Understanding The Basics of BCP

Business continuity management involves more than just creating a plan - it requires communicating and coordinating with staff, suppliers, emergency services, and others. The goal is to minimize disruptions to business operations from incidents and have processes in place to regain management control if interruptions occur. A business continuity plan identifies how to restore critical business functions in a timely manner following a disruption. Internal audits provide independent assurance that risks are being managed and continuity plans conform with best practices and the organization's risk tolerance. Auditors can also serve as consultants to contribute to the continuity process while maintaining independence.

Uploaded by: Manmua Urbanus
Copyright: © Attribution Non-Commercial (BY-NC)

Understanding Business Continuity Management: A corporate level approach

Business continuity: Overview
What business continuity management is not about

• Business continuity management is not about creating a great plan that, once written, sits in a desk drawer and gathers dust.
• It is not about creating a great plan and not telling anyone about it.
• It is not about letting consultants build a great plan for you and then expecting all staff to welcome it with open arms and immediately adopt it.

What business continuity management is about

• It is about working with staff, unions, emergency services, suppliers and many others to build a plan that all can work with and all can see the sense in.
• It is about involving the emergency services who just may have to rescue your staff.
• It is about communicating with your staff who may, one morning, find their place of work is no longer accessible due to flooding.
• It is about reassuring your customers who have paid you to provide a service and you cannot because your factory has no power.
• It is about satisfying your neighbours and the public at large that while your business is burning down you are minimizing the impact upon them.
• It is about telling people what is going on in a full and positive manner.

This is not a small exercise and should not be considered a quick task.

Overview of business continuity


The British Standard code of practice for business continuity (BS 25999-1:2006) defines business continuity as the
‘strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in
order to continue business operations at an acceptable pre-defined level’.

Essentially, therefore, business continuity planning continually confronts the likelihood (or otherwise) of an incident. Such a business interruption may be minor or major, but the important thing is that processes are in place to enable management control to be regained when it does occur.

Depending on the length or severity of the interruption, significant consequences or the very sustainability of the
organization may hinge on management’s ability to re-establish critical business functions. Usually these business
functions have been established and developed over a period of years, but management must rebuild and get them up
and running within hours or days of the business interruption.

This is a difficult situation and rebuilding the complex business environment in a timely manner requires a well
thought-out plan in place ready to be executed.

Business continuity planning is therefore the main answer to an unexpected business interruption. It is a proactive
management-led incident management programme driven by business requirements.

No organization can have complete control over the business environment in which it operates. A number of issues will be outside its control, from the weather, through the utility services, to the attitudes of staff and customers. Then there are the standard external threats that all organizations face, such as fire, flood, power outages and even terrorism, which need to be accepted as part of the price of doing business.

Consequently, every organization needs to have in place a plan to recover key business processes following an
incident. The recovery plan, however, has to consider not just likely events (known business risk), but also those that
may be considered unlikely or perhaps even impossible (scenario planning).
A business continuity process needs to match the organization. This sounds obvious, but a large organization needs
a large plan while a small organization needs a small one. This aspect clearly has an impact on the cost and time
involved in building a plan and in the recovery processes put in place.

The business continuity plan identifies the recovery alternatives that cost-effectively restore critical business
functions within an acceptable time frame. In doing this it needs to take into account the time that the business
process can remain functioning in a limited way. This duration is known as the maximum tolerable period of
disruption. At the end of that period the business function will no longer be recoverable.

Management authorizes and approves the recovery solutions. As a result, the recovery plan is developed around the
recovery solution authorized by management.

Thus, the business continuity plan objectives are to:

• ensure continuity and survival of the business;
• provide protection of corporate assets;
• provide management control of risks and exposures;
• provide preventative measures where appropriate;
• take proactive management control of any business interruption.

[Figure: pictorial overview of the business continuity process]


Role of audit
According to the British Standard specification for business continuity management, BS 25999-2:2007, audit is ‘a systematic examination to determine whether activities and related results conform to planned arrangements and whether these arrangements are implemented effectively and are suitable for achieving the organization’s policy and objectives’.

An audit can fall into the three categories below.

Internal audit
Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an
organization’s operations. It provides assurance that the risks the organization is exposed to are being effectively
managed.

External audit
External audit is a statutory function charged with ensuring the accuracy and veracity of the annual report and
accounts. To achieve this, the external auditors will undertake their own assurance work, which can include an
assessment of business continuity plans. They will also place reliance to a greater or lesser degree on the work
conducted by the internal audit function, if there is one.

Certification audit
Organizations wishing to obtain certification to business continuity standards will need to undergo audits by an
external assessor (or certification body) approved by the government. This ensures that the certification body meets
national and international standards for the services they are offering.
The compliance audits by the certification body take place at specific stages of the project and then regularly after
the certification is awarded. In performing these compliance audits the certification body can rely on the work
undertaken by other auditors, including internal and external auditors.

Others
In addition to these three main bodies there is the opportunity for a team to undertake self-assessment audits and/or
to employ external consultants for all or part of the project. Depending upon the contract, the external consultants
may then be responsible for all detailed review and audit work or they in turn may work with others, such as internal
audit and other business functions.

Focus on internal audit


Internal audit will undertake more detailed work on the business continuity plans than certification or external
auditors. For example, an internal auditor will check the detail of a testing plan whereas the certification auditor will
check to see that a testing plan is in place. For these reasons the primary focus of this book is on the role of the
internal audit function. However, certification auditors, external auditors and consultants will also find this material
very useful.
This does not prevent others from undertaking the same or similar work. However, operating at this level provides a
wider scope for ensuring that the business continuity process is appropriate, robust and fit for purpose.
Providing assurance

There are three primary roles for internal audit within business continuity:

• to provide independent and objective assurance to management on the business continuity management framework;
• to contribute as consultants to the business continuity process if required;
• to take part in the organizational approach to contingency planning and consider the risks to its own activities.

[Running header: Auditing Business Continuity Management Plans]

The primary purpose of providing assurance to management is a simple concept that is identified in the audit charter and underpinned by a wide variety of activities designed to ensure that when audit provides assurance to management it knows:

• what aspects are encompassed in the business it is reporting on;
• that the process conforms (as far as possible) to best practice in the sector or marketplace;
• that risks taken are commensurate with the risk appetite of the business; and
• that mitigating strategies, offsetting activities and/or residual risks are known and recorded.
Auditors as consultants
Because internal audit is part of the business and is aware of the day-to-day constraints and issues, as well as the
risks and risk appetite of the business, it is well placed to be part of any business continuity programme.
The role of internal audit, however, is advisory and as such it cannot make operational decisions, as this would
conflict with its independence. For example if an auditor made the decision that a business would use a specific
supplier for stationery purchases, then the audit department would have lost its independence on the matter and
could not subsequently review that decision.
It is recognized within the audit profession that while there is an absolute requirement for independence, there may
also be a wealth of skills within the audit department that management could use to its advantage in undertaking
fairly specific operational tasks. In view of this it is possible for a specific auditor to be engaged by management as
a ‘consultant’ to undertake one or more specific tasks. The difference here is that the consultancy is covered by a
contract drawn up by management, and that the auditor is acting in his or her own capacity. Any operational
decisions they make are under that contract and this does not prevent another auditor from subsequently reviewing those decisions and having the independence to make a judgement on them.
Business continuity for the audit function
The business continuity plan for internal audit, as for most other support functions, should be based upon developing
a controlled resumption of the service as space and equipment becomes available and as the business returns to full
operation.
In the short term, during a recovery, it may be appropriate to release internal audit staff to the business to assist in
operational activities or to carry out special reviews to ensure that any revised procedures introduced during the
emergency still provide an adequate degree of operational control.
Risk
Within business continuity there is frequent mention of ‘risk’. It is therefore worth considering this aspect a little
further here. A fuller overview of risk and some of the tools for assessing it are discussed in Appendix 2.
Although risk appears in business continuity terms as a threat to an organization or system, it can also be a positive.
Identifying a risk (or weakness) may provide the organization with the opportunity to change the system, or process,
involved and turn the risk to an advantage (an opportunity). So undertaking the investigations and analyses required
to determine a business continuity system may lead to changes in organizational behaviour to the advantage of the
organization, its staff and systems.
A risk assessment is required to identify key sources of risk within an organization, reduce them where possible and
ultimately provide the basis for the development of containment and/or recovery measures. In order to achieve this,
it is important to understand the likelihood of a particular threat occurring, identify its causes and evaluate the
potential effects on the business.
Of course, these factors can change markedly between risks, organizations and sectors. For example a
communications failure could cause serious losses in a matter of minutes within a financial institution but may not
impact a manufacturing process for some hours. Conversely a delivery delay could wreak havoc in a ‘just in time’ manufacturing environment while only mildly affecting a financial institution.
All organizations therefore need to be aware of the risks that they face in everyday trading. These will include:

• business risks – e.g. a competing business;
• data risks – e.g. loss or compromise of data;
• environmental risks – e.g. weather-related activities like floods;
• regulatory risks – e.g. new legislation that affects business trading;
• personnel risks – e.g. low morale among staff leading to poor customer service;
• reputational risk – e.g. product recalls that lead to loss of confidence in a brand.

There are many types of risks and it must be emphasized that the above list is just a small selection of high-level ones.
Risk is therefore the awareness that something threatens the organization. The next stage is to consider how this risk
could materialize. The above list provides an example in each selected category but there are many others. One that
should never be overlooked is the risk that your surrounding businesses and neighbours bring.
Consider the following real examples.

• The head office of a financial institution was located very close to an army reserve base. Any bomb threat or other incident at the army facility closed the road leading to the financial institution.
• In another location a bomb had actually exploded. The area cordoned off by the emergency services encompassed several blocks. Due to the dangerous structures that needed to be demolished, local businesses, even though unaffected by the original incident, were unable to recover materials from their sites or to serve customers. Several went out of business as the cordon was maintained for six months.
• The data centre for an Italian company was located on the first floor above the kitchen of a pizza parlour. The main computer was in fact directly above the cooking ranges. The only exit stairs from the data centre also went through the kitchen.
• Company X purchased a site to develop as a dark site, a location where their mainframe computer systems would be. The systems were largely unattended and operated from a control bridge at head office many miles distant. There were therefore several risks to this site and the company made the decision not to advertise who owned the site. Unfortunately no one mentioned this to the seller’s agents, who put up a ‘sold to company X’ board.
• A subsequent incident at this same site showed that the electronic systems had been designed by the systems’ contractors to fail ‘safe’. To fail safe meant no one got trapped inside. Unfortunately for company X this also meant that all the security systems switched off and the doors and gates were unlocked.
Apart from commiserating with company X, these examples highlight the range of risks that can occur and
particularly that what may be a good recovery model in one way, can lead to problems in another direction. It is for
this reason (and others) that real testing of continuity plans has to be undertaken. Desk checking is just not thorough
enough.
Another point to emphasize is that the smaller the business, the more likely an incident is to prove fatal to the
business. This is due to the lack of alternative options open to a smaller business. For example they cannot quickly
change their business model. They are also less likely to have the cash flow to support extended operation without
money coming in. Unfortunately, they are also less likely to have invested in a robust recovery plan due to the cost
of that process.
Each organization needs to consider what exactly it is that makes a risk materialize and when the impact of that risk
becomes an issue. These aspects will vary between organizations and it is said that one man’s risk is another man’s
opportunity.
Certification view
This aspect links to the compliance requirements of BS 25999-2:2007, 5.1, Internal audit.
Certification key risks
A number of key purposes have been established in BS 25999-2:2007. They act as checkpoints to ensure that an
organization’s business continuity management system is fit for purpose and has met the needs of the specification.
In essence they are the key risks that audit must ensure are addressed before an organization can achieve certification to BS 25999-2:2007.
They are integrated into the text of the chapters and each one could form the subject of a standalone audit, the results
of which would contribute to the external certification process. Indeed, the more detailed work undertaken in-house,
the more likely that the organization will be able to achieve certification quickly and easily.
These certification risks are considered further in Appendix 3.
