Another Business Continuity Management (BCM) Program audit. Again? Some organizations think of audits as tedious, and often unnecessary, accounting procedures, rather than as a powerful business tool that can be used to improve the organization’s capabilities. At its core, an audit is simply an assessment used to discover which areas the business will need to focus on in the future.
These types of assessments can be used to evaluate an entire organization (management consulting), or any specific system (IT audit), process or project.
Audits are a proactive way of exposing issues or shortcomings of the organization before they pose a real problem to its operations.
The results of the audit will typically show where the organization currently stands within these areas, and where there is a misalignment with its objectives, vision or other requirements.
BCM Program Audits
Audits are especially useful to evaluate the Business Continuity Management (BCM) Program, as its effectiveness will heavily depend on an understanding of the organization’s capabilities, risks and threats, and overall business requirements.
By nature, audits must examine data over periods of time, unlike other assessment types that may only look at a specific point in time. Business Continuity and IT Disaster Recovery planning efforts do not have defined start and end points, and as such must be maintained and updated over time to be truly effective.
BCM Program audits are typically executed to evaluate an organization’s resilience maturity, but they can also be focused on specific program areas, such as the Business Continuity Plan, training programs, or the IT Disaster Recovery Plan.
A comprehensive audit can sometimes be a lengthy undertaking, and the investment of time and money can be hard to justify. However, whenever doubts arise about the effectiveness of specific programs or projects, targeted audits are an excellent tool for addressing those doubts.
Smaller organizations may struggle with audits
Large organizations usually face pressure to perform audits from their board of directors, or from compliance laws and regulations. Some also have internal audit teams that ensure audits are conducted on a regular basis within all areas of the organization. Smaller organizations, on the other hand, typically don’t have the same internal or external requirements to perform audits.
As an example, many smaller organizations use Managed Service Providers (MSPs) to outsource their IT operations and IT Disaster Recovery requirements.
A third-party audit of the services and projects managed by the MSP can be an invaluable tool for assessing how well the MSP is fulfilling its role and meeting IT operations and organizational resilience requirements.
Audits are typically delivered in phases
A typical audit can be broken down into three general phases.
- The first phase involves the collection and initial assessment of information about the organization, function or service being audited. The goal of this phase is to ensure that all current and pertinent information is gathered and that it is complete. In the context of business continuity, IT strategic planning, and other similar long-term planning activities, this phase also includes gathering information about the organization’s strategic objectives, vision and overall structure. The scope of the information collected will vary based on the scope of the audit itself.
- The second phase of an audit must include an analysis of the information as well as a gap assessment against pre-determined criteria (e.g. regulation, best industry practices, the most recent Business Impact Analysis, etc.). In this phase, the focus shifts to assessing where the organization currently is, and where it needs or wants to be. The key in this phase is to look not only at the current state but also at the historical performance of the assessed programs or projects. It is also important to develop up-to-date business requirements that accurately reflect the current and future organizational requirements. These requirements should be captured with the involvement of all of the organization’s stakeholders that depend on the program or project in question. The requirements must then be compared to the desired objectives to determine whether any gaps exist.
- The final phase of an audit is the report phase. A comprehensive report should be developed that outlines all the findings as well as high-level implementation and budgetary recommendations. The report should be used by all stakeholders as a guide for making changes to address the identified gaps, and as a reference document to be kept in mind when making other types of decisions. Organizations that use MSPs can also leverage the final report when assessing the MSP’s performance or negotiating changes to their service agreements.
When to do an audit of your BCM Program
A final consideration is deciding when exactly an audit is appropriate. Some situations that may warrant an audit are:
- Changes in compliance or regulatory requirements
- Changes in the organization’s product or service offering
- Changes in external vendors, or a re-evaluation of supply chain risk
- Organizational changes such as restructuring, mergers, major transformation projects, etc.
StratoGrid Advisory is a Business Continuity Management (BCM) Advisory firm in the Ottawa/Gatineau region that can provide you with the experience and knowledge needed to execute a Business Impact Analysis successfully and to implement a BCM Program in your organization.