
by Joe Knight-McKenna
Natural disasters, the threat of terrorist attacks, and pandemic influenza have made a robust business continuity system an essential part of any organization. If you are including business continuity as part of your audits, which standards are you auditing to? If you don’t know which standards to use, there’s good news: The Department of Homeland Security (DHS) has some suggestions for you.
As part of Title IX of Public Law 110–53, Implementing Recommendations of the 9/11 Commission Act of 2007, Congress mandated the voluntary private sector preparedness accreditation and certification program (PS Prep), which is managed by the DHS. The purpose of the PS Prep program is to enhance businesses’ resilience in hazardous environments by encouraging private-sector preparedness. ANSI-ASQ National Accreditation Board (ANAB) will oversee the certification process, which includes managing accreditation, accrediting third parties to perform certifications, and collaborating to develop procedures and requirements for certifications and accreditations.
The DHS recently proposed the use of three standards as part of PS Prep: the National Fire Protection Association (NFPA) 1600:2007 standard on disaster/emergency management and business continuity program; ASIS International’s SPC 1–2009; and BSI’s BS-25999-2:2007, Business continuity management: Part 2, specification. SPC 1-2009 includes a section for guidance on using the standard and BSI provides guidance and recommendations via BS-25999-1:2006, Business continuity management: Part 1, code of practice.
These standards reflect the evolution of business continuity planning from its roots in information technology (IT) disaster recovery to business continuity management, which is a holistic management process that identifies potential effects that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.” The essence of business continuity management is found in all three standards, but I will address BS-25999 in this article. This standard presents a business continuity life cycle with six areas that illustrate what a business continuity management system should contain and how it can be audited.
BS-25999 represents the business continuity life cycle as a circle with business continuity management program management at its center. Understanding the organization; determining business continuity management strategy; developing and implementing a business continuity management response; and exercising, maintaining, and reviewing form a second concentric circle, and embedding business continuity management in the organization’s culture form a third outer ring. This circular organization of a business continuity management system emphasizes that business continuity management must be continual and evolving to be successful in protecting an organization’s finances and reputation.
Business continuity management: Program management
An organization can either include business continuity as part of its quality management system (QMS) or make it a separate management system. Just as a quality policy is an essential part of a QMS, a business continuity management policy is key for a business continuity program. It provides the framework around which the business continuity management capability is designed and built.
When reviewing a business continuity management program, an auditor should look for evidence of:
- The level of importance the organization’s executives places on business continuity management
- The scope of the program and assigned responsibilities
- Participation of various managerial, operational, administrative, and technical disciplines throughout the business continuity management life cycle
- That the business continuity management team is ready to respond and lead during an incident response
Understanding the organization
To develop an appropriate business continuity management program, a company must first understand the urgency with which activities and processes need to be resumed if they’re disrupted. The tools for understanding this are a business impact analysis (BIA) and a risk assessment.
The BIA is the foundation on which the business continuity management response is developed, and the auditor must look for evidence that the business objectives of the organization are addressed and prioritized in one or more BIA. Flowcharts and fishbone diagrams are often used as part of a BIA to identify how business objectives are achieved for the products and/or services of the organization, who is involved in the delivery of these products and/or services (internally and externally), and the time imperatives on their delivery.
An auditor reviewing a BIA should look for evidence that it includes:
- A review of each key product produce and/or service
- Evidence that each key product or service has been examined to determine when its loss, interruption, or disruption becomes intolerable. This is the process’ maximum tolerable period of disruption (MTPD).
Risk assessment assesses the probability and effects of a variety of specific threats that could cause business interruption. Like the BIA, risk assessment should focus on key business functions. Risk analysis often starts with brainstorming to identify potential threats to a business. Natural and man-made disasters are often the threats that concern businesses because of their obvious effect on buildings and utilities, but the H1N1 pandemic has highlighted the need to include the loss of staff as a potential threat.
An auditor’s review of a risk assessment process should look for evidence that it ensures that:
- Potential threats assessed are appropriate for the organization (hurricanes for Miami, blizzards for Buffalo)
- The probability of the threats are assessed so they can be prioritized and efforts can be devoted to the most-likely events
- Loss of staff is assessed not only for the number of staff members unable to work, but their relative importance to the organization. Other than the loss of key executives, the assessment should identify staff with essential knowledge and skills vital to the organization.
Determining business continuity strategies
After an organization understands its risks and the effect they have on key processes, it needs to decide on the best strategies for eliminating or minimizing them. In auditing business continuity management strategies, an auditor has to evaluate whether the strategies will maintain the organization’s business activities and processes through an interruption. Strategies may include the selection of alternative operating methods to be used after an interruption to maintain or resume the organization’s business activities, the organization’s dependencies (internal and external), vulnerabilities, and single points of failure in critical processes. The auditor needs to determine if these strategies address the findings in the BIA and risk assessment.
An auditor reviewing an organization’s business continuity management strategies should look for evidence that it includes:
- Key decisions are being made at a corporate level
- There is a recovery time objective for each activity that’s based on the MTPD.
- There are alternative facilities and data storage sites identified
- The people, equipment, suppliers, and information identified in a BIA are addressed at the process level of the business continuity management, including their interdependencies on services, business process, data, and technologies
- Appropriate tactics have been chosen to address the needs of the work force, stakeholders, partners, and contractors
- The likelihood of specific threats has been reduced through appropriate mitigation measures
- Resource requirements of various business activities are consolidated to ensure they can meet scale and the time frame requirements
- The strategy includes communication and cooperation with local emergency responders
Developing and implementing a business continuity management response
The goal in developing an appropriate business continuity management response is for the various plans to include the actions and the resources that are necessary to enable the organization to manage any interruption, whatever its cause. Business continuity management responses include incident management plans (IMP) and business continuity plans (BCP). IMP focus on responding to an event; BCP focus on how to continuity an activity. An event might trigger a response utilizing one IMP and multiple BCP.
An auditor reviewing an organization’s planned business continuity management responses should look for the following evidence:
- IMPs that include specific responsibility of IMP team leaders and members, along with time frames. Effective and timely management of a major incident is important in protecting an organization from financial and reputation damage.
- External stakeholder requirements are addressed in the IMP. This could include clients and vendors, along with governmental and regulatory agencies.
- BCP should deploy appropriate strategies for the direct resumption of business units according to agreed-upon
- BCP should reflect the culture of the organization and the technical complexity of the solutions.
- BCP provide responses to an incident at a department and/or business activity level of the organization.
- Responses address the short-term and long-term welfare of staff
- Evidence of recovery plans for the organization and individual business departments. Some organizations might have separate teams to focus on recovery activities, such as to deal with insurance carriers and suppliers.
- IMP and BCP should include or reference IT logistical and disaster recovery plans.
- Processes for escalation when the event falls outside the scope of BCP and IMP that the organization has created
Exercise, maintenance, and review
The capability and reliability of an organization’s business continuity management is demonstrated through the testing, control, and auditing of its business continuity management system. A business continuity management exercise program should be structured with simple exercises that gradually escalate to include staged company or department-wide events. A business continuity management system should include the control of business continuity management documents and maintenance of records of tests and actual events along with staff training. A business continuity management program should also be reviewed periodically by management. Incident management teams should be included as part of the internal audit program.
An auditor reviewing the exercise, maintenance, and review part of a business continuity management system should look for evidence that it includes:
- Business continuity management exercises that span from desktop paper reviews by the incident management team to mock events at the divisional or functional area level
- Exercises that don’t endanger staff or business activities
- IMP and BCP should be controlled documents and easily available to the appropriate staff.
- Necessary information, such as supplier lists, insurance companies, contact lists, and staff communication plans should be maintained and available to executive staff and incident management teams off-site.
- If the audit of the business continuity management is part of an external audit, the auditee’s internal audit program should include review of the business continuity management system.
Embedding business continuity management in the organization’s culture
Developing a business continuity management culture is vital to maintaining enthusiasm, readiness, and effective response at all levels of an organization. Evidence that business continuity management is embedded in the organization includes:
- Programs for business continuity management awareness and training for all staff
- The possibility of telecommuting for appropriate staff and a disease prevention program
- Processes for reviewing the business continuity management program as part of the organization’s culture to make sure it’s maintained at an acceptable level
For more information on implementing and auditing business continuity management systems, you can visit the Web sites of the Disaster Recovery Journal, Disaster Recovery Institute International (DRII), and the Business Continuity Institute. The DRII recently added a business continuity auditor training course and certification program to its list of business continuity courses and certifications. The International Register of Certified Auditors (IRCA) also includes business continuity as one of its certification programs.
About the author
Joe Knight-McKenna is currently the senior director of quality and regulatory compliance at Drug Safety Alliance. Joe is an ASQ CMQ/OE, CQE, and CQA. He is also certified by the Business Continuity Institute.
Tags: business continuity management.