#312 – AUDITING YOUR BCP AND DR PROGRAM – JUST HOW RESILIENT IS YOUR ORGANIZATION? – DAN SWANSON

Being able to respond (i.e. continue critical business processes) during a major disaster and recover normal operations efficiently afterwards is a critical success factor for all organizations.  An effective business continuity plan (BCP) and disaster recovery (DR) program is vital and must receive proper management attention and support. 

The purpose of the BCP and DR program is to prepare the organization to cope more effectively with major disruption, planning possible responses in advance of the actual incident(s) rather than simply responding in the heat of the moment.

2020 was a year of massive change, including: implementing work from home, improving digital capabilities, pivoting sales & supply channels, and adjusting business models. In the future organizations will be need to be resilient in order to succeed. Evaluating your BCP and DR capabilities will assist in that effort, as well as ensure that the many 2020 response efforts are leveraged, and improved in the coming years.  

Being “prepared” is a worthwhile goal for many reasons. Being prepared is critically important because it will reduce impacts on an organization’s customers and their stakeholders. A resilient organization is also a strongly competitive organization, better able to react to surprise events, better able to go on the offensive when business opportunities arise, and better able to implement new initiatives (because the organization’s management knows and understands its business practices and has strong process-management knowledge). If an organization can recover effectively from a disaster, it can certainly handle smaller challenges. 

The BCP and DR program must cope with a wide variety of potential incidents, covering both man-made disasters such as power-grid or other critical infrastructure failures and natural disasters such as hurricanes, floods or fires.  Simple incidents can also have high impact so don’t under-plan, e.g. plan for staff not making it into work due to an ice storm. It is an unfortunate fact of life that, despite our best efforts, some disasters are simply unavoidable.  The quality of an organization’s response to such a crisis can make the difference between its survival or its demise.

Plans are important, planning more so. Execution and continuous improvement are perhaps the most important.

Audit’s role in reviewing BCP and DR programs

Internal audit’s role in respect to the BCP and DR program varies widely between organizations.  With the right approach, audit can deliver real value to the board (through the audit committee) and executive management by ensuring that the program provides effective coverage to protect the organization from harm when a significant disaster occurs.

An audit of the BCP and DR program can take many forms. At its simplest, auditors can conduct a quick “BCP/DR health check”, reviewing the plans and interviewing key stakeholders; at its most complex, the audit team can analyze almost every aspect of the program, evaluate the risk-based planning, critically evaluate the reasonableness of the Business Impact Analysis, observe BCP/DR tests, etc. The type and extent of auditing performed depends on the risks involved, management’s assurance requirements, and the audit resources available. External specialist resources may also be beneficial on occasion.

Internal audits of the BCP and DR program are highly recommended.  The board and management need assurance regarding the effectiveness of the BCP and DR program. They want to know the DR plan will work when needed, that the investments in BCP and DR are obtaining good value, and that a disaster will not bring the organization to its knees. An independent assessment of the BCP and DR program by internal audit can provide objective feedback that might even prevent a business failure.

Reviewing a BCP and DR program encourages better performance.  Internal auditors will normally review what has been planned and achieved against management’s expectations and in comparison to generally accepted best practices in the field.  This is where audit independence comes to the fore: the auditors have a legitimate purpose to assess whether management’s expectations are reasonable and sufficient, given the level of risk to the organization and in relation to other similar organizations.

The following advice covers the main phases of any audit: scoping, planning, fieldwork, and analysis and reporting.  BCP and DR programs, however, come in many shapes and sizes so clearly the specific details of any given audit will vary according to the situation.  

Audit scoping phase

As with any audit, defining the goals, objectives, criteria, and scope for a review of the BCP and DR program is the auditor’s first task.  Scoping is best conducted on the basis of a rational assessment of the associated risks.  The following aspects are generally worth considering when scoping a BCP and DR audit:

  • Overall program governance: How is the program managed?  Is the program given appropriate strategic direction and investment? Does the organization place sufficient emphasis on BCP and DR?  Are suitable sponsors and stakeholders involved, representing all critical parts of the organization?  Do they take sufficient interest in the program, demonstrating their support through involvement and action?  And most important of all, who is accountable for the program’s success or failure?
  • Ongoing program management – A critical success factor in every BCP and DR program is the way in which the program is planned and improved, ensuring that it meets objectives despite the organization’s inevitable competing priorities;
  • Definition and accuracy of the BCP and DR objectives.  Have the program’s requirements been clearly and fully defined by management? Has a comprehensive business impact analysis been completed and is it regularly updated?  How often and thorough is a threat and hazard analysis and risk assessment conducted?
  • Coverage of the BCP and DR plans i.e. have all the critical business processes been identified and suitable plans prepared?  Do the plans take sufficient account of the need to maintain or recover the supporting infrastructure (e.g. IT servers and networks)?  Are the plans reasonably ‘tidy’ or are they cluttered with non-essential processes, systems and activities? Are significant outsourced activities adequately covered? Do they need to be validated? (Will they work?). Have these plans been signed off on by the department heads? How aware are key departments managers and critical staff of the BCP/DR Plans? Are third party vendors/contractors included in the planning, testing, and audits? How is third party resilience verified and at what level (DDQ, documentation, in-person testing/exercise audit? 
  • Management of any system or process changes that are required to implement DR and BCP arrangements, including any system decommissioning and/or outsourcing;
  • Robustness of the BCP and DR testing processes and exercises to demonstrate the organization’s preparedness, build management confidence, and most importantly, to strengthen the organization’s BCP and DR capabilities. Are After Action Reports issued and reviewed, then used to develop improvement plans to update the BCP/DR Plans?;
  • Plan maintenance – the change management processes that keep the plans up to date even as the organization changes.  Are roles and responsibilities allocated within the organization for developing, testing and maintaining BCP and DR plans? How often is the plan updated, where is it updated (online systems, e-documents, hard copies)? How is plan maintenance controlled?
  • BCP and DR procedures plus the associated training, guidelines, etc. to make managers and staff familiar with the process to follow in a disaster.
  • Changing requirements and operating environments, – for e.g. as productions operations more and more move to the cloud, what are the implications for the DR and BCP program efforts? – Also consider the growing importance of resilient operations and investments in high availability designs and architectures.  
  • Assurance – the frequency and reasonableness of reporting to the board, audit committee and executive management on the organization’s BCP and DR preparedness. 

As well as defining what aspects are in scope for the audit, it is just as important that audit management clarifies any aspects that are out-of-scope, particularly any important considerations that, for one reason or another, are not going to be covered at this time.  

A natural part of the scoping phase is to identify one or more management sponsors for the audit.  Audits are conducted for the benefit of the organization’s management rather than for audit’s own purposes, so it is important to know who will receive, accept and act upon the final audit report.  Their overt support for the audit can make audit’s job much easier, for example engaging and gaining the proactive involvement of suitable auditees.

A key question to explore – Does the board and executive understand just how resilient the organization is?

The BCP and DR program in place should ensure the maintenance of continuous, uninterrupted delivery of mission critical services, in the event of an emergency or unusual event by covering:

  • critical services, information assets, and dependencies documented in the business impact analysis; 
  • risk monitoring, trigger points for various types of disruptions, and escalation framework to deploy responses;
  • approved recovery strategies; 
  • measures to deal with the impacts and effects of disruptions; 
  • response and recovery teams including the membership and contact information; 
  • roles, responsibilities and tasks of the teams including internal and external stakeholders; 
  • resources and procedures for recovery; 
  • co-ordination mechanisms and procedures; and, 
  • communications strategies and messaging for customer and other stakeholders.

The governance structure for BCP and DR program should establish the authorities and responsibilities for the development, approval and regular exercising of contingency plans, and involves:

  • providing strategic direction and communication; 
  • approving departmental contingency plans and governance; 
  • committing financial and other resources; 
  • reviewing and approving identified critical services and associated assets; 
  • resolving conflicting interests and priorities; 
  • approving contingency plans and activities; 
  • reporting on the results of periodical exercises and on the remediation of shortcomings identified by the testing; 
  • ensuring regular training, staff communication, and review, testing & audit; and, 
  • ensuring contingency planning activities are supported by Management and IT, and that the board and audit committee are informed.

Having defined the scope, the audit team needs to plan the audit within the constraints of available audit and business resources and timescales. Resourcing decisions are largely risk-based, taking account of factors such as the program management’s experience, the level of management involvement in the program efforts, the size and complexity of the program and the potential effects on the organization if the program fails.  

The availability of suitable auditors is, of course, a prerequisite.  Audit teams combining business and IT auditors are recommended wherever possible since BCP and DR spans both fields of expertise.  

Now is a good time for the auditors to identify and contact the primary auditees.  Securing their assistance with the audit fieldwork is easier if they have an opportunity to comment on the timing and nature of the work required (provided that audit’s independence and objectivity are not unduly compromised in the process!).

The audit approach also needs to be decided during the audit planning. Will it be feasible to review all BCP and DR plans, for instance, or is it necessary to sample the plans, and if so on what basis will the sample be selected?  Should the audit of BCP and DR efforts be separate and distinct audits? Does auditing of outsourced activities and related BCP and DR plans need to be completed? 

Most auditors generate an audit checklist at this stage, converting the agreed audit scope into a structured series of audit tests they plan to conduct.  Styles vary but the most useful checklists aim to guide rather than constrain the auditors since the extent of the audit testing required depends to some extent on what is found.  

Before the fieldwork commences, audit management should review the audit plans and checklists to ensure that all key issues identified in the scope are given sufficient consideration to satisfy management’s assurance needs.

Audit fieldwork phase

In this phase of the audit, the auditors examine the BCP and DR program based on the goals and methods decided upon in the earlier phases.   BCP helps the organization to survive a disaster by keeping critical business processes operating during the crisis whereas DR involves restoring the other less-critical processes following the crisis.  Audit testing during the fieldwork phase gathers sufficient evidence to assess whether the program is able to meet these two fundamental requirements.

Audit tests in reviewing a BCP and DR program may include the following:

  • Interviewing key stakeholders and participants in the program;
  • Reviewing business-case, planning and IT-related documents;
  • More or less detailed review of individual BCP and DR plans, checking that they are complete, accurate and up-to-date (e.g. testing a sample of the contact details for key players to confirm whether their phone numbers etc. are correct). Looking for defined recovery times and whether there is evidence that they can be met.
  • Examining training materials, procedures, guidelines, etc., plus any management communications regarding the BCP and DR situations that might occur and what employees should do;
  • Reviewing testing plans and the results of any exercises already conducted. <A plan may look great on paper, but if it has not actually been attempted in a DR/BCP exercise, key gaps could exist which have not been identified>.
  • Evaluating relevant employee preparedness and familiarity with procedures. 
  • Review impact of new regulation on plan. 
  • Review contractor and service provider “readiness” efforts. 

Details of the tests are normally recorded in the audit checklist and accompanied by a file containing the corresponding audit evidence such as annotated copies of BCP and DR plans, test results, etc. that the auditors have reviewed.

Audit analysis and reporting phase

Audit reporting is a straightforward process, at least in theory.  This is where the auditors analyze the results of their tests, formulate their recommendations, prepare and finally present a formal audit report to management.  

In the report, the auditors explain:

  • What they set out to do – in other words, introduce the risks and recap the audit scope;
  • The audit methods – how they went about meeting the objectives;
  • What they found – the key issues identified if not the full gory details (not all findings are reportable but sometimes it helps to provide the completed audit checklist as an appendix to the report and invite management to review the audit evidence if they need more information) and root cause analysis if significant issues arise; and
  • The recommendations – advice to management on how to address the issues identified.   

In practice, audit reporting varies markedly between organizations.  It requires a careful balance between the somewhat idealistic outlook of some auditors and the realities of managing the organization with limited resources and competing priorities.  There is usually a fairly involved, iterative process of drafting, reviewing and correcting the report, negotiating the details with management to reach the best possible outcome for the organization.  

At the end of the day, it is management and not audit that are responsible for deciding which if any recommended improvements to the BCP and DR program that they intend to make.  The audit process has the advantage of systematic collection, testing and evaluation of audit evidence by an independent yet interested function.  The facts of the matter carry a lot of weight with management.  

Conclusion

We need to encourage appropriate investment in resilience.  Auditors can bring considerable value to an organization by evaluating both IT and organizational aspects of the BCP and DR program. Because failure of the BCP and DR program to deliver when needed is one of the highest risks that an organization can face, internal auditors’ independent assessment of the program will provide value far in excess of the audit’s costs.  

Management should always be looking for ways to improve their BCP and DR program efforts, i.e. don’t just wait for an audit. Involve internal audit in your ongoing program efforts such as the design and execution of testing exercises. Regular management “self-assessments” should be strongly encouraged and comprehensive testing of the program is always recommended.  

Companies need to take both a boardroom and operational perspective for their BCP and DR program efforts:

1) Do we have the plans and programs in place to deal with a significant disruption to operations? – (Including assigning responsibilities and accountabilities for business continuity efforts and providing the program with the necessary resources to deliver when needed),

2) What absolutely must be in place to ensure the organization’s survival, and 

3) Is management regularly assessing, exercising, and improving the organization’s “preparedness” capabilities in the event of a disaster?  

Bio:

Dan Swanson has more than 35 years of experience in Internal Audit, Information Security, Information Systems, Management Consulting, and Project Management. Dan has an extensive background in the financial services, healthcare and transportation sectors, as w ell as significant experience in auditing at all levels of government (federal, provincial, and municipal). He can be reached at dswanson_2008@yahoo.ca

Resources to assist your efforts & journey are presented below.

RECOMMENDED WEB SITES

1. The Risk and Resilience Hub – https://www.riskandresiliencehub.com/

2. The Disaster Recovery Journal – https://drj.com/

3. The ChicagoFIRST initiative – https://www.chicagofirst.org/

4. Continuity Central.Com – https://www.continuitycentral.com/index.php

5. The Business Continuity Institute (BCI) – http://www.thebci.org/

6. Rothstein Associates Inc. – One of the industry’s principal source for hundreds of books, videos & research reports – http://www.rothstein.com/

7. Continuity Planning – Planning for the Unexpected & Building Resiliency.

https://www.protiviti.com/US-en/continuity-planning

RECOMMENDED READINGS

1. Continuity eGUIDE  https://www.riskandresiliencehub.com/eguide_landing/

2. Infectious Disease Emergency Response (IDER) Plan
https://www.sfcdcp.org/health-alerts-emergencies/infectious-disease-emergency-response-ider-plan/

3. The Disaster Recovery Journal – https://drj.com/

4. What leaders need during a crisis is not a predefined response plan, but behaviors and mindsets to navigate the situation effectively and look ahead.

Leadership in a crisis: Responding to the coronavirus outbreak and future challenges

5. Road to Retail Recovery Playbook
https://www.retailcouncil.org/coronavirus-info-for-retailers/recovery-playbook/?fbclid=IwAR3DCFGiKXnCbmnYhTqPKl8zir2WerSUxOuUuc2az5gH8Ki3G6dPW5QH15c

6. Global Technology Audit Guide – Business Continuity Management www.theiia.org 

7. Being Ready for a Crisis
https://www.strategy-business.com/article/Being-Ready-for-a-Crisis

8. Generally Accepted Practices for BCP Practitioners
https://docplayer.net/9712124-Generally-accepted-practices-business-continuity-practitioners-drafted-by-disaster-recovery-journal-and-dri-international.html

9. How Leaders Build Resilience in Good Times & Bad Times
https://leadershipfreak.blog/2018/12/05/how-leaders-can-build-resilience-in-good-times-bad-times/

10. Protiviti’s Guide to Business Continuity & Resilience
https://www.protiviti.com/sites/default/files/united_states/about_us/bcm-guide-2020-final.pdf

11. Getting Business Resilience Right
https://www.bain.com/insights/getting-business-resilience-right/?utm_source=linkedin_company&utm_medium=social_organic&utm_content=4387834643&linkId=108673570

12. The Power of Resilience: How the Best Companies Manage the Unexpected
https://www.amazon.com/Power-Resilience-Companies-Manage-Unexpected/dp/0262029790/ref=tmm_hrd_swatch_0?_encoding=UTF8&amp;qid=1610504069&amp;sr=8-2&_encoding=UTF8&tag=wwwnoticeborc-20&linkCode=ur2&linkId=3c0649d247b81b466e15a72d1a2ac301&camp=1789&creative=9325

13. ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements

https://www.iso.org/standard/75106.html

 

Leave a Reply

Your email address will not be published. Required fields are marked *