A business continuity planning (BCP) audit helps organizations define policies and provides remedial recommendations to tackle disasters. The BCP audit brings transparency to organizational management of internal systems and processes. It enables organizations to handle the risks on account of known and unexpected disasters. It will assess your organization’s capabilities to recover and resume activities in case of an incident. In simple terms, a business continuity audit ensures that appropriate and up-to-date technology, processes and efficient people are in place to battle any exigencies.
In India, both SEBI and RBI have mandated BCP and DR. As a result, all major Indian financial institutions are already compliant. Unfortunately, BCP and DR audits aren’t mandatory yet, although regulators could make them compulsory in future. Keeping this in mind, here are a few best practices that you need to consider before and after a business continuity audit.
BCP audit best practices
- Appoint a SPOC for business continuity
Appoint one administrator as the single point of contact (SPOC) for your business continuity processes. This administrator should carry out assessments and ensure that all the necessary steps are in place, closing every gap that leaves the organization exposed.
Appointing a SPOC is of supreme importance. Going beyond that, ensuring that the SPOC is fully dedicated to the project is equally important. If necessary, conduct workshops and awareness programs to bring home the criticality of their role and the importance of their dedication to such administrators.
- Set up standard operating procedures
For effective business continuity audits, make sure that all processes are verified, documented and updated whenever necessary. BCP has to be taken up formally and proactively if the organization is to succeed in tackling unforeseen disasters. These operating procedures need to be followed by employees on a day-to-day basis. You should also conduct audits periodically to ensure compliance. Audits conducted yearly or half-yearly could help the organization achieve full compliance.
Take the example of a computer chip manufacturing company. The most critical asset for the company is the production of the product. The company should lay down measures covering the production, packaging and transportation of the product. Simple things such as raw material availability, power outages, and so on should be taken into consideration. This is where creating a detailed phased plan for the audit comes into the picture.
- Use a phased approach when conducting the audit
Instead of going in for a business continuity audit of the entire organization at once, it is better to use a phased approach. Conduct a business impact analysis and draw up the top systems that require 24x7 availability. Begin the business continuity audits with these important systems and then move on to the less critical ones. For instance, in the stock exchange sector, agility is of key importance. The prime setup needs to have disaster recovery in milliseconds. As part of the DR audit for such a setup, one should document the steps involved for immediate resumption of activities and define the RTO and RPO objectives.
- Raise awareness in the organization
It is imperative that top management is convinced of the need for a business continuity audit. It is also important to keep them and the employees updated before and throughout the business continuity audit process. Employees do not harbor much fondness for auditors, as auditors are constantly looking out for inadequacies. Only if employees understand the need for BCP and are aware of the consequences of disasters will they acknowledge the responsibilities of an auditor and the auditing process.
Take for example an outsourcing organization, where the people are the biggest critical asset. It is imperative that the organization convinces employees of the importance of BCP measures they can follow at an individual level. The employees should be given an induction session on BCP, followed by a refresher course every six months to keep them constantly updated on the subject.
- Develop the scope of the business continuity audit and follow standards
It is important to define the scope of the business continuity audit and have an audit program in place. There are myriad DR and BCP standards, both national and international, that could then be pursued. Due to the RBI, SEBI and CERC mandates for business continuity, most standards are tailored to banks, NBFCs, stock exchanges, commodity exchanges and power exchanges. But you could select the standard certification of your choice as per your organization’s requirements and regulatory compliance.
It’s a good idea to first follow the BS 25777 standard for service continuity, as it states the principles or code of practice for the BS 25999 standard set in 2006. You could also follow the ISO 27001 standard for business continuity. Plan, do, check and act are the four key elements of any certification program, providing an overview that supports the quality management system. Some organizations that have implemented BS 25999 will transition to ISO 22301 in due course.
- Select the right auditors
Organizations often tend to choose auditors who have audited a peer company in the same industry. This isn’t a good idea, since such auditors are likely to adopt a stereotypical approach. On the other hand, auditors with a wider range of expertise are unlikely to have such biases.
For a business continuity audit, you need to find subject matter experts to conduct internal as well as external audits. The internal auditors should be trained, certified professionals who understand the business elements of BCP. External auditors need to understand the BCP processes well in order to provide value to the organization. Remember, an auditor’s job is to assess the systems, identify and eliminate gaps and institute necessary precautions for the future.
About the author: Ashish Dandekar has served as chief information officer at Power Exchange India. He is a certified business continuity professional and a lead auditor (ISO 25999). Dandekar is also an information security management system implementer (ISO 27001) and holds a Quality Management certification (ISO 9001).
(As told to Mitchelle R Jansen)
This was first published in October 2012