Auditing Business Continuity Management

Conduct Fact Finding and Review Assessment

Written by Moh Heng Goh | Sep 18, 2020 6:44:46 AM

Conduct a Preliminary Fact Finding

Before the start of any BCM audit, a series of questions needs to be answered as part of the preliminary fact-finding and planning.

There are two sets of questions: one gathers initial information before the audit, and the other evaluates the existing BCM initiatives.

Gather Initial BCM Information

  • Are the BCM Manual and BC Plan in place?
  • Is there a BC project team or BCM Program Office?
  • Who is the BC Project Manager or Organization BCM Coordinator?
  • What is the organizational BCM structure?
  • Have internal or external BCM Audits been conducted previously?

Evaluate Existing BCM Initiatives

If a BCM initiative exists, the Auditors should ask the following questions:

  • What business functions and IT applications are critical to the organization?
  • How long can the organization survive without these critical business functions and IT applications?
  • What is the minimum hardware configuration that these business functions and IT applications can run on?
  • Where are the users of these critical business functions and IT applications primarily located?
  • Are there any special supplies required by these business functions and IT applications?
  • Under what conditions would the organization declare a disaster?
  • Are there any additional factors which would prevent the orderly recovery of critical business functions and IT applications that need to be considered?

Apart from the above questions, the Auditors should find out more about the following areas to support more thorough BC Planning:

  • What is the Executive Management’s BCM stance on providing support?
  • Is there any Risk Analysis and Review (RAR) or Business Impact Analysis (BIA) study report and documents available?
  • Where is the concentration of critical business functions at specific locations?
  • What is the degree of dependence of the organization on the IT system?
  • What is the degree of software and hardware concentration at different locations?
  • Has any business impact analysis and review of the organization's exposure been conducted for the case where critical business functions and IT applications are disrupted beyond their tolerable time window?
  • Is the Pareto distribution (80/20) rule applied to critical business functions and activities?
  • Has BCM compliance with regulatory mandates and legal obligations been reviewed?
  • What is the BCM corporate policy and charter of the organization?
  • To what degree are the Executive Management and personnel committed to the BCM effort?
  • Is there a walkthrough review of the business and IT facilities for organizational vulnerability?
  • Have these organizational risk assessment conclusions and opinions been approved and documented?

Once the basic information is available, the Auditor can proceed to determine the importance of the BCM Audit and the scope and depth of approach needed.

Review of Preliminary Assessment with Management

Before the start of an audit, the Audit Team Leader needs to hold a discussion with the Executive Management. After the meeting, the Auditor should have gained:

  • A perspective of the organization’s operations, especially the mission-critical
  • Insight into the performance of the business and its future direction.
  • Insight into the Management's priorities.

 

Resource

Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.

Extracted from "Stage 1: Audit Planning and Preparation"

 
