How to audit business continuity programs

The purpose of these programs is to prepare the organization to cope more effectively with major disruption. Program managers plan possible responses in advance of the actual incident(s) rather than simply responding in the heat of the moment. This planning increases the quality and consistency of the response regardless of the person who executes the plan.

The programs must cope with a wide variety of potential incidents, from man-made disasters such as power-grid or other critical infrastructure failures to natural disasters such as hurricanes, floods, or fires. Simple incidents also can have huge consequences, so don’t under-plan; for example, expect that your staff won’t make it to work due to an ice storm. It is an unfortunate fact of life that, despite our best efforts, some disasters are simply unavoidable. The quality of an organization’s response to such a crisis can make the difference between its survival and its demise.

Because the BCP and DR efforts are so important, and should fit hand-in-glove, I will talk about effective audits of both as one cohesive unit. But also, because they are so important, I will break the discussion into two columns: one this month, to review what an effective program consists of, what the typical internal auditor’s roles in BCP and DR are, and finally what the key audit-scoping issues are; and a second column next month, providing further guidance regarding audit planning efforts, the audit fieldwork activities, the reporting of results and the related improvement efforts, and finally, leading resources to assist your efforts.

Internal auditing’s role In BCP and DR

Internal audits of the BCP and DR programs are highly recommended. The board and management need assurance regarding the effectiveness of those efforts. They want to know that the DR plan will work when needed, that the investments in BCP and DR are obtaining good value, and that a disaster will not bring the business to its knees. An independent assessment of the BCP and DR programs by internal audit can provide objective feedback that helps ensure the programs are adequate to prevent a business failure. Think about it: While everyone has focused on the requirements of Sarbanes-Oxley for almost five years, have your DR and BCP efforts kept pace with today’s new challenges and expanding requirements? Have an answer, because your board is increasingly likely to ask.

Exactly how internal-audit departments should interact with BCP and DR programs varies widely among companies. With the right approach, audit can deliver real value to the board and executive management by objectively assessing whether the program provides effective coverage to protect the organization from harm when a significant disaster occurs.

An audit of the BCP and DR program can take many forms. At its simplest, auditors can conduct a quick “BCP/DR health check,” reviewing the plans and interviewing key stakeholders. At its most complex, the audit team can analyze almost every aspect of the program, evaluate the risk-based planning, observe BCP/DR tests, assess the completeness of the business-impact analysis, and so forth. The type and the extent of auditing performed depends on the risks involved, management’s assurance requirements, and the availability of audit resources. External specialist resources may be useful on occasion. The auditors might participate as formal observers in mock drills or review the program’s documentation and assess its comprehensiveness and completeness. Your options are numerous.

Internal auditors normally will review what has been planned and achieved against management’s expectations and in comparison to generally accepted best practices in the field. This is where audit objectivity comes to the fore; the auditors have a legitimate purpose to assess whether management’s expectations are reasonable and sufficient, given the level of risk to the organization and in relation to other similar organizations.

The following advice covers the main phases of any audit: scoping, planning, fieldwork, analysis, and reporting. BCP and DR programs, however, come in many shapes and sizes, so clearly the specific details of any given audit will vary according to the situation.

Audit-scoping phase

As with any audit, defining the goals and objectives for a review of the BCP and DR programs is the auditor’s first task. Scoping is best conducted on the basis of a rational assessment of the associated risks. The following aspects are generally worth considering when scoping a BCP and DR audit:

• Overall program governance. How are the programs managed? Are they given appropriate strategic direction and investment? (That is, does the organization place sufficient emphasis on BCP and DR?) Are suitable sponsors and stakeholders involved, representing all critical parts of the organization? Do they take sufficient interest in the programs, demonstrating their support through involvement and action? And most importantly, who is accountable for the their success or failure?
• Ongoing program management. A critical success factor in every BCP and DR effort is the way in which the programs are planned and driven to ensure that they meet objectives despite the organization’s inevitable competing priorities. Does program management balance consideration of the many conflicting priorities managers face with the critical need that corporate resiliency efforts be appropriate? This is not a once a year exercise anymore; being prepared is an ongoing, day in and day out effort.
• Definition and accuracy of the BCP and DR objectives. Have the programs’ requirements been clearly and fully defined by management? Has a comprehensive business-impact analysis been completed? Is it regularly updated?
• Coverage of the BCP and DR plans. Have all the critical business processes been identified and suitable plans prepared? Do the plans take sufficient account of the need to maintain or recover the supporting infrastructure (IT servers and networks, for example)? Are the plans reasonably “tidy” or are they cluttered with non-essential processes, systems, and activities? Are significant outsourced activities adequately covered? Do they need validation as well?
• Management of any system or process changes. Inevitably, changes will be required to implement BCP and DR arrangements. Is change management managed effectively to provide the best assurance that changes are tracked and addressed within the live and DR environments?
• Robustness of the BCP and DR testing processes. Program managers need to demonstrate the organization’s preparedness, build management confidence, and most importantly, strengthen the organization’s BCP and DR capabilities; Is “people participation” identified, approved, and tracked to provide the best assurance that the drills and tests are actually attended, and that those results meet your BCP and DR objectives?
• Plan maintenance. How is the change-management process that keeps the plans up to date governed, even as the organization changes? Are roles and responsibilities allocated within the organization for developing, testing, and maintaining BCP and DR plans?
• BCP and DR procedures. Consider the procedures and associated training, guidelines, and so forth to make managers and staff familiar with the process to follow in a disaster.

In addition to defining what aspects fall within the audit’s scope, equally important is that management and the board clarify any aspects that are out of the scope—particularly any important considerations that, for one reason or another, are not going to be covered at this time (say, perhaps because they will be audited separately). A natural part of the scoping phase is to identify one or more management sponsors for the audit. Audits are conducted for the benefit of the company’s management rather than for audit’s own purposes, so it is important to know who will receive, accept, and act upon the final audit report. Their overt support for the audit can make audit’s job much easier, such as by engaging and gaining the involvement of suitable auditees.