform the tasks during the recovery phase.
  • Personnel’s lack of knowledge of their roles during the recovery phase.
  • Lack of awareness of their responsibilities as they have not been adequately trained to perform the recovery tasks.
  • Lack of preparedness in the staff support areas to support the recovery operation.

Planning Assumptions

The BC Plan does not cover any event which simultaneously renders both:
  • The primary and its alternate data centre facilities inoperable.
  • The data centre inoperable and the essential off-site storage inaccessible.

The disaster scenario is one that renders the main business building or data centre inoperable when it impacts large geographic areas, public utilities, the transportation infrastructure or other facilities and/or services.

RTO and RPO

From the perspective of the Recovery Time Objective (RTO) and Recovery Point Objective[2] (RPO), these are some of the commonly overlooked areas:

  • Transactions lost between the point of the most recent backup and the disaster event cannot be re-constructed and re-entered into the computer systems within the RTO.
  • Critical application systems and business functions are not periodically evaluated and their minimum essential requirement cannot be provided for during a disaster.
  • A complete listing of the vital records and production files and their backup tapes are rotated off-site on a regular frequency.
  • Off-site storage locations are not intact and accessible.
  • Off-site information backup and rotation procedures are inadequate for implementing full recovery within the RTO time frames.
  • Daily transactions or incremental backups needed to reconstruct critical data are not transferred off-site with adequate frequency.

Telecommunications

These are some of the telecommunications-related areas.

  • Unable to readily access the public network.
  • Untimely access to replacement mobile phones.
  • Delay in re-routing critical telephone numbers to a new
  • Lack of access to other communications hardware (e.g. pagers, fax and email connections).

Alternate Facility

Some areas overlooked by organizations are when they do NOT have:

  • Alternate processing facilities available as and when required.
  • Access to a fully configured alternate processing site with sufficient capacity to support critical business functions with critical IT applications support.
  • BC Plan procedures developed for critical users to resume at the alternate processing facility.

Resource

Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.

Extracted from "Appendix 8: List of Commonly Overlooked Areas"

 
