Unless you review your business continuity plan at least once a year, it is worthless.
How do you go about reviewing your business continuity plan?
You could start with an audit – the audit can be done by an external auditor or by an internal auditor. It doesn’t really matter which one, as long as the internal auditor is certified for ISO 22301.
The benefits of an external auditor are that you get third-party external advice and an objective opinion. The advantage of an internal auditor who is ISO 22301 certified as a lead auditor is that the auditor knows your organisation and understands your business processes.
The word “audit” can be intimidating. Whenever we hear the word “audit” we suspect bad news. But it doesn’t have to be that way – an internal auditor isn’t there to find fault but to show weaknesses in your business continuity plan.
The internal auditor identifies areas where your business continuity plan can be improved. The conclusion of the audit would be a list of corrective actions that you need to take to strengthen your business continuity plan. The auditor will give you a certain period within which to close the gaps.
What should the internal or external auditor look for? The auditor would go through your business continuity plan with you and look at areas such as your scope, risk analysis, business impact analysis, whether you have communicated your plan to your team, your business management strategy, whether your plan shows continual improvement and the specific actions you would take following a disruptive incident.
You would need to provide the auditor with supporting documentation so that he or she can see concrete evidence of what you’ve done. What will also be important is whether you have done an annual walk-through or test of your plan. This will show your commitment to business continuity. The auditor may also want to look at your disaster recovery plan to see how it fits in with your business continuity plan.
Business continuity planning is an important element of risk and controls. By thinking through what you would do in the event of a disruptive incident, you can be better prepared for one. The aim of business continuity planning is to help you get your business back up and running or operational as soon as possible after a disruptive incident of whatever nature.
If you have any questions or need assistance with business continuity implementation, business continuity management systems or auditing of your business management system, please let me know.