Business Continuity Management (BCM) is defined according to ISO 22301(2) as: “A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities”.
A business continuity lifecycle consists of the stages that an organization has to follow in order to raise its level of preparedness for survival. The following diagram illustrates the elements of the BCM lifecycle in accordance with ISO 22313(1):
1. Understanding the Organization
This stage is about understanding the internal and external environment where an organization operates. It is about recognizing the surrounding conditions and perceiving the capabilities and core competencies of the organization. At this milestone, critical organizational activities are identified and threats to these critical activities are determined through conducting business impact analysis (BIA) and risk assessment (RA).
1.1 Business Impact Analysis (BIA)
According to the 80/20 rule, 80% of organizational outputs and revenues come from 20% of its activities. In business impact analysis, these critical activities and their priority to the organization are clearly identified, in addition to determining their dependencies and the minimum resources required to recover them. In the BIA, the impacts of disruptions are assessed along with the maximum tolerable period of disruption (MTPD) for each activity. In disastrous situations, the time available to think and react is limited, and organizations have to understand this fact.
1.2 Risk Assessment
The organization should undertake a formal risk assessment that methodically identifies, analyzes and evaluates the risk of disrupting the organization’s prioritized activities and their required resources based on the results of BIA.
2. Selecting Business Continuity Options
At this stage, an organization has to determine the business continuity alternatives based on the output of BIA and RA with the aim to reduce the overall impact of disruptions. Alternatives should primarily focus on preventing disruptions of prioritized activities, then on dealing with any disruptions that may take place. All options should be considered and the most cost-effective alternative which meets the recovery time objective should be selected. Continuity options may include:
• Activity relocation
• Resource relocation or reallocation
• Alternate processes and spare capacity
• Resource and skills replacement
• Temporary workaround
• Asset restoration
3. Developing and Implementing a Business Continuity Response
At this stage, an organization should implement the predetermined continuity strategies through plans and procedures. Key requirements for an adequate and effective response include: determining clear procedures for the escalation and the management of disasters, communicating with the concerned stakeholders and developing business continuity plans.
However, other specialized plans can also be developed to address special circumstances or procedures. These specialized plans may include an emergency response plan, an incident response plan, a pandemic plan and an IT disaster recovery plan. Each of the aforementioned plans serves specific purposes and conditions, and the need to develop such plans should be determined according to the underlying risks, the organization itself, its risk tolerance and the environment in which it operates. These plans have to be consistent and coherent with each other, because any inconsistency or contradiction between them may negatively affect the whole program and the continuity of the organization. Furthermore, roles and responsibilities have to be clearly stated within the developed plans and procedures.
4. Exercise and Testing
Exercising in business continuity is an essential step in the whole program, since through this stage continuity plans are tested and verified. The resources and teams responsible for implementing these plans are exercised as well. It is important for an organization to ensure that the existing plans meet the business requirements and its continuity objectives under severe conditions. Regular exercising and adequate testing procedures prepare the organization to face the unexpected and improve its readiness level through reliable, suitable and adequate plans.
5. Embedding Competence and Awareness
BCM should become part of the organization’s core values in order to ensure that the competence required for responding to incidents is maintained. As previously defined, BCM is a holistic process and does not consist of discrete phases and deliverables. It is a culture that has to be embedded within regular operations and routine work. Awareness among the employees and the related stakeholders has to be raised, and orientation sessions may be needed in order to emphasize the importance of achieving business continuity management objectives. The greater the awareness among an organization’s employees, the greater its chances of succeeding under severe conditions.
6. Business Continuity Program Management
Business Continuity Program Management sits at the heart of the BCM lifecycle and is fundamental for the successful implementation because it defines, controls, and manages the implementation approach in order to ensure achieving the desired objectives. Business continuity program management includes elements like: leadership and support, program planning, operational planning and control, performance evaluation, and continuous improvement.
A key aspect of the program management is maintaining the related BCM deliverables up-to-date in order to reflect the current situation because without the regular update the deliverables will not achieve the intended targets during disruptions. Updating BCM plans should be integrated with the related business processes and not be treated as a discrete BCM activity.
The Role of Internal Audit
Internal audit’s role in supporting business continuity should be commensurate with the level of maturity of the BCM program. If no such program exists, internal audit should highlight the risk and possibly undertake a consulting role to help develop the BCM framework in a collaborative manner. If a BCM program is in place, internal audit should provide assurance that it is achieving its objectives. Effective assessments of the BCM program should cover its full lifecycle and concentrate on the underlying processes rather than reviewing the outcome documentation. An important reference for conducting BCM assessments is the Global Technology Audit Guide 10(3) issued by the Institute of Internal Auditors, which provides the guidance necessary for the effective execution of BCM assessments and includes a BCM capability maturity model.
Business continuity management is a critical area for organizations today, and specifically for certain sectors such as banking, insurance, and telecommunications. The ISO 22313(1) standard provides guidance to organizations for initiating, implementing, and continuously improving business continuity management and describes a comprehensive BCM lifecycle. Internal audit should support its organization’s BCM program through consulting or assurance engagements, depending on the organization’s maturity level in the area.
1. ISO 22313:2012 Societal security – Business continuity management systems – Guidance
2. ISO 22301:2012 Societal security – Business continuity management systems – Requirements
3. Global Technology Audit Guide 10 – Business Continuity Management – the Institute of Internal Auditors – July 2008
HUSSAM T. KHATTAB, MBA, CISA, PMP, CGEIT is an information technology audit manager at a regional bank based in Jordan.