Business Continuity Management (BCM) & Audit

 In today’s world, audit is big part of making sure we’re doing what we say we’re doing in the way we said we’d be doing it.  After such fiasco’s as Enron, WorldComm and many others, it’s no wonder that governing bodies have made sure there is some sort of regulation attached to just about everything we do.  Everything has a check and balance but then we knew that anyway because you can’t have black without white and you can’t have night without day.  You can’t have calm and peace without chaos and confusion. 

 However, the drawback to audit is that many believe they have become experts in just about everything – with no training and background.  I recently had a meeting with a (Canadian) provincial government representative regarding Business Continuity Management (BCM) and their expectations, since he was the main ‘go-to’ guy for compliance.  Since I was doing some work for an agency that reported to a government ministry, I wanted to make sure we were covering all the bases and expectations. 

Within moments of our chat beginning, I knew that everything he knew about BCM was found by doing internet searches.  He didn’t understand what a Business Impact Analysis (BIA) was or how various components of BCM fit together (i.e. Technology Recovery Plan based on organizational need and “DR” vendor contracts and and and….).  He simply rattled off a list of what he thought every plan should have with no real understanding of what he was asking for.  You might wonder how I know this; it’s because when he described what he was looking for he couldn’t explain what they were clearly and when pressed for details shrugged it off as though it wasn’t important.  Oh, and I hadn’t told him I’d been doing this for quite some time. 

I left our meeting not quite understanding the expectations but luckily since I’ve been doing this long enough (cough) that I had an idea of what he wanted to see in the BCM program I was helping to establish.  

There are some key things that every program requires and I know I’ve written about that a few times, so I won’t go into all of it here again.  Feel free to browse through some older articles/blogs.

The experience though got me thinking of how best to work with audit personnel, as I’ve had more and more contact with internal – and external – audit as time goes by.  I decided to put a few things together to help those who are having difficulty with their auditors and aren’t sure why they can’t see eye to eye or for those that have yet to have the big terrifying meeting with an auditor (it’s not as bad as people think it is).  Below are just a few suggestions you can utilize or consider when dealing with auditors (at least when it comes to BCM but maybe it’ll help with other things too).

  1. Get to Know Your Auditors – It’s that simple.  Introduce yourself and let him/her know what you do and that at times you want to touch base with them and make sure you’re addressing their concerns.  Yes, I said their concerns.  If they feel as though you’re helping them, then they are going to be more willing to help you when you need it.  Maybe even an ally when things seem to be going awry. 
  2. Investigate Regulations – If your organization is required to follow a specific regulation or standard, then I can guarantee the auditor will be measuring you against it.  Take a look and see what the specifics are to the standard/regulation and review your program components to see if you have it covered.  Don’t worry if you have it worded differently – as often happens – just make sure you have what the standard is asking for.  Remember a request for a car can be fulfilled with an Acura, a Mini, a limo or an SUV; they all meet the requirement but just look different.  Know what the requirement is.
  3. Know Their Auditing Process – Some corporations aren’t required to adhere to a specific standard or regulation, which is fine depending upon the industry you’re in.  However, I can guarantee that your auditor is following some audit standard or preferred methodology.  Find out what it is and like noted in #2, review your program components and see if you have it covered.  When you get audited you’ll know what he/she is looking for and be able to help them much easier than if you don’t understand where they’re coming from.
  4. Answer with Honestly – If you lie or try to manipulate the results, the auditors comments will show it.  If the answer to something is No, then simply state as such.  They may ask for a reason or more details after that.  You may answer to no to having department continuity plans but then you can say that until the BIA is completed, you can’t move on to that section.  Don’t lie and say something is under development if it isn’t; they’ll ask to see it and then you’re caught (and it’ll be in the report making its way to executives). 
  5. Help Them – As with my meeting noted earlier, not everyone is going to know what it is they are asking for.  Don’t simply state you can’t help them, ask some questions so they become comfortable with what it is they are asking. Often, they are looking at you as the expert in BCM (and hopefully you are) so they will want you to help them find what hey need and help them understand what it is you’re doing.  You can help them get what they need for their reports and at the same time help raise their level of awareness and understanding of your realm of responsibilities – and gaining a friend in the process.
  6. Ask for Their Input – If you don’t know what audit methodology or regulation you corporation follows, ask the auditor – they’ll know. They’ll also see it as you being proactive and it gives them the message that what you’re trying to achieve will be in line with the requirements the corporations must follow.  Sometimes, you may have some component you’re struggling with or having difficulty with, asking an auditor for input and their thoughts might help you get over that hump. Oh, and the best thing is that if you do seek their help, they become a great person to leverage for BCM support. 
  7. Show Progress – If an auditor does understand what makes up a BCM program then they are going to want to see progress.  If you state in an executive summary (from an exercise) that you encountered “X” issue, then during the next exercise they are going to want to see that “X” issue doesn’t – or didn’t – reoccur.  If you say you are updating BCP plans every quarter, then an auditor is going to want to see that the plan has been updated, what sections and probably ask for the older versions for proof. 
  8. Think Beyond the Scenario – If an auditor doesn’t understand BCM and its complexities, you can bet they will be asking questions about specific topics like ‘What do we when a flood occurs?  Or a Fire?  Or a pandemic outbreak?”  And then most of the questions are all about technology because they don’t understand the link to department contingencies (i.e manual processes etc).  Help them understand that BCM is more than just the results you get when ‘googling’ BCM.  It contains so many aspects and if they are seeking BCM with tunnel vision, they will not be able to understand that you’re building a comprehensive program that encompasses the entire enterprise.   I’ve come across many questions over the years with basic scenarios/situations but as we all know, there are so many different facets to BCM – it’s just not black and white. 

 Hopefully some of these considerations will help you when – not if – you deal with an auditor.  They aren’t there to be your enemy and they aren’t trying to tell you how to do your job – at least the good ones shouldn’t be.  They are making sure that what we said we’d do, we’re actually doing and getting the desired results we said we would obtain.  If not, we’ve got a plan to get us where we want to be. 

Developing a good relationship with audit personnel can be one of the most beneficial affiliations you can make within your organization.  You can learn from them but they can also help teach you many things.  What you don’t want to happen is walk away from a meeting where no one is better off – like the one I mentioned at the beginning of this blog.  I’ve reviewed what we’ve got developed so far and we’ve got everything he was looking for – so he can put that checkmark on his audit report.  It’s my role (and goal) to help him understand what that tick box actually means…

**NOW AVAILABLE**

The new book by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.”  Available at www.stone-road.com **

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s