Lyndon Bird FBCI
As Business Continuity has grown in significance, so has the desire to measure its effectiveness. Hence the internal audit function, who believe themselves to be the “eyes and ears” of the Board, have an increasingly important role to play. To do this, however, they need to understand the process they are auditing and the rationale for the decisions that they might be evaluating. This is not easy.
Although Business Continuity is in many ways relatively straightforward, it is not really a technical or scientific discipline compared with Security or Quality. Auditors need fixed points of reference for comparisons. Standards (in various guises) provide them with a route map to follow. This allows them to check process, but not really the effectiveness of the programme. For example, it is easy to check the number of employees who have been through a BCM induction, but much more difficult to determine whether this has had any impact upon corporate resilience.
This has often caused full-time BC practitioners to claim that they alone can properly audit a BC plan or programme. There might be some justification for this. An ISO inspector could successfully audit a hospital for its compliance against pre-agreed hygiene standards, but would not be credible at determining a surgeon’s technical competence at performing a difficult operation.
However, few BC practitioners have the formal audit skills that their colleagues in internal audit possess. Many consultants try to gain these skills by undertaking various audit training courses, but often find the concentration on process and compliance frustrating.
To be successful in auditing a Business Continuity programme, both professional knowledge of BCM and appropriate audit skills are required. The goal of a BCM programme is to protect the organization, to ensure adequate levels of resilience exist to withstand the consequences of disruptions, and to ensure that there is company-wide BCM awareness and operational consistency.
To continue with the medical analogy, there is little value in a surgeon claiming an operation was a technical success if the patient died of poor aftercare. Similarly, there is little point in an organization gaining BCM certification from ISO if it goes out of business as soon as a serious problem occurs. Resilience, not process consistency, is the ultimate measure of success.
So, given these warnings and caveats, what must an auditor do to add value to a BCM programme? Firstly, he or she must understand the business fully. There are some good places to start: the company’s annual report, to understand mission and values; the external auditors’ report, to highlight weaknesses or exposures; as well as risk registers, previous business impact analyses and other available management reports. It is rarely useful to start with the Business Continuity plan itself.
The second stage is to familiarise oneself with the BCM process that is in place. Does it follow any recognized standard (internal or external)? How well has it been documented? Do people know about it and their role in it? Conducting selective interviews with senior management and other interested parties can help judge how serious they are in supporting BCM. Remember that a significant budget for commercial IT recovery capability does not in itself demonstrate management commitment to an embedded Business Continuity culture.
Having acquired this level of contextual understanding, auditors can start to ask questions and review the applicability of the responses. Many of the questions are basic but often throw up uncomfortable issues. Typical areas to cover include:
- Do you have plans for all critical systems, processes and functions and how do you know which are the most critical?
- Are the plans accurate, complete and up to date?
- Is the documentation easy to follow in an emergency?
- Have roles and responsibilities been defined?
- Are the response strategies devised appropriate to the potential level of disruption?
- Are the plans tested and how, when and by whom?
- Are the test results evaluated, lessons learned and plans enhanced?
- Are the initial response structures well-known and fully tested?
- Are appropriate communications with external parties defined and tested?
- If pre-defined alternate locations are designated, do staff know how to access them?
- Are all critical resources backed up and recoverable?
- Are personnel trained in their post-incident roles?
The most important thing for the auditor to reflect on is not the documentation but the resilience capability that can be demonstrated. A poor audit is one in which the auditor treats it as a document review. It is not enough to have a well written plan unless that plan is part of a tried and tested process.
As a BCM professional and a Chartered Internal Auditor I was very interested in this article.
Your first point about understanding the business is, as you rightly say, critical, but if an internal auditor doesn't understand their business before embarking on an audit of BCM, I'd question how they can call themselves an INTERNAL auditor (outsourced consultants aside).
One thing I think you miss though is the communication of roles and responsibilities (supported with appropriate training); it's all well and good having them defined, but if people aren't aware they have these responsibilities then they are pointless. This is quite a simple thing for an auditor to test and would give quantitative results that are easy to communicate at results time.