Surviving the worst: 3 steps to ensuring your Business Continuity Plan works
Forward-thinking businesses plan for the unthinkable, from hurricanes and internet disruptions to an old-fashioned water main burst that renders a building uninhabitable.
Those forward-thinking businesses rely on Business Continuity Plans (BCP) to guide timely resumption of work, but those plans are effective only if they are relevant, comprehensive, and current.
Enter the BCP audit, which brings expert eyes to disaster-recovery plans. Skilled auditors scrutinize plans for strengths and weaknesses, making recommendations meant to close gaps and assure procedures that truly position the business for smooth operations.
As with any audit, the BCP audit is only as useful as the preparation and active participation a business puts into it. Consider the BCP audit from the auditor’s perspective and expectations, and the time devoted to writing and revisions will translate to a plan that minimizes disruptions when disaster strikes.
The following three steps will ensure you get the most out of your BCP audit:
1. Before the audit: Prepare
Make efficient use of the auditor’s time by following these tips:
- Know your business: This might sound self-evident, but how accurately can you and your staff describe your organization? Taking hints from your website, annual reports, and strategic plan offers answers that give the auditor a thorough understanding of your business.
- Conduct planning meetings: Gather the appropriate staff, including relevant C-level executives and internal audit staff. Discuss the audit scope, objective, and logistics.
- Gather documents: Auditors want to see the BCP plan and such supporting documents as BCP team organization, recent business process and IT changes, BCP change management logs, and testing materials.
- Conduct the entrance conference: Kick off the audit by grounding all participants in a shared understanding of the audit scope and objectives, communications protocols, and auditor’s expectations. Company participants can include the sponsoring C-level executive, BCP coordinator and team members, stakeholders, and internal audit staff.
2. During the audit: Track the details
Your auditor will scrutinize the plan for critical elements, presented here with sample questions:
- Governance/planning framework: Is there a full-time, qualified BCP coordinator? What is the level of organizational commitment?
- Risk assessment and Business Impact Analysis (BIA): Were the studies done and how comprehensive were they?
- BCP development: Do the BCP’s scope and objectives align with risk assessment and BIA results? Are all critical records stored offsite and available to BCP team members if needed?
- BCP implementation and procedure: Do BCP procedures account for emergency response, site assessment, crisis management, crisis communications, and resource procurement and logistics?
- Alternate sites: Does the alternate site meet the organization’s strategy requirements for systems, servers, and networks? Is it likely to be affected by the same disaster?
- BCP plan readiness and testing: Have employee awareness and training been conducted? Have team members coordinated with external entities, such as first responders, labor unions, suppliers, clients, building management, and insurance providers?
The audit closes with an exit conference, where the auditor reviews and discusses key findings and then follows up with a written report.
3. Throughout the audit: Efficiency matters
Some tips for keeping the review on track and productive:
- Organize documentation.
- Cross-reference updates.
- Designate a single point of contact.
- Create a shared directory, such as in Dropbox or Google Docs.
- Answer questions honestly. Remember that the point of the audit is to uncover any gaps, assuring that the plan covers as many foreseeable contingencies as possible.
- Don’t ignore auditor emails. As auditors like to say, they don’t forget their requests; they simply request again.
Finally, remember that the auditor is there to help. An audit leverages the work already done to create the plan, elevating it to maximum effectiveness.
A well-conducted BCP audit assures that adversity won’t bring business to a halt. Employees will keep performing their critical functions, services will continue flowing to customers and stakeholders, and operations will resume promptly.