Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Quality control of business continuity plans and systems

The results of Continuity Central’s recent survey into business continuity quality control throw an interesting spotlight on the varying practices across the profession.

The survey asked “Does your organization have clear processes or methods for the quality control of business continuity plans and systems?” Two thirds (64.9 percent) of the 242 respondents to the survey answered ‘Yes’ and 30.2 percent answered ‘No.’

Of those who said that their organization did not have clear processes or methods for the quality control of business continuity plans and systems the top reasons given were:

  • We are still developing our first business continuity plan: 30 percent
  • It is too complex to carry out: 20 percent
  • It is not required or necessary: 18.6 percent
  • It is too expensive to carry out: 7.1 percent.

Respondents whose organization did undertake business continuity quality control were asked to list the quality processes and methods that are in place. The responses were as follows:

  • Auditing by an internal audit process: 82.8 percent
  • Align to a business continuity standard: 75.8 percent
  • Defined Key Performance Indicators which we monitor and measure: 57.8 percent
  • Auditing by an external audit process: 47.7 percent
  • Benchmark against a Maturity Model: 25.8 percent
  • Benchmark against industry peers (e.g other companies in the same industry sector): 25.0 percent
  • Formal certification to a business continuity standard: 19.5 percent.

Respondents were asked to give a brief description of the quality control methods and processes for business continuity plans and systems within their organization. These are reproduced below:

Standardised BCP development process. Review and signoff by BC team.

The BCMS has been established in line with the requirements of the ISO 22301 standard and certified by an external agency.
BCM best practice is followed - aligned to ISO 22301
Continuous monitoring
Well defined and managed processes. Layers of accountability. Full approval and ratification procedures.
Formal annual review. Exercises at least yearly.
Regular BCP test days with full action report follow up and timescales for amendments and checking at next test.
Aligned to FSI industry Standards. Use of GRC tool. Internal audit team. External auditors.
Both quantifiable and quantifiable attributes of the program are measured against policies and procedures for BCP including the building and maintenance of plans, the exercise program, the maturity of the exercise program and the quality of documentation supporting exercises.
Yearly internal audit and follow up. Self assessment via Maturity Assessment Matrix. Compliance review.
All plans monitored by BC manager. Strategic plans reviewed by directors. Every two years audit by industry peers.
Aligned to BS 25999 and ISO 22301
Review of BIA/BCP across the organisations is a standard practice. Exercising the documented plans twice a year is the norm. Apart from this there are simulation exercises and certification process. During any audit, business continuity is a special focus area.
Internal and external audit. Review and approval process. Exercise and review. Continuous improvement. Document control.
All plans conform to requirements of ISO22301, ISO 27031.
Peer reviews, management approvals, change management.
Testing of plan twice per year, updates of plan following testing. Accredited organisation, external review of risk framework every three years.
Application of ISO 9001 and registration with same. Application of business continuity standard but not registered to this standard.
Our Compliance group uses an matrix against which the program is analyzed. I also do a self-assessment again the new ISO standard.
We work closely with our Internal audit group who have a set of standard questions and responses around business continuity which they ask and determine if there is an issue and report it back to us if they find one.
Internal compliance (approved by our steering committee) to update and exercise core BC plans annually and non-core update and exercise biennially.
The BC Program Plan is developed annually and outlines exercising, DR testing, BIA completion, Risk Assessment, Critical contact review etc. Each component must be completed for each essential business partner.
Controlled and scripted and scheduled.
Automated software which allows us to monitor the status of all plans.
BC plans are peer-reviewed by business managers. Central BC team reviews compliance to corporate standards. BCMS reviewed by internal audit.
Reviews of BCPs, and desktop exercises.
Plans are reviewed and tested on an annual basis.
Annual review of the BCMS document suite.
With a business continuity department, internal and external audits and a risk department.
KPIs for Emergency Planning Manager aligned with BS 25999 / IS0 22301. NHS Monitoring and assurance at regional level within health economy. Own governance, review and audit schedules.
Formal Q/A by regional BC directors/managers. Internal Q/A by Program Office. Internal audit. External regulator reviews.
Plans are subject to an annual quality assurance review by Group BCM.
Documented six monthly review.
Used as the basis of a full day off site exercise - done twice a year.
Plans are audited on an annual basis for quality by the Business Continuity Manager against internal standards within the Organiational BC Policy. The policy and its application is audited on a regular basis by the Internal Audit Service.
Review of plans by BC Manager.
All plans are 'baselined' as sufficient for recovery and resumption of their specific services. All plans are reviewed for sufficiency by their manager, and validated/confirmed in writing by the responsible executive. All departments are audited for completion, testing, and maintenance of continuity of operations plans.
Back up for professional services.
Qualified business continuity consultants review plans for accuracy. Business continuity plans are built in a system, which is aligned with BC standards.
All business continuity plans are reviewed and challenged where appropriate by the Business Continuity Coordinator. The maturity of the BCM system is reviewed utilising the 10 standards of competency previously published by the BCI.
Mostly audit and annual reviews of the plans and BIAs with department leads.
KPIs are documented for RTO and RPO objectives. Each exercise is alternately audited by internal or external auditors.
Agreed level of standards which are measured against.
BCMS in place is certified to BS25999-2.
Certification to ISO 22301.
As a State Agency, our plans are submitted once a year to the agency with responsibility for oversight of our plans. Using an outside consulting firm, each agency’s plans are evaluated against the COOP template and the results are reported to the Governor's Office.
Subject expert and common tool usage to gauge compliance levels and plan quality.
As regulated by all associated parties.
Annual validation and assurance with extra measures in-place (action plan) if plan not up to standard. More frequent monitoring.
The organisation is internally audited. A BC subgroup meets quarterly to discuss issues and progress re BC - this also ensures that key services have been identified and a BC plan is in place. BC tests and incidents are recorded and discussed at this subgroup to ensure lessons are learnt throughout the organisation.
BS 25999 LRQA Certificate.
Plans certified annually and audited. Regular desktop testing of plans throughout the year.
We are a consulting company, which, among other services, offer BCM services. So we aligned our BCP to ISO22301, perform regular internal audits and plan revisions.
Frequent reviews from internal audit, regulatory bodies, and peers.
Perfunctory review of plans by the program office to ensure all basic elements are included in the plan.
Internal reviews by BC specialist, program managers etc. Peer review, internal audits and 3rd party audits.
Location BCPs are reviewed annually or twice annually by BCM management team. Group audit teams then audit the BCM reviewers and management processes.
From a BCMS with attached alerts to key players each month for updates.
Quarterly reviews of all plans. Audit against BS25999. Internal audit. Benchmark against Delloitte maturity model.
We have a framework for BC plans that is documented in accordance with ISO 9001, and aligns to BS25999.
BC plans are specifically audited against an 'expected content' checklist to ensure that the basics are covered. There are KPIs for the frequency of updating and testing BC plans. The wider BC programme is subject to periodic internal audit review.
Manual RAG reports, regular reviews eg against organisation charts and announcements.
Business continuity management in my Department was recently subject to internal audit and consequently we have refreshed our BIA and governance arrangements. Business continuity in my Department is governed by our Executive Management Group.
Continual ongoing testing. Comparison with like operations within the company.
Self written audit trail.
Trained staff and exercised plans for practical quality assessment. CPD in industry best practice in BCM. Good KPI and methods of monitoring with use of the preventive/corrective/ continual improvement to document. System of admin, self-assessment and internal audits. Management reviews and external audit.
BCMS Program is combination of ISO22301,BS25999 & GPG2010.
Developed to and comply with our Quality Procedures aligned to ISO 22301.
Minimum requirements set up for all BCM lifecycle topics and deliverables. Continuous monitoring/measuring of adherence to these requirements and defined frequencies of maintenance/exercise.
Strong reviews by BCM leadership to insure consistent approach.
Generic service level template for use by all. Independent scrutiny of service level plans. Overarching corporate business continuity plan governance process to ensure issues are discussed, actions plans are completed and issues and risk escalated up through organisation.
1) KPIs related to age and content of BCPs and Exercise Quality 2) Implemented Maturity Model based on BS25999 / ISO22301 3) External Audits for ISO9000 and ISO27001 Certification.

Make a comment

Next survey:

We are also currently conducting a survey into 'Offshore risks: attitudes and trends' : take part in that survey at https://www.surveymonkey.com/s/offshorerisks

•Date: 22nd May 2013 • World •Type: Article • Topic: BC statistics

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here