Review and Testing of Business Continuity Plans – Basel Principle 13
“It is the responsibility of the organization's Internal Audit and Business Continuity functions to ensure that all of the organization's business continuity plans are tested and reviewed on a periodic basis to spot incorrect assumptions, oversights or changes to equipment, and employees and to identify any changes in business requirements not reflected in specific plans. Any undocumented requirements must immediately be documented. In addition, appropriate information owners and users must be informed of updates to plans.”
The Basel Accord for large global money center institutions says you have to test all of your suppliers and their plans so that you don’t have any service interruptions. The question is, how often is enough? When was the last time you knocked on the door of your power company, phone company, and water company and said, “I’m here to audit your BCCM plans”? And did so in every country where you operate critical information processing and personnel centers?
Having survived several large quakes in Southern California in years past, I’m not sure that all of the testing in the world can prepare people for human behaviors that come from within. People literally lose all sense of common sense when they are on the 42nd floor of a 50+ story skyscraper and without any warning it physically sways a couple of feet to the left and a few more feet to the right. Believe me, the issue is not the testing itself; it’s how to create a real enough scenario that you get similar behaviors out of unsuspecting people.
Certainly the largest organizations realize that the threats are taking on different forms than the standard fire, flood, earthquake and twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial. What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.
The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:
· Public perception
· Unethical dealings
· Regulatory or civil action
· Failure to respond to market changes
· Failure to control industrial espionage
· Failure to take account of widespread disease or illness among the workforce
· Exploitation of 3rd-party suppliers
· Failure to establish a positive culture
· Failure in the post-employment process to quarantine information assets upon termination of employees
Frankly, corporate directors have their hands full managing risk and continuity on behalf of the shareholders. The risk management process will someday have as big an impact on the enterprise as other key functions because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.
In summation, the following six factors are the critical aspects of effective and strategic organizational resilience and survivability:
1. Business continuity planning will be conducted on an enterprise-wide basis 24/7.
2. A thorough and continuous business impact analysis and risk assessment is the foundation of an effective BCCM.
3. Business continuity planning is more than the recovery of the technology; it is the recovery of the business.
4. The effectiveness of a BCCM can only be validated through continuous and thorough testing.
5. The BCCM and test results will be subjected to continuous independent audit.
6. A BCCM will be continuously updated to reflect and respond to changes in the organization.