Auditing Business Continuity Management

Conclusion

Written by Moh Heng Goh | Jul 7, 2021 8:48:30 AM

Introduction

Planning for recovery from a disaster in most organizations has evolved from data center recovery to the present recovery of the business itself. BC Planning should never be treated as a project whereby the business develops a BC Plan and moves on to the next assignment. Rather, it is a program by which the Executive Management designs, develops, implements and maintains a strong BCM commitment at all levels in the organization.

Why Audit?

It is acknowledged that organizations are not immune to Murphy's Law. However, even the best BC Plan is subject to an immediate mellowing process because disasters do not occur often. Therefore, in addition to designing a test plan to ensure the effectiveness of the BC Plan, it is also essential to develop an audit procedure to assess the BC Plan for its effectiveness. The audit process ensures that the BC Plan is both adequate and current.

Professional Competency of Auditors

In order for any audit to be effective, the Auditor or team members should preferably be knowledgeable in auditing, business continuity, IT application systems and business entities.

At the initial stage, the Auditors' evaluation of the completeness and effectiveness of the BC Plan will need to rely on both their knowledge of business objectives and the evidence created by the BCM Planning Methodology. Evidence of this broad-based involvement in developing the priorities and recovery strategies is likely to exist in various forms of documentation. These may include minutes of meetings, proposals, priority summaries, presentation materials, and memos. The specific type of documentation will depend on the operating style of the individual management team. Sufficient documentation must be available to validate that the consensus presented in the BC Plan represents appropriate input from the various elements of the organization.

Once the Auditors are satisfied that both the priorities and their corresponding strategies have been identified and documented, they must now be assured that they can be achieved. A review of the BC Plan documentation to answer the following questions will help to provide this assurance.

  • Have specific responsibilities of the Executive Management, recovery managers and team members been documented?
  • Have specific recovery tasks been defined?
  • Are recovery procedures in place to support the execution of these tasks?
  • Have recovery resources been defined?
  • Are the resources that are not currently in place documented?

These questions assess the completeness of the documentation and whether it is current. Since the focus is on assessing the organization's ability to meet its resumption and restoration timing objectives, the review of the documentation should be considered the starting point and not the end of the audit. A more detailed assessment of readiness will be required.

Objective Evidence

The key word in auditing is Objective Evidence[1]. Hard evidence of the ability to recover is difficult, and often impossible, to observe without an actual recovery. A careful analysis of the BCM Planning Methodology that considers the Minimum Business Continuity Objectives (MBCO) of the organization, the people involved and the steps followed will be required. The starting point is the BC Plan documentation, from which the Auditor will work to obtain reasonable assurance that the process has been effective.

It is important that these additional questions be answered so as to provide a reasonable level of assurance to an organization.

Prioritization of Recovery

  • Do the documented priorities support the objectives of the organization, meet regulatory requirements (e.g. those of the Central Bank), and support conformance to any contractual requirements?
  • Will their achievement support the survival of the organization?
  • Is there evidence that the priorities have been reviewed and accepted by the appropriate levels of management?

Responsibilities and Tasks

  • Do these support the priorities and strategies?
  • Did staff members who were assigned responsibilities and tasks participate in their BC implementation?
  • Are they clear and understandable to alternates who might have to perform them?

Recovery Resources

  • Are the resources identified in the Business Impact Analysis (BIA) and Business Continuity Strategy specified in the BC Plan tasks and procedures?
  • Are the resources as described in the BC Plan available?
  • Are resources that are available outside the business unit but within the organization being appropriately utilized?

Awareness of Recovery Objectives and Tasks

Evidence of action is also required. BC Plans must be tested for a variety of reasons. The organization must determine the following:

  • Is the recovery team aware of its recovery objectives and able to achieve them?
  • Are staff members prepared for the activation and recovery tasks?

Exercises

Testing and exercising the various elements of the BC Plan allows staff members to practice and rehearse. This ensures that during an actual recovery situation, the recovery team will not be breaking new ground while under stress. Evidence from recovery exercises and testing is invaluable for supporting an audit's analysis of the potential effectiveness of the BC Plan.

Preparedness of Staff Members

One of the most challenging tasks, or perhaps a missing step, in the audit of a BC Plan or a BCM program is to focus on the preparation of the staff who will accomplish the recovery. One must bear in mind that the BC Plan documentation is but a by-product of the BCM Planning Methodology. Auditors cannot limit their focus to "the plan," meaning the BC Plan documentation, but must also review and evaluate the BC Plan development and enhancement process. The resulting knowledge and commitment that have been developed and maintained by the staff should be assessed by the Auditors.

In conclusion, the Auditors act as the representatives of the Board of Directors and senior corporate management in reviewing the BCM Planning Methodology throughout the organization. They must evaluate and assess the viability of the planning. They must provide their best professional answer to the question "Has this organization taken the appropriate planning steps to develop and maintain its ability to survive a disaster?" Through the performance of this review, the Auditors are expected to provide an independent and knowledgeable assessment of the planning process as well as guidance and support for the Executive Management of the organization in business continuity.

Training in BCM Audit

The content of this book is developed in conjunction with the two sets of courses offered by BCM Institute. These courses lead to the Business Continuity Certified Auditor (BCCA) and Business Continuity Certified Lead Auditor (BCCLA) certifications. The generic course curriculum is shown in Appendix 13: Auditing BCM Course. The content will assist heads of Audit Teams in developing their internal BCM Audit courses.

Pitfalls And Difficulties from Audit

A BCM Audit is seldom easy, as it is full of challenges. These are some of the reasons gleaned from past audit failures:

  • The scope of the audit is too broad for the time span that has been allotted.
  • The audit plan is too specific for the time span that has been allotted.
  • The selected sample size is inappropriately large.
  • The audit is poorly managed, with an inadequate audit checklist or none at all.
  • There is a lack of discipline in following the audit checklist and audit schedule.

Maturity of BCM Program

The audit of a BCM program depends on a factor known as maturity. To illustrate, when an organization has just embarked on its BCM journey, the initial testing requirement would be satisfied if it has completed the notification call tree test and the walkthrough test for all its critical business functions. However, if the organization has had its BC Plan tested and exercised for more than three years, this level of testing will no longer be deemed acceptable. A more complex set of tests would be required.

Resource

Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.

Extracted from "Conclusion"
