






Conducting a Business Continuity Plan Audit

By Ted Brown


In a recent survey, 37 percent of chief financial officers perceived their firms to be most vulnerable in the area of disaster preparedness and recovery.

The survey reflects the anxiety of many executives concerning the state of their company’s business continuity plans. Why the concern? Because experts estimate that 50 percent of companies without business continuity plans go out of business within two years following a disaster.

Just as companies conduct regular audits of their financial controls, they should also examine their business continuity plans, ensuring that critical business functions can be conducted in the event of a disaster, or other major disturbance.

While, unlike finance, there are no “generally accepted principles” with which to analyze business continuity, the following questions should assist corporate directors in assessing their company’s business continuity posture.

What are the business continuity objectives?

Like any business plan, a business continuity plan is designed to address specific business objectives. These objectives should be outlined in the plan, and reflect the consensus of senior management relative to present recovery priorities. Each of the objectives should be:

  • Specific, such as “restore accounts receivable,” and

  • Measurable, such as “within one business day.”

If the business continuity objectives are not enumerated in the plan, the plan cannot be properly evaluated.

Is the business continuity plan capable of satisfying the stated objectives?

The business continuity plan, for example, may call for the restoration of e-commerce operations within twelve hours. If the data center supporting these functions is destroyed by a tornado, or terrorist bomb, can essential e-commerce activities be restarted within the twelve-hour recovery window? If the answer is no, then the plan objective is too ambitious, or the recovery scheme inadequate. In either case, the plan won’t work.

Is the business continuity plan relevant to everyday employees?

More specifically:

  • Are company personnel aware of, and familiar with, the business continuity plan?

  • Did they have input into the development of the plan?

  • Do they understand their obligations in the event the plan is invoked?

  • Are they comfortable with their level of training and preparation?

  • Do they have any reservations regarding the plan’s viability?

When was the last business impact analysis conducted?

Normally, a business continuity plan is predicated on the results of a business impact analysis (BIA).

The purpose of a BIA is to identify:

  • A company’s critical business functions, such as e-commerce

  • The threats to these functions, such as computer hacking

  • Any related risks, such as a denial of service (DoS) attack, and

  • The financial impact of a disaster, such as lost revenue, or lost customer confidence

Armed with this information, business continuity professionals can formulate strategies designed to minimize the impact of a major disruption, and to expedite recovery.

Like a business continuity plan, the typical BIA suffers from a short shelf life, and must be periodically renewed, especially in highly volatile business environments. Generally

Boardroom Briefing: Business Continuity and Disaster Recovery
