Whether as a step towards ISO 22301 certification or as a means to improve the current business continuity management program, a gap analysis is an effective method of identifying areas of the BCMS needing attention. In this article Chris Alvord, Jayne Howe and Bob Draper from Austin Risk Consultants describe a method for an external business continuity gap analysis.
Overview
For many organizations, it is a constant challenge to meet the current year's goals and objectives for the business continuity management program. There is a plethora of causes and symptoms, including:
- Exercises continually fail to meet recovery time objective (RTO) targets.
- The internal and/or external auditors have raised findings that have not been resolved.
- The board, interested parties, customers and other stakeholders are making more demands.
- The competition now has certified BCM programs and is winning more business.
- A lack of confidence in consistently meeting contractual and regulatory obligations.
- A need to expand the BCM program scope, e.g., to additional departments, regions or community responders.
But there is hope. A set of fresh eyes to perform a gap analysis of your BCM program can highlight non-conformities and provide direction on how to reasonably move forward to meet your goals.
Assessment plan
Planning for an assessment effort depends on many factors, including some of the following:
- Size, inherent complexity and geographical spread of organizational processes;
- Scope and budget, decided by management, for some or all of the operation;
- Any unique business continuity needs and obligations;
- Particular requirements of interested parties and stakeholders;
- Legal, regulatory, contractual or other obligations.
With these variables in mind, an experienced practitioner can determine the requirements for the program, enabling the right level of people, time, resources and deliverables to be assigned.
Documents and records
A necessary start to an assessment is to review all relevant documentation associated with the BCM program. Of course the possibilities are many. Austin Risk Consultants has a four-page detailed list of possibilities that is shared with clients. Although this complete list is beyond the scope of this article, general categories are as follows:
- Any existing documentation covering business continuity, risk, emergency management and IT disaster recovery plans;
- General organizational documentation, e.g., annual reports, marketing materials, etc.;
- Business processes and procedures;
- Organization charts, descriptions and responsibilities;
- Topology maps of installed technology;
- Topology maps of IT, data and voice communications;
- Operational records / logs;
- Inventory listing of IT hardware and software assets;
- Inventory listing of other organizational assets;
- Existing insurance policies;
- Any third party supplier contracts, e.g., off-site storage, server back-up, payroll, etc.;
- Any existing service level agreements (SLAs) with third party providers;
- Any existing internal SLAs between internal business units;
- Any existing SLAs with customers / clients;
- Documentation from any/all applicable government regulatory bodies, membership associations, and legal conformity rulings;
- Union contracts, if applicable.
New technology can add some productivity to the review process. File-sharing services (e.g., Dropbox) can provide a secure method for an organization to make its less sensitive materials available for review. Access activity is logged automatically, and access can be limited to specific folders as needed.
The most important material may only be viewed at the client location; for example, confidential information or documents with special security provisions (e.g., client contracts). Also, records associated with operational activities (e.g., backup logs) may not be available off-site.
Good practice is to record enough detail that the source material can be referenced later if needed, which usually makes copying documents unnecessary. Title, date, revision history and responsible party should be recorded with all notes so that details can be verified later if necessary.
Interviews
Experience shows that interviewing key personnel is the best way to obtain the necessary detail. This process needs to be well organized and structured. The size of the organization may dictate that more than one person is needed to conduct interviews, and the number of operations, people and locations can present challenges to the consistency of data collection.
It is helpful to use structured sets of questions associated with well-known standards and to use technology to help organize and report on the findings. Austin Risk Consultants’ method for this is to leverage the global standards with enabling assessment software.
As the complete tool covers all aspects of the Plan-Do-Check-Act international standard, there is assurance that the complete life cycle of the program has been reviewed. Of course, because this maps to an open global standard, the client can also be confident that their assessment is not captive to proprietary techniques.
Three further aspects of interviewing should also be considered.
- Standard professional interview methods should be used. For example, a sequence of open-ended questions is a good way to drill down to a finding. The 'Five Whys' technique can be used to peel away the layers of symptoms and lead to the root cause of a problem.
- If operations are geographically diverse and budget and time are limited, consider using screen-sharing technology to save money and time. Although not as good as an in-person session, the trade-off can often make sense.
- Good note-taking protocol should be observed in the written record, e.g., persons interviewed, location, date, time, etc.
Reports
The most effective reporting is never measured by volume of pages in the report. Certainly there will be voluminous notes from individual interviews and document reviews, and these should be kept indefinitely for later use and possible comparison on the next cycle. However, the focus should be on improving the program by grouping findings into three categories:
- Major non-conformities to be targeted for action;
- Minor non-conformities that can often be grouped;
- Observations of possible general ways to do things better.
Such reporting is generally adequate for management to understand the state of the program and the areas needing improvement. The resulting corrective actions can then be delegated to responsible individuals, depending on corporate resources and risk appetite.
Summary
With experienced resources, an assessment can generate great value in a short time. The four steps of (1) creating an overall assessment plan, (2) reviewing documents and program data, (3) interviewing key personnel and (4) reporting results with a proposed improvement roadmap have proven highly effective.
Developing a great business continuity program is not an ‘immediate fix’. It takes time and effort. To achieve the goal of having an effective, workable, exercised and maintainable program, it is crucial to start correctly, with a clear view of the current status and of the work that will be required.
The authors
Chris Alvord, Founding Partner, Austin Risk Consultants
Chris Alvord has had senior roles in consulting and technology for 25+ years, designing an industry-leading web-based BCM software package, leading numerous large-scale projects, being a Certified Business Continuity Teacher, and holding ISO 22301, ISO 27001, CBCP, and MBCI certifications. He has presented, published and been quoted in numerous industry venues. Mr. Alvord has a BA from Harvard College, MBA from Harvard Business School, and has done doctoral coursework at Virginia Tech.
Jayne Howe, Associate Partner, Austin Risk Consultants
Jayne Howe, FBCI, MRP, CBRM is the Managing Partner of THE HOWE PARTNERSHIP, a Canadian consultancy specializing in the provision of business continuity planning and management. With over 30 years of experience in business continuity programs, Jayne was the first woman in the world to achieve the highest level of certification (Fellow) from The Business Continuity Institute. Additionally, Jayne is certified as a Master Recovery Planner and a Certified Business Resilience Manager. Ms. Howe is the only practitioner in Canada to hold all these designations.
Bob Draper, Associate Partner, Austin Risk Consultants
Bob Draper is a Fellow of the Business Continuity Institute with 35+ years’ experience, developing robust business continuity management policies and strategies across all sectors and in highly regulated environments. His BCM experience has been gained working with a wide range of global organizations in multiple sectors, including central government. In 1995, he founded Pentire Solutions Ltd, an independent consultancy, having previously worked for Duracell Batteries Ltd managing business continuity and IT services across Europe.
Austin Risk Consultants
Austin Risk Consultants focuses on improving BC, DR and risk programs rapidly using standards-based methods and tools, anywhere in the world, using three key elements: (1) senior staff, located globally, are deeply involved in all projects; (2) international standards ensure widely accepted work products; and (3) advanced software tools maximize reusability, accuracy and cost-effectiveness. Throughout, hands-on project leadership from proven resources in close consultation with the client ensures the highest quality deliverables.