BCM Audit - Are We Doing It Right?


Post on 02-Jan-2017






  • 1

  • 2

    Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

    International Professional Practices Framework, Institute of Internal Auditors

    Definition of Internal Auditing

    As part of its governance responsibility, the Board or a committee of the Board is expected to ensure that the institution has a workable BCP in place for all critical business functions and that the plan is consistent with the institution's overall business objectives.

    B.1.1. Board & Management Oversight Article 19

    BNM Guidelines on BCM (2011)

    BCM Audit

  • 3

    Evolution of BCM practices, guidelines and standards

    Reference Documents for Internal Auditors on BCM

    1995 NFPA 1600

    1997 DRII

    Professional Practices

    2003 PAS 56

    2002 BCI

    Good Practice


    2008 ISO/IEC 24762 BS 25777

    2006 BS 25999-1 2010 ASIS/BSI

    Business Continuity Management Standard

    PD 25111 PD 25666

    2012 ISO 22301

    2007 BS 25999-2

    ISO/PAS 22399 MS 1970

    2011 PAS 200 ISO/IEC 27031 BNM BCM Guidelines

  • 4

    DRI International Professional Practices (PP)

    Program Initiation & Management

    Risk Evaluation & Control

    Business Impact Analysis

    Develop BC Strategies

    Emergency Preparedness &


    Develop & Implement BC Plans

    Crisis Communications & External Agencies

    Awareness & Training

    Test & Exercise

    Audit & Maintenance

    The Plan

  • 5

  • Establish (Plan) (Clause 4,5,6 & 7)

    Implement & Operate (DO) (Clause 8)

    Monitor & Review (Check)

    (Clause 9)

    Maintain & Improve (Act)

    (Clause 10)


    ISO 22301/DRII Professional Practices Cross Walk

    DRI's PP: 1. Program Initiation & Management 2. Risk Evaluation 3. BIA 4. BC Strategies

    DRI's PP: 6. Implement BC Plan 5. Emergency Preparedness & Response 9. Crisis Communication 10. Coordination with External Agencies

    DRI's PP: 7. Awareness & Training

    DRI's PP: 8. BC Plan Exercise &



  • 7

    Audit Programme Requirements for BCM

    ISO 22301:2012 [9.2 (b)]

    The audit programme, including any schedule, shall be based on the results of risk assessments of the organization's activities, and the results of previous audits.

    The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes.

    BNM's Guidelines on BCM [D. Internal Audit Principle]

    The institution's internal audit should conduct regular independent evaluation of the adequacy and relevance of BCM policy, strategies, procedures and testing of the BCP and DRP.

  • 8

    Emerging Risks More Frequent and Devastating

    Natural Disasters

    Flood, Earthquake, Hurricane, Tsunami

    Political Disaster

    Protest in the Gulf region, Thai red shirts

    Technological Disaster

    Computer Viruses, Cyber Attack, Cable Damage

    Manmade Disaster

    Oil spill, Dam release, Pollution


    H1N1, SARS

  • OR Audit using Existing Model (Given) Outcome Based Audit

    (i) Risk Assessment

    (ii) Test/Exercise


    What is required of Internal Auditors when auditing BCM?

    Form an opinion on the state of BCM readiness

    Identify gaps and actions to close these gaps within a specified time frame

  • 10

    i) Risk Assessment

    New Emerging Risk

    Change to Existing Risk

    Dynamic Process

    Risk Arising from dependencies

    ISO 22301 8.2.3 Risk Assessment

    The organization shall

    a) identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them,

    b) systematically analyse risk,

    c) evaluate which disruption related risks require treatment, and

    d) identify treatments commensurate with business continuity objectives and in accordance with the organization's risk appetite.

    BNM B.2.1. Risk Assessment & BIA

    In undertaking the risk assessment, scenario analysis and planning should be conducted based on the potential loss, inaccessibility or unavailability of the following resources:

    a) key personnel, including decision makers and recovery personnel,

    b) office premises (including branch, locally or abroad) and facilities within the same or nearby geographical location or region,

    c) critical business information and records,

    d) IT systems and infrastructure, including network devices and peripherals as well as other support facilities, and

    e) services of key supplies, service providers or vendors, including outsourcing vendors.


  • 11


    Regulatory Obligations

    Reporting Requirements

    Addressing Risk

    Risk Appetite

    Systematic Risk Analysis

    Risk Evaluation

    Risk Identification

    Emerging Risk

    Changes to Existing Risk

    Blind Spots (Risk arising from


  • 12

    ii) Exercise & Testing Objective [ISO 22301 8.5 (a-g)]

    The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives.

    The organization shall conduct exercises and tests that

    a) are consistent with the scope and objectives of the BCMS,

    b) are based on appropriate scenarios that are well planned with clearly defined aims and

    c) taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties,

    d) minimize the risk of disruption of operations,

    e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements,

    f) are reviewed within the context of promoting continual improvement, and

    g) are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.

    ISO 22301:2012 8.5 (a-g)

  • 13




    What Scenario

    Any Actual Incident Record Used

    Previous Audit Comments

    Lessons Learned

    Test Results


    Post-Exercise Reports

    - Recommended Corrective Actions - Monitoring

    - Desired - Short - Failed

    Audit Rating

  • 14

    Exercise/Test Plan

    a) Appropriateness of test methodology used - walk through/simulation/live test

    b) Scope of test - silo/end-to-end/BCP only/BCP & DRP

    c) Outcome achievement level - Desired/short/failed

    d) Were Lessons Learned built into the test

    e) Was the Audit Risk Rating reflective of the test outcome

    These questions have to be answered by the Auditors

  • 15


    Auditing BCM is fairly straightforward, but stating an opinion on the state of BCM readiness and whether the organization has a workable BCP/DRP in place is the challenge.

    Evaluating Risk Assessment and Testing Process via the OUTCOME approach within the overall audit of the BCM System is where Auditors can make a difference.

  • 16