Beruflich Dokumente
Kultur Dokumente
BUSINESS
CONTINUITY
MANAGEMENT
AUGUST 2014
IPPF Practice Guide
Business Continuity Management
Table of Contents
www.globaliia.org/standards-guidance /
IPPF Practice Guide
Business Continuity Management
Executive Summary
Business continuity management (BCM) prepares orga-
nizations for future incidents or crises that could inter-
fere with the achievement of business objectives. Crisis
management (CM) is a key component of BCM and
deals with communicating pertinent information about
the crisis to the organizations stakeholders.
www.globaliia.org/standards-guidance / 1
IPPF Practice Guide
Business Continuity Management
2 / www.globaliia.org/standards-guidance
IPPF Practice Guide
Business Continuity Management
Standard 2120: Risk Management business represents governing agencies, critical public op-
The internal audit activity must evaluate the effectiveness erations, public safety, and the security of its constituents.
and contribute to the improvement of risk management
processes. Key components of BCM include:
www.globaliia.org/standards-guidance / 3
IPPF Practice Guide
Business Continuity Management
4 / www.globaliia.org/standards-guidance
IPPF Practice Guide
Business Continuity Management
space. Given its interaction with, and understanding of, See Practice Aid I for additional guidance on assurance
the needs of the organizations board and executive man- engagement programs.
agement, internal audit can provide perspective and help
focus planning activities. Ensuring that key BCM focus Advisory Engagements
areas are aligned with board and executive management The focus of BCM can quickly turn toward the review
level needs is critical to success. and analysis of IT infrastructure because data access and
transfer are considered core business functions. However,
Assurance Engagements when providing BCM/CM advisory services, internal au-
Internal audit may perform periodic assurance engage- dit should consider broad organizational objectives and
ments to verify that the BCP and CMP are comprehen- risks and not limit the engagements emphasis to IT is-
sive, relevant to the current business operating environ- sues. BCM advisory engagements should not compromise
ment, and communicated to the appropriate internal and internal audits objectivity. Care should be taken not to ac-
external stakeholders. The frequency, nature, and extent cept responsibility for ownership or management of busi-
of work performed will be driven by risks or requests from ness continuity risks.
stakeholders to validate the effectiveness and relevance of
planned efforts.
Internal Audits Evaluation of
The scope of assurance engagements may include a com- Key BCM Elements
prehensive BCM program or specific elements (e.g., test-
ing the occurrence and update frequency of the BCP, and BCM programs include common elements such as pro-
the maturity of the CMP). Internal audits knowledge of gram governance, risk management, business impact anal-
the risks mitigated by the BCP or CMP and prior involve- ysis (BIA), and business continuity and recovery planning
ment in an advisory capacity during plan development may (BCRP). It is critical that each element involve the right
promote a more efficient engagement planning process. sponsors, stakeholders, and business partners to help en-
sure the development of a comprehensive, supported, and
Assurance engagements may include: actionable plan. Overall communication elements within,
and information about, the plans should be shared with
Requests for review by the audit committee or key stakeholders. Internal audit activity may include eval-
executive management on the BCM program or por- uating the effectiveness of BCM and the CMP.
tions thereof, including vendor or business partner
reviews. Program Governance
BCM reviews to evaluate plan completeness, maturi- The key to successful BCM is the support and sponsor-
ty, and appropriateness based on organizational risks, ship of executive management. Internal audit can help
growth, or divestitures. identify and forge relationships between key internal
BCM stakeholders. The following activities may be per-
Program risk assessments.
formed by internal audit during the initial stages of BCM
Reviews of existing provisions of an organizations or evaluation:
a business partners BCP/CMP as defined by con-
tractual terms (i.e., right to audit clauses or defined Determining whether key leadership positions have
service-level agreements). been documented and approved to help ensure
ownership and accountability for the organizations
www.globaliia.org/standards-guidance / 5
IPPF Practice Guide
Business Continuity Management
programs. Leadership is critical to identifying plan Understanding key BCM risks can help strengthen the
interdependencies, promoting continuous improve- development of the proposed internal audit plan. Being
ment, and learning from post-crisis activities. exposed to the organizations BCM activities helps the in-
Recommending the development of a BCM charter. ternal auditor identify key exposure areas including orga-
The charter helps to establish program sponsorship nizational tone/support, operational control activities, and
and support within the highest levels of the organiza- core processes and potential systems/data/vendor depen-
tion. In addition to validating the BCM programs dencies. Weakness or failures in these areas could prompt
existence, a well-defined charter establishes a BCM the internal audit function to focus resources on provid-
governance structure (i.e., BCM committee) and ing assurance or advisory engagements geared toward add-
guidance regarding periodic re-evaluation of the char- ing value and organizational improvement. Gathering risk
ter. A governance structure approves BCM or CM data helps guide internal audits plan and allows internal
decisions and provides a forum for visibility into or- audit to perform analyses to assess risk probabilities, im-
ganizationwide BCP or CMP development, revisions, pacts, comprehensiveness, and credibility. Practice Aid I
and associated internal and external communications. provides a sample risk assessment checklist.
6 / www.globaliia.org/standards-guidance
IPPF Practice Guide
Business Continuity Management
www.globaliia.org/standards-guidance / 7
IPPF Practice Guide
Business Continuity Management
Conduct Audits of the Recovery Processes Participate in the Broader Recovery Process
and Plan Effectiveness Internal auditors may be requested by organizational lead-
The disaster recovery plan, as a component of the BCM, ership to lend additional support to operational staff who
may include requirements for internal audit to conduct an are either:
audit of the recovery process. Where this is the case, this
additional work will need to be included in the initial draft Working on recovery processes.
plan and may lead to changes to those priorities. Working on revisions to normal business processes
as a result of the unavailability of IT systems.
Additionally, where such a role has not been specifically
assigned, the CAE should consider whether, following a Using alternate defined procedures to carry out
risk-based assessment, he or she should recommend to activities for which normal processes have been
the BCP leadership team that particular aspects of data disrupted.
recovery and/or CMP should be audited. It will be important for the CAE to consider requests au-
thorized by the audit committee in advance of determin-
The types of audit work that might be undertaken include: ing internal audits BCP/CMP role. Additionally, when in-
ternal audit staff is released to assist with CM or recovery
An end-to-end review of the recovery process (i.e., efforts, assigned duties should be carried out under the
whether it complied with the planned process and direction of operational management. To protect objectiv-
whether the plan proved to be detailed enough to ity, the CAE should consider the operational duties per-
deal with the issues that emerged). formed by internal auditors and avoid assigning them to
An audit of the effectiveness of the recovery pro- future internal audit assurance activities in the same area.
cess, including performance against defined metrics
or plan components as well as effective and timely
internal and external stakeholder/business partner
communication.
A review of controls and special processes intro-
duced outside the normal control framework and
potential impact on operational or financial risks for
the organization.
An audit of managements data recovery processes,
which may include examining key data reconcili-
ations performed by management to ensure data
completeness and accuracy.
A review of actual BCP and CMP variations follow-
ing activation of the plans, including recommenda-
tions that will allow for effective plan evolution. This
also should apply to the internal audit activitys own
plans.
8 / www.globaliia.org/standards-guidance
IPPF Practice Guide
Business Continuity Management
Example 1:
BCM SAMPLE WORK PROGRAM
SUB AREA ITEMS POSSIBLE CONSIDERATIONS
1. Business environment and strategy Industry 1. Key industry standards for BCM.
2. Legal requirements for industry in which the company
operates.
3. History of industry-specic vulnerabilities.
4. Listing of identied bodies and authorities (external
agencies).
External dependencies 1. Critical business partner relationships and stakeholder
dependencies are identied and considered (includes key
suppliers, vendors, and outsourced functions).
2. Key business partner contracts and service-level
agreements are identied and key provisions documented.
3. Right-to-audit clauses are periodically triggered, and
Statement on Auditing Standards (SAS) 70/Statement
on Standards for Attestation Engagements (SSAE) 16 or
equivalent business partner reporting is received (i.e.,
system validation exercises, including back-up recovery
capabilities and periodic security reviews).
www.globaliia.org/standards-guidance / 9
IPPF Practice Guide
Business Continuity Management
3. Impact Analysis (includes business Tone at the top 1. Board of directors and senior management is supporting
impact analysis [BIA], risk evaluation, the BCM initiative.
and controls)
2. Senior executive is responsible for ensuring successful
implementation, maintenance, and update of plans
supporting BCM.
3. BCM policy/charter exists and is updated periodically.
4. BCM-related plans, including BCP and CMP, are approved
by board of directors and each appropriate level of
management.
10 / www.globaliia.org/standards-guidance
IPPF Practice Guide
Business Continuity Management
www.globaliia.org/standards-guidance / 11
IPPF Practice Guide
Business Continuity Management
12 / www.globaliia.org/standards-guidance
IPPF Practice Guide
Business Continuity Management
www.globaliia.org/standards-guidance / 13
IPPF Practice Guide
Business Continuity Management
Example 2:
Selected portions of the assessment below are completed to provide examples of potential content.
PROCEDURES
Risk assessment Has a BCM risk assessment NI Greater formalization and
Designed to identify been conducted for the (Needs improvement) documentation needed.
threat scenarios (credible organization?
events) that could disrupt
business. To successfully
complete this BCM risk
assessment, those who are
Did the risk assessment NI Consider regional events.
knowledgeable of threats to
consider these categories of
the organization, environment,
risks:
and region should participate.
Participation may include Natural hazards.
those from security staff, Militant/people.
facilities staff, etc.
Human factors/IT.
Operational.
14 / www.globaliia.org/standards-guidance
IPPF Practice Guide
Business Continuity Management
www.globaliia.org/standards-guidance / 15
IPPF Practice Guide
Business Continuity Management
16 / www.globaliia.org/standards-guidance
IPPF Practice Guide
Business Continuity Management
www.globaliia.org/standards-guidance / 17
IPPF Practice Guide
Business Continuity Management
18 / www.globaliia.org/standards-guidance
IPPF Practice Guide
Business Continuity Management
www.globaliia.org/standards-guidance / 19
IPPF Practice Guide
Business Continuity Management
Practice Aid II: Glossary of Key Terms Incident an event that is not part of operational stan-
dards, which may temporarily impact a business and in
Business Continuity Plan (BCP) the ability to plan
some cases could lead to an emergency or disaster.
for the continuity of critical business processes; protect
critical assets; and provide service and support to custom-
Impact Analysis a process to analyze key operational
ers in the face of a crisis, disaster, incident, or emergency.
functions or critical data with a view to understand poten-
Such a plan allows an organization to recover effectively
tial internal or external impact of potential loss/disruption.
from, and manage risks associated with, a crisis. This is
Impact analysis includes Business Impact Analysis (BIA),
often included in a crisis management program.
which involves the identification of critical business as-
sets, functions, and resources, as well as an evaluation of
Business Continuity and Recovery Planning (BCRP)
the potential damage or loss that may be caused to the
a proactive method by which organizations can identify
organization resulting from a disruption or a change in the
business continuity and recovery measures to manage and
business or operating environment. A BIA should identify:
mitigate key organizational risks triggered by a crisis.
a) sources of damage, interruption, or loss; b) the extent to
which time passage will magnify the potential damage, in-
Crisis an event that, if not handled appropriately, may
terruption, or loss; c) the level of services or resources re-
significantly impact an organizations ability to operate,
quired to sustain core business activities; and d) the time
remain profitable, and manage reputational risk. Com-
line during which all critical business assets, functions,
monly, these are natural or physical disasters, failures of
and resources should be restored to avoid permanent sig-
critical operations and/or connectivity, disruptions to key
nificant loss for the organization.
business partner relationships, and technology exposures.
Recovery Point Objective (RPO) the point in time to
Crisis Management Program (CMP) a consolidated
which systems and data must be recovered after an outage
portfolio of activities consisting of preventive and reac-
(e.g., end of previous days processing). RPOs often are
tive measures executable by an organization to effectively
used as the basis for developing backup strategies and to
mitigate and manage risks implied by a crisis or event. A
determine the amount of data that may need to be recre-
CMP often will include a business continuity plan and a
ated after the systems or functions have been recovered.
disaster recovery plan.
Recovery Time Objective (RTO) the period of time
Disaster a sudden, unplanned catastrophic event caus-
within which systems, applications, or functions must
ing unacceptable damage or loss. This may include events
be recovered after an outage (usually one business day).
that compromise an organizations ability to provide critical
RTOs often are used as the basis for developing recovery
functions, processes, or services. This is an example of an
strategies and to determine whether to implement those
event in which business continuity and/or disaster recov-
strategies during a disaster situation. Maximum allowable
ery plans often are activated as part of an overall CMP.
downtime is a commonly associated term.
Emergency an unplanned, impending incident or
Risk Assessment/Analysis the process of identifying
situation that may cause injury; loss of life; destruction
the risks to an organization, assessing the critical func-
of property; or interference, loss, or disruption of normal
tions necessary for an organization to continue business
business operations. Such events may escalate into a cri-
operations, defining the controls in place to reduce or-
sis if not controlled or managed.
ganizational exposure, and evaluating the cost for such
20 / www.globaliia.org/standards-guidance
IPPF Practice Guide
Business Continuity Management
controls. Risk analysis often involves an evaluation of the Disaster Recovery Institute (www.drii.org), Profes-
probabilities and likelihood of a particular event. A crisis sional Practices for Business Continuity Planners
is an example of an event. (2008). A widely used framework that includes
information on: 1) program initiation and manage-
Practice Aid III: BCM Standards and ment, 2) risk evaluation and control, 3) business
Guidance Resources impact analysis, 4) business continuity strategies, 5)
emergency response and operations, 6) business con-
Numerous resources provide standards and guidance re-
tinuity plans, 7) awareness and training programs, 8)
lated to BCM. Resources include frameworks and ma-
audit and maintenance, 9) communications, and 10)
turity models to benchmark the internal auditors role in
coordination with external agencies.
supporting the business continuity plan (BCP) and crisis
management plan (CMP) development life cycles. Many Federal Financial Institutions Examination Coun-
resources may serve to educate internal audit staff and cil (www.ffiec.gov), Business Continuity Planning,
provide an opportunity for knowledge sharing with orga- IT Examination Handbook (2008). The handbook
nization management that are seeking to build, adjust, or includes seven elements: 1) board and senior man-
validate BCM efforts. Resources as of April 2013 include: agement responsibilities, 2) business continuity
planning process, 3) business impact analysis, 4) risk
The Institute of Internal Auditors International assessment, 5) risk management, 6) risk monitoring
Standards for the Professional Practice of Internal and testing, and 7) other policies, standards, and
Auditing (Standards) and related guidance processes.
(www.theiia.org), including: The Business Continuity Institutes (www.thebci.
o Global Technology Audit Guide 10: Business org) Good Practice Guidelines (2010). The guidelines
Continuity Management. This guidance includes: include six elements: 1) policy and program manage-
1) common disaster scenarios, 2) management ment, 2) embedding CM in the organizations cul-
roles during business interruption, 3) disaster ture, 3) understanding the organization, 4) determin-
recovery solutions, 4) risk assessment and mitiga- ing CM strategy, 5) developing and implementing a
tion, 5) business recovery and continuity strategy, CM response, and 6) exercising, maintaining, and
and 6) CM plan testing. reviewing.
o 2010 GAIN Survey and ResultsCrisis Manage- International Organization for Standardization (ISO)
ment. (www.iso.org) guidelines:
o Audit Executive Centers 2011 Knowledge Alert o ISO/Publicly Available Specification (PAS) 22399,
Three Crisis Management Imperatives for CAEs. Societal SecurityGuideline for Incident Prepared-
ANSI/ASIS/BSI CM.01:2010, Business Continuity ness and Operational Continuity Management
Management SystemsRequirements With Guidance (2007). Provides general guidance for an orga-
for Use (2010). Collaboration between the American nization (private, governmental, and nongovern-
National Standards Institute (ANSI), ASIS Interna- mental) to develop its own specific performance
tional, and the British Standards Institute (BSI) to criteria for incident preparedness and operational
provide a framework of auditable criteria and accom- continuity, and design an appropriate manage-
panying guidance that can be tailored to meet the ment system.
needs of organizations across their global operations. o ISO/IEC 24762, Guidelines for Information and
www.globaliia.org/standards-guidance / 21
IPPF Practice Guide
Business Continuity Management
22 / www.globaliia.org/standards-guidance
IPPF Practice Guide
Business Continuity Management
Authors:
David Bentley, CIA
Brian Foster, CIA
Brian Peterson
Brian Reed, CIA
Erich Schumann, CIA, CRMA
Rita Thakkar, CIA
Benito Ybarra, CIA
Reviewer:
Steven E. Jameson, CIA, CCSA, CFSA, CRMA
www.globaliia.org/standards-guidance / 23
About the Institute Disclaimer
Established in 1941, The Institute of Internal The IIA publishes this document for informa-
Auditors (IIA) is an international professional tional and educational purposes. This guidance
association with global headquarters in Altamonte material is not intended to provide definitive an-
Springs, Fla., USA. The IIA is the internal audit swers to specific individual circumstances and as
professions global voice, recognized authority, such is only intended to be used as a guide. The
acknowledged leader, chief advocate, and princi- IIA recommends that you always seek indepen-
pal educator. dent expert advice relating directly to any specific
situation. The IIA accepts no responsibility for
About Practice Guides anyone placing sole reliance on this guidance.
Practice Guides provide detailed guidance for
conducting internal audit activities. They include Copyright
detailed processes and procedures, such as tools Copyright 2014 The Institute of Internal
and techniques, programs, and step-by-step ap- Auditors. For permission to reproduce, please
proaches, as well as examples of deliverables. contact The IIA at guidance@theiia.org.
Practice Guides are part of The IIAs IPPF. As
part of the Strongly Recommended category
of guidance, compliance is not mandatory, but
it is strongly recommended, and the guidance
is endorsed by The IIA through formal review
and approval processes. For other authoritative
guidance materials provided by The IIA, please
visit our website at https://globaliia.org/standards-
guidance.
140455