Having a business continuity plan (BCP) which keeps pace with expanding requirements and new challenges is a necessary cost of doing business. As such, regular BCP audits are highly recommended to ensure that business continuity (BC) and disaster recovery (DR) plans, resources and infrastructure are fit for purpose. An audit will assess whether current BC will prevent a disaster from bringing a company to its knees and determine whether investments are obtaining good value. In the current climate, how to audit a business continuity plan is a hot topic of conversation.
BCP audits range from a relatively straightforward health check to intense and thorough analysis of every aspect of a plan, which will likely include test observations and assessments of technology lifecycles and environments. The type and extent of BCP audit undertaken depends on the risks posed to any one company (identified through a business impact analysis (BIA)) and the assurance requirements of the board, accreditors, governing bodies, legal institutions and of course, customer service level agreements.
Many organisations draft in a third-party specialist to audit their BCP, with internal auditing being the alternative. The benefit of this is that an unbiased and neutral external perspective is more likely to truthfully compare what is planned and achieved against business expectations, investment, and best practices. A fresh pair of eyes may even see expectations as being unreasonable to begin with! Now, let’s examine how to audit a business continuity plan in more detail.
Before you get started…
If you are undertaking an internal audit or working with a hybrid team of colleagues and external consultants, we recommend that all parties and personnel agree on the following approach to successfully audit a BCP:
- The BCP should be based on comprehensively researched definitions of what matters to the business and what the business depends on to retain operational continuity
- Achieving resilience should be the core objective, with this being the best way to protect against unknown scenarios and remain competition during and post-disaster
- Discarding tick-box mentality is crucial. Everybody must focus on whether provisions are fit for purpose, rather than whether they exist. I.e. asking “does this work” over “have we got this covered”. Just because a plan exists or a test happened, it hardly guarantees effectiveness or accuracy
Before getting to work analysing the BCP and its associated resources and technologies, you will want to take some preparation steps. We advise meeting with key stakeholders to understand “what good looks like” for them, which will later act as a pivot for any recommendations. We would also interview key BCP task owners, critical operational staff and any other active plan participants. Next, obtain documents that include:
- Organisational and business process analysis charts
- The complete BCP and a briefer overall recovery plan structure
- Plan Coordinator and key task owner lists
- The Business Impact Analysis
- The Risk Assessment
- Recovery Plan Documentation
- IT-related documents, including license dates
- A list of all third parties and a review of their services and SLAs if available
- The results of recent BC and DR tests
Without the right feedback and documents to hand, you will struggle to complete a BCP audit that tells a true story and as a result, any changes that are implemented will likely fall short and leave the organisation in a prolonged state of vulnerability. Now is also the time to define goals and objectives for a review of the BCP and DR program. Most auditors will generate an audit checklist to ensure that no key issue is missed and that every facet of the BCP receives appropriate and proportionate consideration.
- Field work
Learning about how to audit a business continuity plan wouldn’t be complete without researching typical BC field work tasks. With objectives cemented and prep data gathered, your BCP audit team can begin the field work. BCP audit field work has three key objectives:
- To validate the BCP in relation to the BIA, mission-critical systems, operational requirements and contemporary challenges
- To scrutinise and verify physical facilities, equipment and technology, and operating environments to ensure continuity, availability and recovery during and post-disaster
- To examine the performance of regular activities that ensure a business is always in a state of disaster preparedness and can therefore assure continuity and recovery
As mentioned earlier, the type of extent of audit fieldwork undertaken is largely dictated by the threats posed to an organisation, and its “disaster obligations”. In general, though, an audit will have the following steps and focuses:
- Business process analysis: Including whether a business impact criterion is defined and when the last time a high-level business process analysis was performed
- Business impact analysis: Including when and how a BIA was last performed, how BCP strategies align with results and whether Recovery Times Objectives and Recovery Point Objectives are identified
- Life safety risk assessment and mitigation: Including whether a review of natural disaster and building emergencies was conducted and relevant mitigation strategies implemented
- Operational and technology risk assessment and mitigation: Including identifying single points of failure and business critical systems, and whether multiple countermeasures and mitigation strategies are selected and in place
- Third party risk assessment and mitigation: Including asking whether business critical third parties have been risk assessed and linked to processes and technology identified in the BIA
- BCP and DR procedures and technology: Including whether procedures are in place, clear and accessible, plans are achievable with the technology in place and aligned with the latest threats, data protection and accessibility measures are watertight and staff know how to access continuity systems
- Testing processes: Including reviewing testing plans, the results of any tests already conducted and success criterion
- Plan maintenance and training: Including assessing training materials and guidelines, determining whether a maintenance and training programme is developed and in active use, evaluating relevant employee preparedness and familiarity with procedures
- Change management: Including whether change control procedures exist, there are procedures to incorporating change and the impact of new regulations on the BCP are accounted for
- Business continuity analysis and reporting
After your audit field work is completed, you will need to set out a clear report comprising a comprehensive analysis of your findings and realistic, effective recommendations. Typically, you and your BCP auditing team will analyse documentation, test results and operational and technology (among many things) and formulate recommendations about how BC infrastructure can be better architected to achieve optimal business resilience during times of trouble. You should explain:
- An overview of the BCP, including DR provision, to refresh focus and buy-in
- Audit objectives, including business risks and a recap of what was analysed and why
- Audit methods, to explain how you went about meeting the BCP audit objectives in a manner which would deliver actionable insights
- Findings, which will be more detailed depending on the type and extend of the BCP audit (N.B – health check versus a no-stone-unturned approach)
- Recommendations, covering overarching advice to senior management and key stakeholders plus detailed operational process and IT/technology guidance for task BCP owners. Above all these recommendations will be ambitious enough to achieve optimal resilience and put an organisation in a strong, competitive and confident position but be practical and realistic.
Would you know where to start with how to audit a business continuity plan?. This accessible guide explains how to get started.Do you have 100% confidence in your business’ preparedness for disaster? Are you concerned that your resiliency measures are insufficient or becoming outdated? Don’t wait to find out until it’s too late – start planning your BC audit today.