What is the best method of auditing Business Continuity Management Plans and Programs?
- Gap Analysis (using a Template)
- Training
- Exercises
- Hire an Auditor or Consultant
Feedback from BCP Builder Community on LinkedIn
Standard
- Have a standard, agreed by the senior leadership team, that you want the business to work to. Either a pre-canned one or a home-grown one which your business can sponsor. Get all the local teams to self-assess against this standard and then do a quality assurance visit to the businesses, business units, or departments at highest risk and see if they can evidence what they reported in their self-assessment. Then between you develop an action plan to bring them up to the required standard.
- The Business Continuity/Operational Resilience program is ultimately owned, funded and supported by the Business, which is led by the Senior Leadership Team. They need to agree the program which will be implemented. That can be an ISO standard or a bespoke self-created standard. Hopefully the Senior Leadership Team will see beyond just regulatory compliance and understand the good business sense of having an active program.
Objective
- The first thing that needs to be established is the objective of the program. That way you know what you’re trying to achieve and can measure progress towards that goal.
- It is important to set clear objectives when implementing Business Continuity in an organization. If the objective is to achieve certification, then it is important to adhere to ISO 22301.
- However, if the objective is to make sure that your business is resilient and can be recovered from any disaster then the best method of evaluation is exercising. Ensure you are ready at any time by frequently testing your Business Continuity Plans.
Policy
- Start with the policy. What have Top Management agreed? Usually alignment to the ISO Standard.
- There is no end game for a Business Continuity Management Program, as it is designed for continuous improvement. Only the projects within it have milestones. However, there should still be a policy with a scope to audit against.
Exercise
- An unplanned drill or a surprise test can be a good way to assess the Business Continuity Management Program. Its readiness can be measured.
- If you are very confident in your procedures, you could conduct a pre-planned simulation test with an actual outage. Pull the power plugs as a test of your Disaster Recovery/Business Continuity Plans. If the test goes well, this would give you confidence in your plans and also build trust in the minds of your stakeholders, shareholders and clients.
- Alternatively, conduct a realistic, low-risk table-top exercise.
- Carrying out a simulation exercise, using a business-specific scenario, should be able to highlight shortcomings in the Business Continuity Planning process.
- Think of your exercise as an audit technique, or a gap analysis to find out what’s missing from your plans.
- It is common to use an exercise, of differing levels, to highlight shortcomings of a plan.
- Good practice is a combination of exercising, maintenance and reviews. Do not confuse self-assessment with audit, which is often more formal and compliance-based.
Auditing Business Continuity Management Plans
- An External Audit should be completed by a knowledgeable party from outside the organization.
- An Internal Audit can be used if senior management agree that this will satisfy the stakeholders, shareholders and lawyers. You do not have to be an ISO-based organization to need an audit.
- Some organizations will have an Internal Audit group, who report directly to the Board of Directors.
- Choosing an External or Internal Audit depends on the objective. If it’s a small company assessing their Plan, then an Internal Audit is probably enough. But a larger company who has requested an audit needs something more professional and robust.
- Most Auditors are certified and trained through ISACA and IIA. Both organizations have training in Business Continuity auditing similar to ISO auditing.
- In the United States, ISO is not a major driving force, even for multinationals.
- Hiring consultants or external companies that do not know the overall organization may lead to shortcomings in an audit.
Resilience
Being compliant with ISO 22301 does not automatically mean you are a resilient organisation. This is because resilience is far greater than simply Business Continuity Management.
Resilience is more about culture and having everything aligned and working together. Real resilience comes from a series of controls (directive, detective, preventative and responsive) that are put in place and whose effectiveness is monitored through audits.
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.