How to Audit Business ContinuityIt's Not About the Process; It's About the Plan
Recent events such as Superstorm Sandy in the U.S. have brought new attention to the business continuity discipline. And, of course, as business continuity grows in significance, so does the desire to measure its effectiveness. Hence, we see internal audit teams, who believe themselves to be the "eyes and ears" of the board, now have an increasingly important role to play. To fulfill this role, however, they need to understand better the process they are auditing and the rationale for the decisions that they might be evaluating. This is not easy.
Although business continuity is in many ways relatively straightforward, it is not really a technical or scientific discipline compared with security or quality. Auditors need fixed points of reference for comparisons. Standards (in various guises) provide them with a route map to follow. This allows them to check the process, but not really the effectiveness, of the program. For example, it is easy to check the number of employees who have been through a business continuity management induction, but much more difficult to determine if this has had any impact upon corporate resilience.
Resilience, not process consistency, is the ultimate measure of success.
This factor has often caused full-time BC practitioners to claim that they alone can properly audit a BC plan or program. There might be some justification for this. An ISO inspector, for instance, could successfully audit a hospital for its compliance against pre-agreed hygiene standards, but would not be credible at determining a surgeon's technical competence at performing a difficult operation.
However, few BC practitioners have the formal audit skills that colleagues in internal audit possess. Many consultants try to gain these skills by undertaking various audit training courses, but often find the concentration on process and compliance frustrating.
To be successful in auditing a business continuity program, both professional knowledge of BCM and appropriate audit skills are required. The goal of a BCM program is to protect the organization, to ensure adequate levels of resilience exist to withstand the consequences of disruptions and to ensure that there is company-wide BCM awareness and operational consistency.
To continue with the medical analogy, there is little value in a surgeon claiming an operation was a technical success if the patient died of poor aftercare. Similarly, there is little point in an organization gaining BCM certification from ISO if it goes out of business as soon as a serious problem occurs. Resilience, not process consistency, is the ultimate measure of success.
So given these warnings and caveats, what must an auditor do to add value to a BCM program? First, he or she must understand the business fully. There are some good places to start, such as the company's annual report, to understand missions and values; the external auditors report to highlight weaknesses or exposures; as well as risk registers, previous business impact analyses and other available management reports. It is rarely useful to start with the business continuity plan itself.
The second stage is to familiarize oneself with the BCM process that is in place. Does it follow any recognized standard (internal or external)? How well has it documented? Do people know about it and their role in it? Conducting selective interviews with senior management and other interested parties can help judge how serious they are in supporting BCM. Remember: A significant budget for commercial IT recovery capability does not in itself demonstrate management commitment to an embedded business continuity culture.
Having acquired this level of contextual understanding, auditors can start to ask questions and review the applicability of the responses. Many of the questions are basic, but often throw up uncomfortable issues. Typical areas to cover include:
- Do you have plans for all critical systems, processes and functions, and how do you know which are the most critical?
- Are the plans accurate, complete and up-to-date?
- Is the documentation easy to follow in an emergency?
- Have roles and responsibilities been defined?
- Are the response strategies devised appropriate to the potential level of disruption?
- Are the plans tested? If so, how, when and by whom?
- Are the test results evaluated, lessons learned and plans enhanced?
- Are the initial response structures well-known and fully tested?
- Are appropriate communications with external parties defined and tested?
- If pre-defined alternate locations are designated, do staff know how to access them?
- Are all critical resources backed up and recoverable?
- Are personnel trained in their post-incident roles?
The most important thing for the auditor to reflect on is not the documentation, but the resilience capability that can be demonstrated. A poor audit is one in which the auditor treats it as a document review. It is not enough to have a well written plan unless that plan is part of a tried-and-tested process.
Bird is the technical development director at the Business Continuity Institute in the U.K. The BCI currently has over 7000 members in 100+ countries.