Auditing Business Continuity Management

BCM Questionnaires 1: BC Roles and Responsibilities

Written by Moh Heng Goh | Jul 7, 2021 8:48:44 AM

The Board, Executive Management, and Audit Committee

 

Roles and Responsibilities

  • Will the governance framework support BCM?
  • Will the BCM approach to risk arrangement support the strategic goals of the organization?

Review Questions

  • Is the scope of the BCM Planning Methodology appropriate, given the organization’s circumstances and risk management strategy?
  • Are the BC planning activities properly coordinated, taking into consideration other risk management initiatives?
  • Are synergies between other risk management initiatives and BCM fully used?
  • Are the internal and external BCM Audit recommendations properly followed up?
  • Are the Recovery Time Objectives (RTOs), determined as part of the Business Impact Analysis (BIA), aligned with the Audit Committee’s understanding of the business?
  • Are the recommended recovery strategies appropriate given other business initiatives?
  • Are BC and, more specifically, BC testing and program management properly addressed as part of the review of the internal audit strategic and annual work plans?
  • Are BCM initiatives properly communicated to all levels of management and across the organization?

Chief Executive Officer

Roles and Responsibilities

  • Brief the Board on the business interruption events, expected impact and recovery timeframe
  • Provide a focal point for the organization to ensure that the public and the media receive correct, non-contradictory information
  • Ensure staff and stakeholders are made aware of the problems
  • Ensure the Organization BCM Coordinator and recovery teams have the resources and support necessary to do their job

Review Questions

  • Have the Executive Management and staff adopted a BCM attitude that ensures that a positive control environment is maintained?
  • Does the organization regularly communicate the organization’s BCM goals and objectives to staff members?
  • Does the Executive Management take a balanced approach to risk-taking, carefully analyzing and assessing risks and potential benefits before authorizing new ventures or significant changes?
  • Does the BCM program complement the organization’s corporate governance and risk management framework?
  • Is the organization responsible for providing a unique service to the public or the government?
  • What would the implications be if the unique service was unavailable for an extended period?
  • Are BIA practices and procedures in place to ensure timely decision-making during a disaster and do they instil accountability in staff members?
  • Does a BIA exist that identifies the RTO of the critical business functions?
  • Is there a person in the organization who has been identified as being responsible for BCM?
  • Has the organization’s BCM program been subjected to any independent review by either an internal or external audit?
  • Is the BC Plan linked to emergency management plans for the organization?
  • Is there a process in place for periodic BCM reviews?
  • If the organization has a BCM program, does it reflect the current and future needs of the organization?
  • Have the current and future needs been formally evaluated as part of the organization’s overall corporate governance arrangement?
  • Has the organization undergone any considerable organizational change, or changes in its organizational focus and direction, or changes to its business resources (personnel, facilities, information technology and communications)?
  • When was the BC Plan tested?
  • What were the results of the test and was it reviewed by the Executive Management?
  • Were recommendations for change or involvement taken up and tested?

Organization BCM Coordinator

Qualification of Organization BCM Coordinator

When reviewing the BC initiative as a project, it is essential to review the appointment of the Organization BCM Coordinator, sometimes referred to as the Organization BCM Coordinator. The Auditor is required to seek clarifications on the following:

  • What experience does the Organization BCM Coordinator have?
  • Is the Organization BCM Coordinator considered to be a professional (full-time) or is this a part-time function?
  • Was the appointed Organization BCM Coordinator offered the job because the organization does not have another job for this person?
  • Was the appointed Organization BCM Coordinator offered the job because there is a need for someone to be seen doing the job?
  • Is the Organization BCM Coordinator professionally certified?
  • Did the Organization BCM Coordinator attend any formal BC training?
  • Has the Organization BCM Coordinator ever developed and written a BC plan before?
  • Has the Organization BCM Coordinator ever actively participated in any exercise before, whereby critical business functions needed to be restored?

Responsibility of Organization BCM Coordinator

  • Is the Organization BCM Coordinator a senior manager who has full knowledge of all the business functions in this business unit?
  • Is there a BC plan for the Organization BCM Coordinator and is it current?
  • What is the date of the last review?
  • Has the Organization BCM Coordinator signed off on this specific plan?
  • Has the Organization BCM Coordinator’s BC plan been ratified by the Executive Management Committee?
  • Does the Organization BCM Coordinator’s BC plan contain a copy of the authorization from the Crisis Management Team (CMT) approving his/her management of the recovery of the business units?
  • Does the Organization BCM Coordinator’s BC plan call for him/her to ensure all tasks delegated are completed?
  • Does the Organization BCM Coordinator’s BC plan require him/her to keep the CMT informed of developments?
  • Does the Organization BCM Coordinator review the testing exercises in all plans at least every six months?
  • Have all exceptions noted been monitored by the Organization BCM Coordinator?
  • Does the Organization BCM Coordinator ensure amendments are incorporated into the BC Plan?
  • Has the Organization BCM Coordinator identified all the items required for the Command Centre and arranged for them to be stored in a readily accessible place?
  • Is the Organization BCM Coordinator fully conversant with his/her role without referring to the Organization BCM Coordinator’s BC plan?

BC Organization Structure

Roles and Responsibilities

  • Is a member of the Executive Management team responsible for BCM? If not, who is?
  • What is the BCM reporting structure?
  • How does the organization ensure that BC team members understand their objectives and the reporting structure?
  • Is each Head of Business Unit (BU) BCM Coordinator aware of the BC reporting structure and plan?
  • Is there a BCM awareness program that has been developed for the Executive Management, team members and new employees?
  • Have alternates been appointed to replace BC planning team members, should they be incapacitated or otherwise unavailable during a disaster?

Budget

  • Is there a budget dedicated to BCM?
  • Who is responsible for the budget, and who holds it?
  • What is the current budget for BCM, how has it changed in recent years, and why has it changed?

 

Resource

Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.

Extracted from "BCM Questionnaires 1: BC Roles and Responsibilities"

 
