Continuity Central recently conducted an online survey which worked from the following premise:
“While there has been much activity in the area of business continuity standards, there has been little discussion in the profession about quality control within business continuity management. This anonymous survey seeks to provide a starting point for this...”
Overall 157 responses were received, with the majority (75 percent) of respondents representing large organizations (defined as having 500 or more employees). 12.8 percent of respondents were from medium sized organizations (100 - 499 staff) and 12.2 percent from small organizations (less than 100 staff).
The UK and the USA were equally represented, with 32.5 percent of respondents coming from each country. These were followed by Canada (9.5 percent) and Australia (6.1 percent). Respondents from elsewhere around the world made up the remaining 19.4 percent.
The results of the survey were as follows:
Question one: Does your organization undertake quality assurance of your business continuity outputs (e.g. the business continuity plan or the business continuity management system)?
67.5 percent of respondents undertake quality assurance for their business continuity outputs, while 32.5 percent do not.
As might be expected, there are differences by size of organization, with 70 percent of large organizations undertaking quality assurance activities and 68.5 percent of small organizations also doing this. However, only 50 percent of medium sized organizations reported having quality assurance in place for business continuity outputs.
UK organizations seem more likely to undertake quality assurance for their business continuity outputs: 73 percent of respondents from the UK stated that their organization did this, compared to only 58 percent of US, 64 percent of Canadian and 66 percent of Australian respondents.
Question two: If you answered 'yes' to question one, is this a formal or informal quality assurance system?
60.7 percent of organizations that carried out quality assurance for business continuity outputs used a formal system, with 30 percent having an informal system. 9.3 percent weren’t sure what type of quality assurance system was in place.
Large organizations were more likely to have a formal quality assurance system in place; 61 percent of such respondents compared to 58.3 percent of medium and 56.3 percent of small organizations.
Question three: If you answered 'no' to question one, does your organization have plans to undertake quality assurance of business continuity outputs in the future?
38.5 percent of respondents to this question stated that their organization did have plans to undertake quality assurance of business continuity outputs in the future. 19.2 percent had no plans and 42.3 percent were not sure whether their organization would address this issue.
Quality assurance methods
Respondents were asked to provide a brief overview of their quality assurance methods if they had these in place. These responses are reproduced below:
• Formal semi-annual certification and validation of plans and framework together with annual Internal Audit review.
• Internal and external audit. Internal self assessment and reporting based on standards
• QA surveys and assessments, Internal Audit reviews, specific business continuity reviews, lessons learned reviews following incidents.
• 1) Regulatory review of our BCM system; 2) Benchmarking / comparison of BCM system to leading guidelines / best practices including, e.g., BS25999, NFPA1600, Z1600; 3) Independent review of business continuity plans by Risk Management and Internal Audit.
• As regulated and needed per country.
• Plan reviews by Corporate Governance organization.
• Regular formal reviews of plans by the corporate BCM Unit. Audit review of BCP. Regular reporting to the Executive on the status of BCP within the organization.
• Regular formal plan reviews of all plans by the organization's Business Continuity Management Unit.
• Twice yearly reports to the Executive on the status of BCP in the organization. BCP is an area included in the Audit process.
• Two reviewers, one at business unit level and the other at the corporate level, for critical business units only.
• Regular inspection and inclusion in audit process for adherence to company methodology.
• Internal: reviews, internal auditing, random checks
• Each of our 80+ plans is independently assessed against a standard checklist and actions are collated in an Actions Log for each business unit (it also contains actions arising from exercises). The Actions Log is circulated to senior management for review and follow-up. It also forms a basis of regular reviews by the Risk Committee. The BCM framework for the company is independently reviewed every 1-2 years by an external organization; Internal Audit review every 2 yrs or so as well as checking BC Plans on an ongoing basis.
• KPIs.
• Use of balanced scorecards. Every year BCM evidence is uploaded and is part of the operating capital for each location.
• BCM annually subjected to internal audit scrutiny and regular reporting to a Risk Committee by the BCP Manager.
• We have a formal cycle of BCM training, BCP reviewing, recovery testing, recovery team rotation and resilience reviewing.
• Some of the ISO 9001 requirements are incorporated into BS25999 compliance program.
• Written as part of an Integrated Management System in line with ISO 9001. The BCP, risk assessment, impact analysis and associated restoration plans are controlled documents in line with standard document control procedures. We carry out scheduled internal exercises and audits. Our QA accreditation includes BCM review during external audits. Currently rewriting the BCP in line with BS 25999 intending to achieve accreditation later this year.
• ISO 2000-9001 and BS 25999 as appropriate.
• Aligned to ISO 9001.
• Business area review via exercising programme elements, internal/external audit, global programme governance.
• High level review against Operating Management System recommended practices and deliverables, on a sample basis.
• Part of unit and functional level key control standards assessments undertaken periodically.
• Informal: through version control and management of processes on an ongoing basis. Formal: through external audit.
• Plans reviewed every six months supported by internal audits.
• Audited to ISO 9001:2000.
• Audited.
• Central Policy, templates, guidelines and standards. Outputs are reviewed against standards which include quality criteria. QA feedback is given to ensure standard is reached.
• Internal audit both from a quality assurance and current best practice methodology aspect is conducted on the BCMS.
• External audit.
• Formal process conducted by a Group Audit function.
• Part of ongoing Audit Compliance programme to review BC.
• Exercises are conducted based on BIA results so frequency varies based on criticality. Plans are updated based on exercise results. The BIA is updated annually and all plans are adjusted to be compliant with new BIA findings.
• Our IT BC program team uses a template that we use to assess the quality of the recovery planning documents. We have a standard plan template that includes required and recommended content and information. The assessment tool refers to each area of the plan and looks at the content, quality, completeness, functionality, and usability of the plan contents.
• Formal methodology: Internal Audit department reviews business continuity program office. Internal Audit department randomly reviews BC plans developed by organizations. Informal methodology: A BC plan self assessment template is provided to organizations to help them evaluate the effectiveness of their plan.
• Periodic review by Internal Audit function.
• Program standards, policies, tools, testing and plan documentation templates and procedures are all in place. Quality audits are performed on the documented plans and drill logs are created and audited for all drills. Leaders at the corporate, business unit, and plan ownership levels are in place to manage the different levels of organization activities and capabilities. Metrics on compliance to requirements are tracked and reported monthly and quarterly to senior management.
• Reviewed centrally for compliance with Firm policy.
• The BCP team pulls BIA data entered into the central system and reports it out to senior management within each function for confirmation. In addition, each operational audit reviews BCP for appropriate identification of time-sensitive processes and adequate plans for loss of people, place or IT.
• Independent audits; subject matter annual reviews.
• Periodic review by Internal Audit function. Occasional review by external audit function.
• BCP/BCMS is audited both by our Internal Audit team and as part of our standard annual audit. It is also inspected by external auditors of investing organisations.
• Certified to ISO 27001 and currently implementing BS25999.
• We test the plans to ensure they actually might work during a continuity event; the plans are also examined during Internal Audit. Our Corrective/Preventive Action system also covers the BCP process and its outputs.
• We are complying with ISO 17021.
• Formal evaluation of business continuity plan by external auditors. Desktop review undertaken on two separate occasions. Hot site tested and IT backup systems activated and found to operate satisfactorily. Problem found with telephone system - our incoming lines were not functioning for one week; telecom provider could not detect cause of problem; eventually after six days telecom provider discovered lines were flooded. We had no alternative telecoms provider on standby to provide services to clients. Staff were using their mobile phones but all clients did not know the important mobile phone numbers. Plans now in place to address this deficit.
• Internal Audit; risk assessments.
• We have integrated our ISO9000 and 27001 systems as the integrity of data to our business plan is fundamental to the success of the product. There is a further non-manufacturing process involved that is a huge selling point to a major stakeholder identified as a critical process that is covered by our QMS. All records must be maintained indefinitely and the accessibility and integrity is of the highest priority. The service and data backup is covered by the BS25999 framework and an audited test plan is in place.
• In accordance with our Quality Policy, processes and procedures.
• Risk assessment, Internal Audit.
• Plan is reviewed for conformance / alignment to business continuity objectives of the organization & plans are tested annually.
• Review by central BC function
• Internal and External Audit. However audit function is not particularly strong and does little to add any real value to BCM quality.
• Branch-wide risk assessment and KCI reporting to display the overall view of the organization based upon the KCIs.
• Audit by Internal Auditors who have questionable knowledge of what constitutes a BCMS!
• All individual plans QA'd by BC Manager and comments written up for inclusion in revised version.
• BC Manager Quality checks departmental BC plans on an ad hoc basis.
• A review of key departments' BCPs and communication plans in support of the Company BCP's objectives, face-to-face with the BCM Manager and departmental BC Coordinators. Random spot-testing of Company Call Trees (Call Cascades).
• Business continuity specialist review of business continuity plans. Oversight by 2nd line risk management function.
• Desktop testing exercises, plan review by BC Manager and BC Committee.
• Internal Audit and CCA.
• We use an audit checklist to assess individual business group/functional plans.
• Peer and management review, testing, internal audit review...
• One-on-one content and technical review with local BCP coordinator.
• Plans are reviewed by Internal Audit in conjunction with business unit audits. The BCP group reviews a sample annually and external audit and regulators review specific business units as well.
• Documented certification of requirements, tests, plans, etc.
• Essentially it involves only 2-3 rounds of drafts before templates are finalized, content and spelling review of reports, etc.
• I informally audit plans, procedures, processes, exercises, and training. However, as I am involved in coordinating the production and execution of these activities, I cannot provide a wholly objective view of the quality of my business continuity management practices. Unfortunately, the company's internal audit function focuses on financial and corporate governance quality controls, and does not include process quality controls, such as with business continuity.
• Quality controls are limited to exercises / testing, plan review, project management, and training.
• Questions, surveys.
• Testing of procedures when needed.
• We review plans based on our planning standards and exercise documentation. Results are communicated to planners and Business Continuity Management.
• 1) BC Plans - all plans and updates are prepared by the BC Administrator in cooperation with Plan owners and drafts are submitted for review to the Plan owner and are posted/published only after review/approval is received. 2) Test Scope and Test Scripts- all documents are prepared by the BC Administrator and submitted for review/approval to the Plan Owners. 3) Test results are published by the BC Administrator and submitted to Plan Owner and Internal Audit.
• Quarterly review of all BCM processes for alignment with ISO 9001 principles and practices.
• Our Quality Assurance Review results are between the Corporate Business Continuity group and the individual planner. We only escalate if after a second review no enhancements have been made.
Continuity Central would like to express a large ‘thank-you’ to everyone who took part in this survey.
Comments
Quality assurance starts with the implementation project to build a BCM.
There is no BCM without quality assurance and exercises: it becomes a waste of money.
Georges COWAN, CBCP, MBCI, CMC
Surely QA is an intrinsic part of BS25999-2? Those that reported not having a QA process are perhaps not using the standard or don't understand this element of it?
Bradley Wright

Date: 28th October 2009 • Region: UK/US/World • Type: Article • Topic: BC statistics
UPDATED 6th NOVEMBER