Evaluating your business continuity plan to effectively manage risks
Going beyond traditional checklists and walkthroughs
Threats to your organization and key processes can appear at any time, from natural disasters to man-made incidents such as hacking and acts of terror. To avoid extended disruptions, your organization must have a comprehensive business continuity plan (BCP) in place to protect your data, systems and ultimately, your operations. Unfortunately, while many organizations have a documented BCP, those plans are often out of date or insufficient to protect against today’s evolving threats.
In order to be effective, a BCP must be tested and evaluated on a regular basis. However, many organizations only audit their BCP with a check-the-box approach, demonstrating that certain controls exist, but not necessarily knowing how they will perform in a disaster. Similarly, many BCPs are tested using very simple exercises that only scrape the surface of what an actual disaster would entail. Organizations must look at BCPs with a more critical eye to determine whether necessary features are in place and allow them to uncover material strengths and weaknesses in the plan.
Program initiation and management
You require a solid, well-defined BCP policy that is tailored to your organization and sets the tone for your business continuity planning efforts. That foundation must be regularly reconfirmed, clearly illustrating management’s commitment to the initiative.
In addition to confirming that your BCP policy is current, clear and effective, your audit process should also confirm that your BCP repository–whether a specialized BCP software package or another storage structure–provides an efficient and effective tool for organizing and storing your BCP documentation. By assuring that your BCP repository enables effective compilation, storage and maintenance of your BCP documentation, you will make your planning efforts efficient–and more successful.
When auditing your BCP policy, you should also assess your BCP program charter to confirm that it accurately details specific planning roles and enables accountability for assigned responsibilities. If the audit process determines that employees perceive BCP processes to be nonessential tasks that are not part of their jobs, failures and vulnerabilities can be expected to emerge. It is important to confirm that definitive roles are clearly outlined, and that management properly and proactively monitors performance against those assigned responsibilities.
Disaster risk assessment and business impact analysis
A disaster risk assessment (DRA) evaluates potential disaster causes, and how to mitigate threats and manage their specific consequences. You can’t realistically prevent every disaster, but validating your DRA processes helps you confirm that you have identified your highest risks and considered opportunities to better mitigate them. In addition, you should confirm that your DRA process has identified specific disruptive scenarios that are to be addressed within your BCP. For example, if the DRA has determined that multiple business locations share the same disaster concerns, the audit process should go on to confirm that you have simultaneous recovery plans in place, instead of individual efforts.
A business impact analysis (BIA) should evaluate each facet of your business to determine the consequences of disruptions to specific functions or systems. With recovery time objective (RTO) requirements varying widely, your audit process should confirm that your BIA results align with your industry, the nature of your organization and even individual business function requirements. For example, a consumer products company may need to resume delivering products within three days to retain customers, while a bank must adhere to a much tighter timeline for account holders to access their funds.
Your audit process should provide assurance that RTOs have been determined for each individual business function and system–and that the RTOs accurately reflect your recovery requirements. Organizations can have hundreds of different business functions, and some may need to be restored immediately while others can likely wait. Effectively validating the BIA helps to confirm that the organization has reliably determined what is necessary to focus on first and what is less essential following a disaster.
The groundwork established by the DRA and BIA should help you select appropriate recovery strategies to leverage within your BCP. Recognizing that the most comprehensive recovery strategies may not be affordable or realistic, your audit processes should confirm that your recovery strategies are effective and appropriate for your particular organization. Beyond the audit process, periodic BCP testing enables your organization to confirm that your recovery strategies meet your specific requirements and the evolving demands of your organization.
While your recovery strategies will likely never be perfect, validation will help you proactively identify, track, monitor and prioritize any gaps, allowing the organization to work to close them over time.
An effective audit of your BCP manual will help ensure that it is useable, organized, intuitive and properly formatted. Some BCP manuals are very large and include great information, but finding specific details is difficult because the materials are often added arbitrarily without a defined structure in mind. Your audit process should aim to confirm that users understand and can easily navigate the documentation, because it will only grow over time.
Your BCP audit process should confirm that your documentation is comprehensive, yet logical, intuitive and easily accessible. You should also confirm that the materials reflect up-to-date recovery strategies and processes for reference by designated individuals if and when a disaster occurs. In addition, your audit process should affirm that your BCP includes special pandemic response provisions, as many of the recovery plans and processes for traditional disaster scenarios simply don’t apply in a pandemic situation.
When testing a BCP, many organizations perform exercises with a goal of being successful. However, you learn more by stressing your BCP to see how it can fail if a disaster happens, providing more insight into both strengths and deficiencies. When auditing your BCP testing processes, you should look for common shortcomings such as not considering the unpredictable nature of disasters, only validating certain processes or strategies, and generally testing in a vacuum.
Auditing your BCP testing processes also helps confirm that your testing schedule is effective. Typical testing schedules only involve a rolling 24-month calendar, with specific timing, test types and participants. However, your assessment should confirm that your organization also identifies other information about each planned test, including the precise test scope and objectives, the specific disaster scenario to be simulated, the expected participants and their assigned roles, and definitive constraints or other variables.
In addition, you must regularly validate your testing methodology to ensure it avoids repetition, and confirm it considers realistic and unpredictable circumstances, continuously expanding test scope and complexity, and other key variables.
Potential BCP pitfalls
Failures in your BCP can result in significant issues. Such issues can be reduced by a combination of BCP audits and tests that effectively uncover weaknesses so that they can be properly resolved. For example, an effective BCP audit may reveal that your policy has become outdated and obsolete, despite being officially re-approved year after year. Furthermore, thorough BCP testing could allow you to discover that your technology backups are incomplete, despite logs and reports indicating that such processes are routinely successful.
Evaluating a BCP requires a level of subjectivity that cannot be obtained from checklists alone. Like disasters themselves, BCP assessments should come in all shapes and sizes. Untested BCPs are unreliable and vulnerable, and the same goes for untested individual components of your overall BCP. To effectively validate your BCP, you must assess it against realistic conditions and parameters, truly stressing your strategies and plans, and uncovering weaknesses requiring remediation.