Skip navigation

Tag Archives: audit

In a survey about the experience of handling major losses undertaken Vericlaim and Alarm, more than half of respondents “rated the practical assistance offered by a BCP (Business Continuity Plan) following a major incident as one or two out of a possible score of five”. In other words, the BC Plans of the organisations responding to the survey were found to not particularly helpful when responding to a major loss!

This finding seems to have been rather under reported by the BC community who are usually so forward in explaining the importance of having a BC Plan and extolling the virtues of BC in improving resilience. Personally, I find it a damning indictment of the BC profession.

One of the things that constantly both amuses and horrifies me is how far most BC Plans are from the description given in the Business Continuity Institute’s (BCI’s) Good Practice Guidelines. This states that a BC Plan should be “…focused, specific and easy to use…”, and that the important characteristics for an effective BC Plan are that is direct, adaptable, concise, and relevant.

Over the years I have had the pleasure of see hundreds, if not thousands of BC Plans from a wide variety of organisations, and I can safely say that more than 90% of these plans do not fit in with this description. They tend to contain lots of information that is irrelevant to the purpose of responding to a major incident and seem to be written more for the benefit of the organisation’s auditors than for use by people who need to take action to reduce the impact of the incident on the organisation.

As a BC consultant, I keep trying my best to improve BC Plans, but I’m constantly being knocked back by people who tell me that all sorts of things need to be put into their BC Plans, more often than not because of an audit or review undertaken by a third party.

For far too long this situation has been allowed to continue unchallenged. It cannot do so for too much longer without the BC profession losing credibility.



I have just started reading a book that I have been given about auditing business continuity, and have come across a remarkable statement in the book that says, and I quote, “…the internal auditor conducts the most detailed review work and therefore has the most input to a business continuity programme.”

Now, someone please correct me if I’m wrong, but shouldn’t the executive management have the most input to a business continuity programme, or maybe the individual tasked with managing the programme? I always thought that the role of internal audit was to review and challenge with a view to assist the organisation to improve the way that it operates. This should be no different in the context of a business continuity programme.

To my mind the theory of how a business continuity programme should implemented is very simple and straight forward (although the practice can be a bit tricky). The executive management set the strategic direction, allocate the resources, and appoint a suitably trained and knowledgeable person to manage the implementation. Internal audit check the implementation against whatever standard the organisation has decided to adopt, and make recommendations for improvement. This is a world away from “… has the most input to a business continuity programme.”

If internal audit set themselves up as the experts in business continuity, then they should manage the implementation. Maybe the Business Continuity Manager could then take over the review role and check internal audit’s implementation against the agreed standard.