Ensuring that an organization can recover from disaster is a basic business requirement the board should explore regularly with management. Nowadays, leading organizations are taking this requirement and turning it into a strategic advantage. Namely, investments in operational resiliency are assisting organizations to become more responsive to client needs as well as improving operational reliability, quality and efficiency. It’s an effort you should consider.
As organizations face increasingly complex business and operational environments, functions such as information security and business continuity keep evolving; indeed, they need to keep evolving. Today, successful information security and business continuity programs (BCPs) both address the technical issues involved and strive to support the organization’s efforts to improve and sustain an adequate level of operational resiliency. Operational resiliency efforts tackle operational risk by identifying potential operational problems and improving the processes and systems used, which is how operational problems are reduced over the longer term.
INTERNAL AUDITING'S CONTRIBUTION
Internal audits of information security, BCP and disaster recovery (DR) programs are highly recommended. The board and management need assurance regarding the effectiveness of those preparedness efforts, and they also need assurance that the company is building a more efficient and effective ongoing operation.
The following priorities are generally worth considering when scoping an audit of business continuity efforts:
Overall program governance: How is operational resiliency being encouraged? Has the program given appropriate strategic direction and investment? (i.e., Does the organization place enough emphasis on operational improvement?) Are suitable sponsors and stakeholders involved, representing all critical parts of the organization? Do they take enough interest in the program, demonstrating their support through involvement and action? Most importantly, who is accountable for program success or failure?
Ongoing program management: A critical success factor in every BCP and DR effort is the way in which the programs are planned and driven, ensuring that they meet objectives despite the company’s inevitable competing priorities. Does program management balance consideration of the many conflicting priorities managers face with the critical need that corporate resiliency efforts be appropriate? This is not a once-a-year exercise anymore. Being prepared is an ongoing, day-in and day-out effort, and more frequent testing is becoming the “norm.”
Management of system or process changes: The evaluation of operational resiliency inevitably results in system and process improvement. Is change management handled effectively to provide the best assurance that the improvements deliver their intended benefits and that operational reliability is actually being achieved?
An independent assessment of the BCP and DR programs by internal audit can provide objective feedback that helps ensure that the programs are adequate to prevent a business failure. Think about it: have your DR and BCP efforts kept pace with today’s new challenges and expanding requirements? You should have an answer to that question because your board is increasingly likely to ask. Depending on the organization and its business environment, an annual formal assessment could be a good practice.
Exactly how internal audit departments should interact with BCP and DR programs varies widely among companies. With the right approach, auditing can deliver real value to the board and executive management by objectively assessing whether the program provides effective coverage to protect the organization from harm when a significant disaster occurs.
An audit of the BCP and DR program can take many forms. At its simplest, auditors can conduct a quick “BCP/DR health check,” reviewing the plans and interviewing key stakeholders. At its most complex, the audit team can analyze almost every aspect of the program, evaluate the risk-based planning, observe BCP/DR tests, assess the completeness of the business impact analysis (BIA) and so forth.
The type and the extent of auditing performed depends on the risks involved, management’s assurance requirements and the availability of appropriate audit resources. External specialist resources may be useful on different occasions. The auditors might participate as formal observers in mock drills or review the program’s documentation and assess its comprehensiveness and completeness. Your audit options are numerous.
Internal auditors normally will review what has been planned and achieved against management’s expectations and in comparison to generally accepted best practices in the field. This is where audit objectivity comes to the fore: the auditors have a legitimate purpose to assess whether management’s expectations are reasonable and sufficient, given the level of risk to the organization and in relation to other similar organizations.
The following advice covers the main phases of any audit: scoping, planning, fieldwork, analysis and reporting. BCP and DR programs, however, come in many shapes and sizes so clearly the specific details of any given audit will vary according to the situation.
AUDIT SCOPING PHASE
As with any audit, defining the goals and objectives for a review of the BCP and DR programs is the auditor’s first task. Providing an objective and comprehensive assessment of the organization’s BCP and DR programs to management and the board is likely the overriding audit goal that should be worked towards. Scoping is best conducted based on a rational assessment of the associated risks. The following aspects are generally worth considering when scoping a BCP and DR audit:
Overall program governance: How are the programs managed? Are they given appropriate strategic direction and investment? (i.e., Does the organization place enough emphasis on BCP and DR?) Are suitable sponsors and stakeholders involved, representing all critical parts of the organization? Do they take enough interest in the programs, demonstrating their support through involvement and action? And most importantly, who is accountable for the success or failure? Periodically revisiting overall program governance can be very productive since things change over time, particularly as businesses are acquired or aspects of the company are discontinued.
Ongoing program management: A critical success factor in every BCP and DR effort is the way the programs are planned and driven to ensure that they meet objectives despite the organization’s inevitable competing priorities. Does program management balance consideration of the many conflicting priorities managers face with the critical need that corporate resiliency efforts be appropriate? This is not a once-a-year exercise anymore; being prepared is an ongoing, day-in and day-out effort. Is the level of testing completed annually appropriate to the program’s complexity and importance? (Finding out how well you’ll do during an actual disaster is a very poor strategy.)
Definition and accuracy of the BCP and DR objectives: Have the programs’ requirements been clearly and fully defined by management? Has a comprehensive business-impact analysis been completed? Is it regularly updated?
Coverage of the BCP and DR plans: Have all the critical business processes been identified and suitable plans been prepared? Do the plans take enough account of the need to maintain or recover the supporting infrastructure (IT servers and networks, for example)? Are the plans reasonably “tidy” or are they cluttered with nonessential processes, systems and activities? Are significant outsourced activities adequately covered? Do they need validation as well? Are plans current with respect to the hardware and software the organization has in place?
Management of any system or process changes: Inevitably, changes will be required to implement BCP and DR arrangements. Is change management managed effectively to provide the best assurance that changes are tracked and addressed within the live and DR environments? In addition, the frequency of change to an organization’s technologies continues to increase; therefore, changes to the BCP and DR programs are ongoing.
Robustness of the BCP and DR testing processes: Program managers need to demonstrate the organization’s preparedness, build management confidence, and most importantly, strengthen the organization’s BCP and DR capabilities. Is “people participation” identified, approved and tracked to provide the best assurance that the drills and tests are attended and that those results meet your BCP and DR objectives? Remember, it’s not a matter of “if.” Today it’s more a matter of when and perhaps how large a scope is involved.
Plan maintenance: How is the change management process that keeps the plans up to date governed, even as the organization changes? Are roles and responsibilities allocated within the organization for developing, testing and maintaining BCP and DR plans? Organizations must design DR and BCP capabilities into their new solutions and technologies. They cannot be added on just before production implementation.
BCP and DR procedures: Consider the procedures and associated training, guidelines and so forth to make managers and staff familiar with the process to follow in a disaster.
In addition to defining what aspects fall within the audit’s scope, it is equally important that management and the board clarify any aspects that are out of the scope—particularly any important considerations that, for one reason or another, are not going to be covered at this time (e.g., perhaps because they will be audited separately).
In closing, many ask what audit tests could be performed. An audit of a BCP and DR program could include all the following (and likely more):
- Interview key stakeholders and participants in the program.
- Review business case, planning and IT-related documents.
- Perform more- or less-detailed reviews of individual BCP and DR plans, checking that they are complete, accurate and up to date — for example, testing a sample of the contact details for key players to confirm whether their phone numbers are correct; looking for defined recovery times and whether there is evidence that they can be met; examining training materials, procedures, guidelines, etc. plus any management communications regarding BCP and DR situations that might occur and what employees should do; reviewing testing plans and the results of any tests already conducted; evaluating relevant employee preparedness and familiarity with procedures; reviewing the impact of new regulations on plans; and reviewing contractor and service provider “readiness” efforts.
A LONG-TERM INVESTMENT
Companies that want to implement a culture of continuous improvement should focus on improving the operational resiliency of key systems and processes. Internal audit should help reinforce this goal by periodically, and perhaps even annually, evaluating both the entire enterprise’s and the individual business units’ efforts to address operational risk by enhancing operational processes and systems.
Building a highly resilient organization takes a long-term view and a persistent investment of management’s time and resources, and leading organizations are now making that investment.