Auditing

once-over. Independent auditors, whether from your own internal audit department or an outside consultancy firm, will objectively examine the current continuity arrangements for adequacy, effectiveness, completeness and sustainability. In doing so, they will be taking into consideration the size of the organisation, the nature of what it does, the risk profile and appetite, the organisation’s business strategy and objectives, the disciplines of recognised best practice, and – if appropriate – the requirements of regulators and local laws etc.

It’s worth pointing out that ‘internal’ audit doesn’t necessarily mean that your own organisation’s staff must be used. Indeed, unless an internal audit department is sizeable, it’s unlikely that it will have the specialist skills necessary to perform this kind of review. In these circumstances it is wise to fully or partially outsource the work.

In any case, at the end of the review the organisation will have a current state assessment of its business continuity management system, a view as to the level of assurance provided by the existing arrangements, a clear understanding of any risk exposure and a prioritised action list for remediation, together with cost-effective recommendations for improvements.

Incidentally, it is unlikely that any review of business continuity arrangements would be conducted by your external auditors as part of the financial year-end processing in sufficient depth to achieve these objectives. After all, the accountants are merely checking the numbers!

Pull quote: “You are in effect telling someone who will be able to tell you what you need to do to put things right, and they will also give you the tools to fix it – the audit report”

Continuity experience

External organisations providing audit services in continuity will generally employ consultants who have proven merit in this field. Most will also have relevant business experience, have been involved in the day-to-day management and testing of business continuity arrangements – potentially within a similar organisation to your own, although this is not usually vital – and will have a sound knowledge of standards such as BS25999 and BS25777. This experience may well have been enhanced by relevant professional qualifications. They will probably have been involved in live incidents, they will have run complex tests and exercises, and they will know the potential pitfalls arising – and in this area there are many such pitfalls, including: not enough testing; not enough training; complacency; out of date plans; calling trees containing names of former staff members; etc. In short, the consultants will have been there and done it.

Continuity auditors should be experienced in looking at all angles of risk when reviewing an organisation’s business or ICT continuity arrangements. This will ensure that, whatever the incident, your plans will be appropriate to manage the subsequent events; staff welfare can be maintained; data can be restored; IT services will be available; and security will be adequate during the disaster. They know what a disaster may mean to an organisation, they will know what needs to be in place and they will know how to achieve it.

In addition, an auditor worth their salt will not simply ask a list of predefined questions and record the answers. They will have the skills necessary to drill deeper into those answers as it is often the supplementary questions which deliver the goods!

If you are being audited, you should ensure that those involved are fully experienced and able to carry out all of these functions – if they are not, you should demand replacements. You wouldn’t expect an electrician to give an effective report on the state of your plumbing!

In larger organisations, particularly multinationals, it is often useful for the same auditors to cover all sites. This provides consistency of approach, and is realistically the only way that you (and your senior management) will get an overall coherent view of the situation. Those performing this kind of extensive review may well need to be familiar with the legal and regulatory environment in relevant jurisdictions.

A stamp of approval

If business continuity management is just one of the hats you have to wear, you will probably not have been employed as a BCM expert. Yet you may end up having responsibility for it within your organisation. You can read up on the subject and you can do your best to assess the relevant risks and impacts. You can pull together some plans and you can try and arrange a test to see if they work. However, if your sphere of applicable experience is relatively small, whilst you may have done a credible job it may not be complete. Alas, it may take an incident for you to find out that your best endeavours were not as good as you thought they were. So why do so many wait until an incident to find that out?

An independent expert review will provide you with what you need to gain assurance on the level of coverage you have, what gaps there are and what you need to do to fill those gaps. The audit report can in turn provide you with a lever to gain the time, resource and senior sponsorship required to effectively implement continuity management in line with legislation and best practice. Crucially, because senior management don’t generally like audit issues to remain outstanding for long, the audit report is also likely to be your route to an appropriate budget.

So next time that an auditor arrives to review your continuity arrangements, pull up a chair, put the kettle on and tell them the truth in the sound knowledge that they are in a position to help you with the skills you need to meet your objectives; and you will have their full attention! Rather than trying to avoid the experience, as is frequently the case, you should consider inviting your friendly auditor in sooner rather than later.

Tim Wright CBCI
Tim Wright is a specialist business continuity auditor at Kingston Smith Consulting LLP.
twright@kscllp.co.uk
www.kscllp.co.uk

Photo: ©iStockphoto.com/lorrainedark

January/February 2010  Continuity  33