Auditing business continuity capabilities
Continuity is an essential requirement for any business today. What are the priority aspects to planning such an audit, asks Dan Swanson?
As I’ve indicated many times, ensuring that an organisation can recover from disaster is a basic business requirement the board should explore regularly with management. Nowadays, leading organisations are taking this requirement and turning it into a strategic advantage: namely, investments in operational resiliency are assisting organisations to become more responsive to client needs as well as improving operational reliability, quality, and efficiency. It’s an effort you should consider.
As organisations face increasingly complex business and operational environments, functions such as information security and business continuity keep evolving: indeed, they need to keep evolving. Today, successful information security and business continuity programmes (BCP) both address the technical issues involved and strive to support the organisation’s efforts to improve and sustain an adequate level of operational resiliency. Cybersecurity protection efforts are the latest extended improvement effort pretty well every organisation needs to invest in.
Internal auditing’s contribution
Regular internal audits of information security, cybersecurity, BCP and DR programmes are highly recommended. The board and management need assurance regarding the effectiveness of those preparedness efforts, and they also need assurance that the company is building a more efficient and effective operation on an on-going basis.
The following priorities are generally worth considering when scoping an audit of business continuity capabilities:
- Overall programme governance. How is operational resiliency being encouraged? Is the programme given appropriate strategic direction and investment? (for example, does the organisation place sufficient emphasis on operational improvement?) Are suitable sponsors and stakeholders involved, representing all critical aspects of the organisation? Do they take sufficient interest in the programme, demonstrating their support through involvement and action? And most important of all, who is accountable for the programme's adequacy?
- Ongoing programme management. A critical success factor in every BCP and DR effort is the way in which the programmes are planned and driven, ensuring that they meet objectives despite the company’s inevitable competing priorities. Does programme management balance consideration of the many conflicting priorities managers face with the critical need that corporate resiliency efforts be appropriate? This is not a once-a-year exercise anymore; being prepared is an ongoing, day-in and day-out effort. More frequent testing is becoming a necessity.
- Management of significant system or process changes. The evaluation of operational resiliency inevitably results in system and process improvement. Is release management handled effectively to provide the best assurance that improvement results are beneficial and that operational reliability is occurring?
An independent assessment of the BCP and DR programmes by internal audit can provide objective feedback that helps ensure the programmes are adequate to prevent a business failure. Think about it: have your DR and BCP efforts kept pace with today’s new challenges and expanding requirements, as well as the significant investment in technology that most organisations have completed or are working on?
Exactly how internal audit departments should interact with BCP and DR programmes varies widely among companies. With the right approach, audit can deliver tremendous value to the board and executive management by objectively assessing whether the programme provides effective coverage to protect the organisation from harm when a significant disaster occurs. With the very significant time pressures many managers are facing, an independent and objective evaluation can actually be just what the doctor ordered.
An audit of the BCP and DR programme can take many forms. At its simplest, auditors can conduct a quick ‘BCP/DR health check’, reviewing the plans and interviewing key stakeholders. At its most complex, the audit team can analyse almost every aspect of the programme, evaluate the risk-based planning, observe BCP/DR testing, assess the completeness of the business impact analysis (BIA), and so forth.
The type and the extent of auditing performed depends on the risks involved, management’s assurance requirements, and the availability of appropriate audit resources. External specialist resources may be useful on different occasions. The auditors might participate as formal observers in mock drills or review the programme’s documentation and assess its comprehensiveness and completeness. Your audit options are quite broad; adjusting your audit plans over time is also recommended.
Internal auditors will normally review what has been planned and achieved against management’s expectations and in comparison to generally accepted best practices in the field. This is where audit objectivity comes to the fore; the auditors have a legitimate purpose to assess whether management’s expectations are reasonable and sufficient, given the level of risk to the organisation and in relation to other similar organisations.
The following advice covers the main phases of any audit: scoping, planning, fieldwork, analysis, and reporting. BCP and DR programmes, however, come in many shapes and sizes, so clearly the specific details of any given audit will vary according to the specific situation.
- The BCP and DR programme should be able to meet the recovery window objectives of mission critical services, in the event of an emergency or unusual event by covering:
- critical services, information assets, and dependencies documented in the business-impact analysis;
- approved and organised recovery strategies;
- measures to deal with the impacts and effects of disruptions;
- response and recovery teams including the membership, contact information, and activation procedures;
- roles, responsibilities, and tasks of the teams including internal and external stakeholders and covering planning, testing, and actual disaster efforts;
- resources and procedures for recovery;
- coordination mechanisms and procedures; and
- communications strategies.
The governance structure for the BCP and DR programme should establish the authorities and responsibilities for the development, approval, and testing of contingency plans, and involves:
- providing strategic direction and communication;
- approving departmental contingency plans and governance;
- committing financial and other resources;
- reviewing and approving identified critical services and associated assets;
- resolving conflicting interests and priorities;
- approving contingency plans and activities;
- ensuring that regular training, reviewing, testing, and auditing occur;
- ensuring that contingency-planning activities are supported by IM, IT, and other continuity plans and arrangements, as required; and
- risk appetite and statement of risk at the enterprise level.
As with any audit, defining the goals and objectives for a review of the BCP and DR programmes is the auditor’s first task. Providing an objective and comprehensive assessment of the organisation’s BCP and DR programmes, to management and the board, is likely the overriding audit goal that should be worked towards. Scoping is best conducted on the basis of a rational assessment of the associated risks. The following aspects are generally worth considering when scoping a BCP and DR audit:
- Overall programme governance. How are the programmes managed? Are they given appropriate strategic direction and investment? (That is, does the organisation place sufficient emphasis on BCP and DR?) Are suitable sponsors and stakeholders involved, representing all critical parts of the organisation? Do they take sufficient interest in the programmes, demonstrating their support through involvement and action? And most importantly, who is accountable for the success or failure? Periodically revisiting overall programme governance can be very productive, things change over time, particularly as businesses are acquired or aspects of the company are discontinued.
- Ongoing programme management. A critical success factor in every BCP and DR effort is the way in which the programs are planned and driven to ensure that they meet objectives despite the organisation’s inevitable competing priorities. Does programme management balance consideration of the many conflicting priorities managers face with the critical need that corporate resiliency efforts be appropriate? This is not a once a year exercise anymore; being prepared is an ongoing, day in and day out effort. Is the level of testing completed annually appropriate to the programme’s complexity and importance? (Finding out how well we’ll do during an actual disaster is an extremely poor strategy.)
- Definition and accuracy of the BCP and DR objectives. Have the programme's requirements been clearly and fully defined by management? Has a comprehensive business-impact analysis been completed? Is it regularly updated?
- Coverage of the BCP and DR plans. Have all the critical business processes been identified and suitable plans prepared? Do the plans take sufficient account of the need to maintain or recover the supporting infrastructure (IT servers and networks, for example)? Are the plans reasonably 'concise' or are they cluttered with non-essential processes, systems, and activities? Are significant outsourced activities adequately covered? Do they need validation as well? Are plans current with respect to all the current hardware and software the organisation has in place?
- Management of any major system or process changes. Inevitably, changes will be required to implement BCP and DR arrangements. Is change management managed effectively to provide the best assurance that changes are tracked and addressed within the live and DR environments? In addition, the frequency of change to an organisation’s technologies continues to increase, and therefore changes to the BCP and DR programmes are ongoing.
- Robustness of the BCP and DR testing processes. Programme managers need to demonstrate the organisation’s preparedness, build management confidence, and most importantly, strengthen the organisation’s BCP and DR capabilities; Is ‘people participation’ identified, approved, and tracked to provide the best assurance that the drills and tests are actually attended, and that those results meet your BCP and DR objectives? Remember, it’s not a matter of ‘if’, today it’s more a matter of ‘when’, and perhaps how large a scope (is involved).
- Plan maintenance. How is the change management process that keeps the plans up to date governed, even as the organisation changes? Are roles and responsibilities allocated within the organisation for developing, testing, and maintaining BCP and DR plans? Organisations MUST design DR and BCP capabilities ‘into’ their new solutions and technologies - it cannot be added on just before production implementation.
- BCP and DR procedures. Consider the procedures and associated training, guidelines, and so forth to make managers and staff familiar with the process to follow in a disaster.
In addition to defining what aspects fall within the audit’s scope, equally important is that management and the board clarify any aspects that are out of the scope —particularly any important considerations that, for one reason or another, are not going to be covered at this time (say, perhaps because they will be audited separately).
In closing, many people ask what audit tests could be performed? An audit of a BCP and DR programme could include some or even all of the following (and likely more):
- interviewing key stakeholders and participants in the programme
- reviewing business case, planning, and IT related documents
- more or less detailed reviewing of individual BCP and DR plans, checking that they are complete, accurate, and up-to-date — for example, testing a sample of the contact details for key players to confirm whether their phone numbers are correct
- looking for defined recovery times and whether there is evidence that they can be met
- examining training materials, procedures, guidelines, and so forth, plus any management communications regarding BCP and DR situations that might occur and what employees should do
- reviewing testing plans and the results of any tests already conducted
- evaluating relevant employee preparedness and familiarity with procedures
- reviewing impact of new regulations on plans
- reviewing contractor and service provider ‘readiness’ efforts.
A long term investment
Companies that want to implement a culture of continuous improvement should focus on improving the operational resiliency of their key systems and processes. Internal audit should help reinforce this goal by periodically evaluating both the whole enterprise’s and the individual business units’ efforts to address operational risk by enhancing operational processes and systems.
Building a highly resilient organisation takes a long-term view and a persistent investment of management’s time and resources, and leading organisations are now doing this.
What is your organisation doing to improve, and audit, your business continuity efforts?
In closing, do make sure the organisation’s crisis management protocols are well defined as executive management and the board need to have crisis communications organised prior to any significant incident.
About the author
Dan Swanson has more than 26 years’ experience as an internal auditor. He was formerly the Director of Professional Practices at the Institute of Internal Auditors.
Dan has completed audit projects for over 30 different organisations, spending almost 10 years in government auditing (federal, provincial and municipal levels), and the rest in the private sector, mainly in the financial services, transportation and health sectors.