July 2006

Is Your Organization's Business Continuity Plan Effective?

Identifying key problem areas during audits of business continuity plans can enhance an organization's disaster recovery efforts and ensure the quick return of business activities and services.

Syed Salman, CISA
Senior Information Systems Auditor
Ford Rhodes Sidat Hyder & Co. Chartered Accountants

As dependence on IT systems continues to grow, businesses are becoming particularly concerned about the availability of their IT systems year-round. Regulatory pressures also are directing business attention to this area. Business continuity management requirements found in initiatives such as the U.S. Health Insurance Portability and Accountability Act of 1996, BASEL II Accord, and National Association of Securities Dealers (NASD) 3510 Rule are forcing companies to mitigate operational risks effectively and provide evidence that controls are working properly. Not surprisingly, the business continuity plan (BCP) has become an important document in most organizations and a main area of concern for internal auditors. Because of their role, auditors are in the perfect position to help companies improve the effectiveness of business continuity management plans by identifying current and possible problem areas and providing recommendations aimed at preparing organizations before a disaster strikes.

IDENTIFYING BUSINESS CONTINUITY PROBLEMS

When reviewing an organization's business continuity management efforts, internal auditors may find that even though the BCP is critically important to the organization, the plan is in poor shape or has been rendered useless by the passage of time. Sometimes auditors may find that employee attitude toward the BCP is casual. This may be true in organizations with a large number of business units or sites where employees are unconcerned about resuming operations quickly or are under the impression that the organization can sustain a financial loss. In addition, auditors may discover that although the BCP is implemented and tested in some parts of the organization, not all business units have tested the plan or developed similar processes, especially isolated or remote business locations.

Other problem areas identified during audits of business continuity management procedures include:

  1. Outdated information. Organizations may forget to update the BCP after internal changes occur or include lessons learned after performing tests to determine the plan's effectiveness. For example, even though a staff member may have moved to a different department or may have left the organization, the information is not modified or deleted from the plan. Companies also may forget to include new employees in the document.
  2. Lack of staff awareness. Often, employees are unaware a plan exists or may be unsure about how to interpret the BCP's contents. This may result in employees not knowing what is expected of them in the event of a disaster.
  3. Obsolete technology. Organizations may not consider more effective and efficient IT solutions that can help them resume business operations faster. Companies also may forget to incorporate new technology solutions commonly found throughout the business in the disaster recovery site. For instance, the company could forget to modify the recovery site after new vendor contracts and software updates are implemented.

Auditors may find that these problems occur simultaneously throughout the organization or in isolated business areas, and lead to a slow, costly, and disorganized recovery process.

IMPROVING BUSINESS CONTINUITY EFFORTS

In companies that do not have an established BCP, implementing effective business continuity management initiatives is best accomplished through a combination of management support and elimination of problem areas. Internal auditors can help organizations accomplish both objectives by recommending that organizations conduct a comprehensive assessment of their business continuity processes and vulnerable areas. An internal auditor or an external consultant can conduct the review.

Once the assessment is conducted and issues are identified, organizations should:

  • Develop a BCP.
  • Test the plan's effectiveness and review the results of any BCP drills.
  • Interview employees to assess their awareness regarding the different issues outlined in the plan.
  • Assess whether the procedures mentioned in the BCP are relevant and workable.
  • Update the plan accordingly.

In organizations with an established BCP, auditors can review the plan's effectiveness and draft a report that outlines how plan discrepancies should be resolved. In addition to enhancing the plan, this will draw management's attention to the issues or inefficiencies identified during the review process. Auditors also can work with senior managers to identify the root causes of any business continuity problems and provide recommendations that can help the organization eliminate any short- and long-term issues.

Main Factors Leading to Ineffective BCPs

A key factor leading to poor business continuity planning is the inappropriate delegation of planning activities and the lack of senior-level management involvement during the plan's development, implementation, and maintenance phases — as exemplified by the 2005 Business Continuity Survey conducted by CPM Group and Deloitte and Touche LLP (see "Executive Management and Business Continuity" below). For instance, some executives may think that BCPs only encompass procedures pertaining to recovery of IT systems or automated routine processes. Because these activities typically are performed by low-level IT staff, executives erroneously believe there is no need for them to be involved in the planning process, and thus delegate planning responsibilities to IT managers or other mid-level managers.

Executive Management and Business Continuity

According to the 2005 Business Continuity Survey by CPM Group and Deloitte and Touche LLP, only 18.7 percent of executive managers are actively involved in setting business continuity program priorities. In addition, only 38 percent of executives understand the effect of regulatory issues on business continuity management efforts or know whether the organization is fully compliant with audit requirements. Regulatory mandates can increase management’s focus on business continuity governance and enhance risk management controls. To review the complete 2005 Business Continuity Survey, visit Deloitte's Web site.

Unfortunately, this lack of involvement gives rise to the organization's overall casual attitude toward the BCP, resulting in the presence of gaps during the document's planning phases, a lack of applicability, and slow decay with the passage of time. Therefore, auditors should recommend that executive managers play an active role in the entire BCP process. For instance, executive managers should:

  • Dedicate ongoing resources so the BCP is kept current and remains as relevant as possible. This will enable companies to revise the document as needed and ensure that the BCP is comprehensive.
  • Ensure drills are conducted regularly at all units, review drill results, and monitor whether lessons learned are incorporated into the BCP.
  • Meet regularly with IT directors to make sure business continuity efforts incorporate technology solutions that can help the organization resume operations as quickly, seamlessly, and effectively as possible.

Once the tone at the top is more supportive, the organization's awareness of the plan's content will improve significantly. These efforts increase the likelihood that the BCP document truly achieves its overall objective: to form a complete, executable plan that minimizes the time it takes to recover in the event of a disaster while using the least amount of corporate resources necessary.

THE ROLE OF AUDITORS

In addition to identifying problem areas, it is important for auditors to know how they can help during the business continuity process. Key areas auditors should keep in mind include evaluating the company's business continuity readiness, reviewing recovery activities, and considering action items during the BCP audit.

To evaluate the company's business continuity readiness, internal auditors should assess the organization's internal and external environment. In addition, auditors can help evaluate the formulation of the entire BCP and review the proposed document for its design, completeness, and overall adequacy. Auditors should then present a summary of their assessment and recommendations to senior managers.

During the recovery period, auditors should monitor the effectiveness of recovery and control operations, and recommend improvements to the BCP. Auditors also can assist by identifying lessons learned from disaster and recovery events. Finally, auditors should review the plan's adequacy in ensuring the timely resumption of business operations after a disaster and determine whether the plan reflects the current business operating environment.

Questions auditors should ask while reviewing the organization's BCP include:

  1. Is the plan up-to-date? Do procedures exist for updating the plan?
  2. Are all critical business functions and systems covered in the plan? If not, are the reasons for omissions documented?
  3. Is the plan based on the risks and potential consequences of business interruptions?
  4. Is the plan fully documented and in accordance with organizational policies and procedures?
  5. Have functional responsibilities been assigned?
  6. Is the organization capable of implementing and prepared to implement the plan?
  7. Is the plan tested and revised based on drill results?
  8. Is the plan stored properly and safely? Is the location of, and access to, the plan known to management?
  9. Is the location of alternate facilities (e.g., backup sites) known to employees?
  10. Does the plan call for coordination with local emergency services?

A POSITIVE OUTLOOK

Many organizations are starting to pay more attention to business continuity management, perhaps in part due to the Sept. 11, 2001 attacks that crippled New York City and the 2004 train bombings in Madrid, Spain. Business continuity management has received additional spotlight after recent natural disasters, including the 2005 tsunami that killed approximately 150,000 people in Asia and the 2005 destruction caused in the United States by Hurricane Katrina in New Orleans.

This increased attention was evident in the CPM Group and Deloitte survey. According to the study, executive management involvement is slowly increasing in organizations: Management support increased by 2 percent last year — from 17 percent in 2004 to 19 percent in 2005, and the number of formal steering BCP committees increased as well — from 19 percent in 2004 to 22 percent in 2005. Companies also are allocating more funding to business continuity efforts: Budget allocations in excess of US $1 million increased by 11 percent in 2005. This involvement and interest by top management levels is projected to continue increasing in the years to come, says the study.

As part of their role, auditors can provide recommendations that can enhance business continuity efforts, thus becoming an integral part of the process. Identifying problem areas, such as lack of executive-level involvement, and recommending effective courses of action are some of the many ways in which auditors can help organizations get back on their feet quickly when disasters strike and ensure the continuing and smooth operation of vital business functions.

Syed M. Salman, CISA, is a senior information systems auditor for Ford Rhodes Sidat Hyder & Co. Chartered Accountants, an Ernst & Young International member firm in Pakistan. Previously, he worked for Deloitte in Karachi, Pakistan. Salman has conducted reviews of general computer controls in companies where computer processing environments play a dominant role in business operations and has been a part of business continuity planning efforts at major financial institutions.
