Conducting a Business Continuity Plan Audit
By Ted Brown
In a recent survey, 37 percent of chief financial officers perceived their firms to be most vulnerable in the area of disaster preparedness and recovery.
The survey reflects the anxiety of many executives concerning the state of their company’s business continuity plans. Why the concern? Because experts estimate that 50 percent of companies without business continuity plans go out of business within two years following a disaster.
Just as companies conduct regular audits of their financial controls, they should also examine their business continuity plans, ensuring that critical business functions can be conducted in the event of a disaster, or other major disturbance.
While, unlike finance, there are no “generally accepted principles” with which to analyze business continuity, the following questions should assist corporate directors in assessing their company’s business continuity posture.
What are the business continuity objectives?
Like any business plan, a business continuity plan is designed to address specific business objectives. These objectives should be outlined in the plan, and reflect the consensus of senior management relative to present recovery priorities. Each of the objectives should be:
Specific, such as “restore accounts receivable,” and
Measurable, such as “within one business day.”
If the business continuity objectives are not enumerated in the plan, the plan cannot be properly evaluated.
Is the business continuity plan capable of satisfying the stated objectives?
The business continuity plan, for example, may call for the restoration of e-commerce operations within twelve hours. If the data center supporting these functions is destroyed by a tornado, or terrorist bomb, can essential e-commerce activities be restarted within the twelve-hour recovery window? If the answer is no, then the plan objective is too ambitious, or the recovery scheme inadequate. In either case, the plan won’t work.
Is the business continuity plan relevant to everyday employees?
Are company personnel aware of—and familiar with—the business continuity plan?
Did they have input into the development of the plan?
Do they understand their obligations in the event the plan is invoked?
Are they comfortable with their level of training and preparation?
Do they have any reservations regarding the plan’s viability?
When was the last business impact analysis conducted?
Normally, a business continuity plan is predicated on the results of a business impact analysis (BIA).
The purpose of a BIA is to identify:
A company’s critical business functions, such as e-commerce
The threats to these functions, such as computer hacking
Any related risks, such as a denial of service (DoS) attack, and
The financial impact of a disaster, such as lost revenue, or lost customer confidence
Armed with this information, business continuity professionals can formulate strategies designed to minimize the impact of a major disruption, and to expedite recovery.
Like a business continuity plan, the typical BIA suffers from a short shelf life, and must be periodically renewed, especially in highly volatile business environments. Generally
Boardroom Briefing: Business Continuity and Disaster Recovery