Tuesday, 13 November 2012

So you think you can audit a Business Continuity programme?

Lyndon Bird FBCI
As Business Continuity has grown in significance, so has the desire to measure its effectiveness.  Hence the internal audit function, who believe themselves to be the “eyes and ears” of the Board, have an increasingly important role to play.  To do this, however, they need to understand the process they are auditing and the rationale for the decisions that they might be evaluating.  This is not easy.
Although Business Continuity is in many ways relatively straightforward, it is not really a technical or scientific discipline compared with Security or Quality.  Auditors need fixed points of reference for comparisons.  Standards (in various guises) provide them with a route map to follow.  This allows them to check the process but not really the effectiveness of the programme.  For example, it is easy to check the number of employees who have been through a BCM induction, but much more difficult to determine if this has had any impact upon corporate resilience.
This has often caused full-time BC practitioners to claim that they alone can properly audit a BC plan or programme.  There might be some justification for this.  An ISO inspector could successfully audit a hospital for its compliance against pre-agreed hygiene standards, but would not be credible at determining a surgeon’s technical competence at performing a difficult operation.
However, few BC practitioners have the formal audit skills that colleagues in internal audit possess.  Many consultants try to gain these skills by undertaking various audit training courses, but often find the concentration on process and compliance frustrating.
To be successful in auditing a Business Continuity programme, both professional knowledge of BCM and appropriate audit skills are required.  The goal of a BCM programme is to protect the organization, to ensure adequate levels of resilience exist to withstand the consequences of disruptions, and to ensure that there is company-wide BCM awareness and operational consistency.
To continue with the medical analogy, there is little value in a surgeon claiming an operation was a technical success if the patient died of poor aftercare.  Similarly, there is little point in an organization gaining BCM certification from ISO if it goes out of business as soon as a serious problem occurs.  Resilience, not process consistency, is the ultimate measure of success.

So, given these warnings and caveats, what must an auditor do to add value to a BCM programme?  Firstly, he or she must understand the business fully.  There are some good places to start, such as the company’s annual report to understand mission and values; the external auditors’ report to highlight weaknesses or exposures; as well as risk registers, previous business impact analyses and other available management reports.  It is rarely useful to start with the Business Continuity plan itself.

The second stage is to familiarise oneself with the BCM process that is in place.  Does it follow any recognized standard (internal or external)?  How well has it been documented?  Do people know about it and their role in it?  Conducting selective interviews with senior management and other interested parties can help judge how serious they are in supporting BCM.  Remember that a significant budget for commercial IT recovery capability does not in itself demonstrate management commitment to an embedded Business Continuity culture.
Having acquired this level of contextual understanding, auditors can start to ask questions and review the applicability of the responses.  Many of the questions are basic but often throw up uncomfortable issues.  Typical areas to cover include:
  • Do you have plans for all critical systems, processes and functions, and how do you know which are the most critical?
  • Are the plans accurate, complete and up to date?
  • Is the documentation easy to follow in an emergency?
  • Have roles and responsibilities been defined?
  • Are the response strategies devised appropriate to the potential level of disruption?
  • Are the plans tested and how, when and by whom?
  • Are the test results evaluated, lessons learned and plans enhanced?
  • Are the initial response structures well-known and fully tested?
  • Are appropriate communications with external parties defined and tested?
  • If pre-defined alternate locations are designated, do staff know how to access them?
  • Are all critical resources backed up and recoverable?
  • Are personnel trained in their post-incident roles?
The most important thing for the auditor to reflect on is not the documentation but the resilience capability that can be demonstrated.  A poor audit is one in which the auditor treats it as a document review.  It is not enough to have a well written plan unless that plan is part of a tried and tested process.

Friday, 9 November 2012

‘Temporary disruptions’ can have serious consequences - BCM is vital for Kuwait's business environment

Muhammad Ghazali MBCI

IN A COUNTRY like Kuwait which has oil production as the backbone of its economy, even a temporary disruption in production can have serious consequences for the economy. That’s where Business Continuity Management (BCM), a fast developing management discipline, becomes extremely crucial. Muhammad Ghazali, Associate Director, Head of BCM Services, Protiviti Member Firm (Middle East Region), in this interview, talks about BCM and its applications and advantages in Kuwait’s business environment. He says that with increasing complexity of businesses, BCM will become an inevitable entity in any business firm or organization.
Question: What is Business Continuity Management (BCM)?

Answer: Business Continuity Management is a management domain that focuses on development of strategies, plans and capabilities that provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might bring about a serious business or potentially fatal loss to an organization.
An increasing number of organizations and their Executive Management are recognizing the importance of Business Continuity Planning, Resiliency and Crisis Management as part of an Enterprise Risk Management program. Many governmental agencies and all regulators around the world have recognized and incorporated Business Continuity and Crisis Management Planning into their requirements. Investors, as well as Boards of Directors, are increasingly interested in management’s capability to continue critical operations through a disruption and their plans to ensure a resilient enterprise.
Q: What do you mean by “… critical operations through a disruption …”? Please explain.
A: Critical operations are those activities which enable the organization to deliver its key products and services. The critical activities should be delivered to clients even when their primary method or mode of delivery is affected by any disastrous event. For example, for an internet service provider, it is critical to provide internet access to its customers, at an acceptable level, even when its primary method or mode is disrupted.
Q: Does BCM cover even financial crisis? If yes, could effective BCM have averted crises like the subprime mortgage crisis in the US and the more recent Eurozone debt crises etc.? Explain how?
A: BCM preparedness does not directly cover financial crises. Subprime mortgage and Eurozone debt crises are effectively covered by Financial Risk Management initiatives such as Credit and Market Risk management. BCM focuses on developing resiliency for those activities that are ‘time’ critical and required to be ‘available’ all the time. However, BCM does assist Financial Risk Management in an indirect manner by developing resiliency or fail-over options for time-critical activities that come under Financial Risk Management processes, thereby indirectly protecting an organization from financial losses.
Q: Which sector in Kuwait do you think is in most need of BCM? Logically, organizations that carry the most risk, like oil companies etc., should have the greatest need for BCM, isn’t it?
A: Absolutely correct. As the Kuwait economy is largely driven by the Oil and Gas sector, BCM assumes larger importance at the national level. However, Business Continuity preparedness is equally important for other sectors as well. In today’s world, how far can we afford to be without a telephone connection or Internet? In a modern e-Government environment, where every single national and resident is connected, can we tolerate the downtime of e-Government services? In a technology-driven banking business operation, how long can we tolerate the ATMs being down and not working? In our modern lifestyle, where electrical utilities and gadgets have become inevitable, how far can we go without electrical power? Therefore, in my opinion, BCM is needed in every sector that has time-critical processes and activities.
Q: What systems are currently in place in the various companies of Kuwait for Crisis Management? As these companies have been functioning well so far, don’t you think the existing system is fine? Then, what is the need for BCM?
A: Crisis Management is an important element of BCM. In my personal view, the BCM and Crisis Management disciplines are catching up progressively in Kuwait. Though BCM preparedness and capabilities are established within an organization, they operate in isolation and at times are limited to technological recovery only. BCM, like any other management function, requires equal attention and recognition. BCM activities should be integrated with all other business processes. For example, at the time of acquiring or upgrading an application system, an assessment should be carried out to identify all threats which may cause interruptions to the system or to any of the business processes being supported by the system. This type of integration can only be achieved by implementing a Business Continuity Management framework within an organization.
Q: How vast is the paradigm of Business Continuity for organizations today?
A: In a highly competitive and dynamic business environment, it is important for every organization to remain ‘available’ and serve customers virtually every minute. Take the example of the banking sector. A few years ago, banking business was limited to business hours only. But now, with the advent of Mobile Banking Apps in addition to Internet Banking and ATMs, the banking operation needs to be available 24 hours a day. Likewise, every organization is expected to be available all the time to retain and serve their customers. If they are not available for some reason or other, they may run the risk of losing their market share and migration of their customer base to competitors providing better availability. Therefore, any organization that has time-critical operations will have to embrace the BCM discipline to be available for its customers.
Q: Give an example as to how BCM can prevent events like the recent fire in a popular warehouse in Kuwait. Take us through it in a step by step fashion.
A: Excellent question. A well-structured BCM function can prevent such incidents and more importantly, it can contain damages and financial losses. BCM involves a number of work procedures. As an important initial step, BCM identifies critical business processes and availability risks challenging those critical processes. Based on the risk assessment, control measures are established to prevent such incidents and to reduce damages arising out of such incidents. In the specific case referred, the concerned organization had BCM plans in place which assisted them in containing the damages and resuming the business operation within the acceptable downtime period.
Q: How does a BCM structure fit into an organization? Will there be a separate BCM team or will the employees be trained to handle it?

A: As with any management function, BCM has both strategic and operational sets of activities to be performed on a continuous basis. While the organizational fit will have to be specific to its nature of business, it is ideal for organizations to assign the responsibility of establishing and maintaining the BCM strategies and plans to a dedicated corporate-level entity. Good practices recommend the formation of a number of committees and cross-functional recovery teams to work as needed. BCM training is absolutely required for both the dedicated BCM strategy unit and operational teams, and the training program should be provided periodically.
Q: How is business continuity different today than it was a decade ago?

A: A decade ago, the initial paradigm was much focused on Technology recovery and was popularly referred to as ‘IT Disaster Recovery Planning’. However, organizations slowly recognized that BCM will have to focus equally on elements such as people, process, premises, records and suppliers. Hence, the concept of a cross-functional Management System for Business Continuity started evolving and is maturing over the period of time. Leading organizations don’t consider the BCM program as relating only to Technological recovery.
Q: What are the international best practices available for Business Continuity? And how feasible is it to apply all of them in the Kuwait market?

A: Fortunately, there are a number of best practices available as of today. There is an ISO Standard for Business Continuity Management Systems popularly referred to as ISO 22301:2012. Besides, there are the ‘Good Practice Guidelines’ released by The Business Continuity Institute (BCI), UK. Besides, there are a number of other Standards for Data Centres, ICT Readiness, etc. These Standards and Guidelines are equally useful for organizations operating in Kuwait and provide an adaptable model to structure the BCM function as per organizational requirements and Kuwait-specific requirements.
Q: What is the role of leadership in the implementation of Business Continuity Management?
A: Organizational leaders play an important role in establishing, managing and operating the Business Continuity Management function. They provide strategic direction to the function by reviewing and approving BCM strategies and plans. They also allocate required resources and investments in developing the required capabilities and arrangements. More importantly, they are responsible for analyzing and declaring emergency situations, and accordingly advising business recovery teams to continue business operations from the alternative workspace. They conduct periodical reviews over the operating effectiveness of the BCM strategies and plans with an aim to improve its preparedness and effectiveness. Protiviti Member Firm for the Middle East (Protiviti) considers the role of the leaders in the BCM program as crucial for the success of the BCM program. The ISO Standard (ISO 22301:2012) also mandates their involvement as a major requirement to qualify for certification and compliance. 
Q: In your opinion, how can corporates in Kuwait establish and implement an effective BCM Program?
A: Leading organizations have already established and are effectively practicing BCM programs. However, the level of implementation among the rest of the organizations in Kuwait is not very encouraging. Many of them are under a false assumption that they will not be impacted by any contingent event, and even if a contingent event strikes them, they tend to believe that they can respond to it in a reactive manner. Therefore, they consider that any investment in BCM capabilities may not yield the required returns to them. However, the fact is quite the opposite. Available statistics prove that marginal investment in resiliency and fail-over capabilities insures them from major damages, financial losses, regulatory non-compliance and reputational risks. Protiviti encourages organizations in Kuwait to take the first effective step: determine the organizational availability requirements and assess the availability risks. Protiviti believes this initial first step will enable them to understand their risk exposure and accordingly take cost-effective continuity measures. It is not necessarily the case that risk mitigation activities are prohibitively expensive. There are many international best practices, such as the ISO 22301:2012 Standard and BCI’s Good Practice Guidelines, that provide a comprehensive framework to take effective measures.
Q: Being the official leader of the Business Continuity Institute Kuwait Forum, what are the plans during the year 2013?
A: The BCI Kuwait forum was the first country forum from the Middle East that participated in the ‘Global Business Continuity Awareness Week’ in 2012. The BCI Kuwait forum plans to participate in Global Business Continuity Awareness Week 2013, which is scheduled for March 2013. During this week, the BCI Kuwait forum will conduct a full-day conference in Kuwait, inviting local, regional and international speakers to share their valuable experiences and knowledge. Besides, there will be quarterly knowledge-sharing events for BCM professionals to share case studies through general awareness workshops for the existing and potential members of the BCI in Kuwait.
Q: What are the qualifications a person should have to join the forum? How is the training offered, and the examination held? Is a BCM certification a lifelong one, or do graduates have to take retests to keep the degree?
A: Any professional can join The BCI Kuwait Forum by signing a simple Membership Form. The BCI Licensed Trainings are offered in the Middle East through licensed training partners. Any professional can attend these training programs and appear for a Certification Examination, if desired. On successfully passing the examination, they can earn the credentials of CBCI (Certified by The Business Continuity Institute). Due to the emerging nature of the domain, certified professionals are required to appear for a retest after three years to retain their credentials. The main objective of the retest is to enable the professionals to continue their professional education.