Planning for recovery from a disaster in most organizations has evolved from data center recovery to the present recovery of the business itself. BC Planning should never be treated as a project whereby the business develops a BC Plan and moves to the next assignment. Rather, it is a program by which the Executive Management designs, develops, implements and maintains a strong BCM commitment at all levels in the organization.
It is acknowledged that organizations are not immune to Murphy's Law. However, even the best BC Plan is subject to an immediate mellowing process because disasters do not occur often. Therefore, in addition to designing a test plan to ensure the effectiveness of the BC Plan, it is also essential to develop an audit procedure to assess the BC Plan for its effectiveness. The audit process ensures that the BC Plan is adequate as well as current.
In order for any audit to be effective, the Auditor or team members should preferably be knowledgeable in auditing, business continuity, IT application systems and business entities.
At the initial stage, the Auditors' evaluation of the completeness and effectiveness of the BC Plan will need to rely on both their knowledge of business objectives and evidence created by the BCM Planning Methodology. Evidence of this broad-based involvement in developing the priorities and recovery strategies is likely to exist in various forms of documentation. These may include minutes of meetings, proposals, priority summaries, presentation materials, and memos. The specific type of documentation will depend on the operating style of the individual management team. Sufficient documentation must be available to validate that the consensus presented in the BC Plan represents appropriate input from the various elements of the organization.
Once the Auditors are satisfied that both the priorities and their corresponding strategies have been identified and documented, they must now be assured that they can be achieved. A review of the BC Plan documentation to answer the following questions will help to provide this assurance.
These questions will assess the completeness of the documentation and whether it is current. Since the focus is on the assessment of the organization’s ability to meet the resumption and restoration timing objectives, the review of the document should be considered as the starting point and not the end of the audit. A more detailed assessment of the readiness will be required.
The key word in auditing is Objective Evidence[1]. Hard evidence of the ability to recover can be impossible to observe without an actual recovery. A careful analysis of the BCM Planning Methodology that considers the Minimum Business Continuity Objectives (MBCO) of the organization, the people involved and the steps followed will be required. The starting point is the BC Plan documentation, from which the Auditor will work with the reasonable assurance that the process has been effective.
It is important that these additional questions be answered so as to provide a reasonable level of assurance to an organization.
Evidence of action is also required. BC Plans must be tested for a variety of reasons. The organization must determine the following:
Testing and exercising the various elements of the BC Plan allows staff members to practice and rehearse. This will ensure that during an actual recovery situation, the recovery team will not be breaking new ground while in a stressful situation. Evidence from recovery exercises and testing is invaluable for supporting an audit's analysis of the potential effectiveness of the BC Plan.
One of the most challenging tasks, or perhaps a missing step, in the audit of a BC Plan or a BCM program is to focus on the preparation of the staff who will accomplish the recovery. One must bear in mind that documentation of the BC Plan is but a by-product of the BCM Planning Methodology. Auditors cannot limit their focus to "the plan," meaning the BC Plan documentation, but must also review and evaluate the BC Plan development and enhancement process. The resulting knowledge and commitment that have been developed and maintained by the staff should be assessed by the Auditors.
In conclusion, the Auditor acts as the representative of the Board of Directors and senior corporate management in reviewing the process of BCM Planning Methodology throughout the organization. They must evaluate and assess the viability of the planning. They must provide their best professional answer to the question "Has this organization taken the appropriate planning steps to develop and maintain its ability to survive a disaster?" Through the performance of this review, the Auditor is expected to provide an independent and knowledgeable assessment of the planning process as well as guidance and support for the Executive Management of the organization in business continuity.
The content of this book is developed in conjunction with the two sets of courses that are offered by BCM Institute. These courses lead to the Business Continuity Certified Auditor (BCCA) and Business Continuity Certified Lead Auditor (BCCLA). The generic course curriculum is as shown in Appendix 13: Auditing BCM Course. The content will assist heads of Audit Teams to develop their internal BCM Audit courses.
A BCM Audit is seldom easy, as it is full of challenges. These are some of the reasons gleaned from past audit failures.
The audit of a BCM program depends on a factor known as maturity. To illustrate, when an organization has just embarked on its BCM journey, the initial requirement for testing would be acceptable if it has completed the notification call tree test and also the walkthrough test for all its critical business functions. However, if the organization has had its BC Plan tested and exercised for more than three years, this level of testing will no longer be deemed acceptable. A more complex set of tests would be required for acceptance.
Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.
Extracted from "Conclusion"