I don’t think that anyone is going to object to the recommendation that organisations need to document disruptive events so that there is a clear record of what happened and how the organisation handled it. But what if I were to recommend to you that your organisation should document events that haven’t happened?
Sounds crazy? Yes, I agree, but this is the recommendation contained in a book that I’m currently reading on ISO 22301 and Business Continuity. Unfortunately, the book doesn’t elaborate on how this is to be done in terms of which events to include and how much detail should be recorded. Both of these need to be defined if the recommendation is to be followed, otherwise it is a rather pointless recommendation.
If you decide to include every event that might happen then you’ll spend the rest of your life listing them and still not have covered them all. And once you’ve decided on a finite list, do you then go into detail about what the different responses might have been and what might have been the result of each response? In other words, write a novel about each event that hasn’t yet happened?
After a short period of reflection, I’ve decided that this is not a good idea. Is there anyone out there who thinks it is?
I have just started reading a book that I have been given about auditing business continuity, and have come across a remarkable statement in the book that says, and I quote, “…the internal auditor conducts the most detailed review work and therefore has the most input to a business continuity programme.”
Now, someone please correct me if I’m wrong, but shouldn’t the executive management have the most input to a business continuity programme, or maybe the individual tasked with managing the programme? I always thought that the role of internal audit was to review and challenge with a view to assisting the organisation to improve the way that it operates. This should be no different in the context of a business continuity programme.
To my mind the theory of how a business continuity programme should be implemented is very simple and straightforward (although the practice can be a bit tricky). The executive management set the strategic direction, allocate the resources, and appoint a suitably trained and knowledgeable person to manage the implementation. Internal audit check the implementation against whatever standard the organisation has decided to adopt, and make recommendations for improvement. This is a world away from “… has the most input to a business continuity programme.”
If internal audit set themselves up as the experts in business continuity, then they should manage the implementation. Maybe the Business Continuity Manager could then take over the review role and check internal audit’s implementation against the agreed standard.