Challenges in Auditing Business Continuity Management Systems
Written by: Nazlan Eza MBCI and Mohan Menon Hon-FBCI of the BCI’s Malaysian Chapter
Business Continuity Management (BCM) sometimes has a love-hate relationship with Internal Audit. There are organizations that comply to BCM requirements simply because of the dreaded annual Group Internal Audit – a boon to the BCM department. On the other hand, an inexperienced internal auditor can frustrate BCM. So, how do we manage the challenges of auditing BCM?
Assurance teams, like Internal Audit, are crucial to Organizational Resilience (and BCM) in providing further assurance to stakeholders that the organization’s resilience needs are addressed adequately. Regularly auditing the organization’s BCMS helps to ensure that it is always ready and fit for purpose in the event a business disruption or crisis occurs.
Indeed, with the increased post-COVID recognition of the value of BCM, there is an impetus to speed up BCM implementation or expand its scope, often with no commensurate ramp-up of supporting BCM resources. Audit findings provide confidence to the Board and Board Committees in seeing that no corners are cut, and can help justify management investment in additional BCM resources.
On the other hand, an inexperienced auditor can be a nightmare for a BCM manager. Auditors without BC competence may not understand the subtle nuances of BCM, and could treat an audit as just another administrative exercise. Such an auditor might try to hide their inexperience and fill up an otherwise thin audit report by being overly pedantic on checklists without a sense of prioritisation regarding what’s important.
Auditors should realize that BCM is a journey of maturity. The level of maturity aspired to hinges on the organization’s risk context, risk appetite, and budgets. Not every organization has the resources to be world class in BCM or wants to certify the entire organization to ISO 22301; and not every organization needs to. The focus should be on auditing the core BCM basics, leaving the rest for a life-long, planned, and measured corporate journey of incremental improvements in resilience.
Underpinning this is the knowledge and experience of the auditor. The Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF) IPPF Standard 1210 on Proficiency states: “Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.”
ISO 22313:2020 states: “….the persons conducting the audit should be competent and able to do so impartially and objectively.”
Audit should also take heart of the contents from other authoritative sources, such as the BCI’s Good Practices Guidelines 2018 (GPG) and DRII’s Professional Practices and Standards.
Failing to heed the advice in these standards and guidelines will not only result in an ineffective audit outcome, but may also scuttle existing progress in the BC programme.
Auditors shouldn’t be shy to get expert assistance where needed. Let’s face it, BCM is a fairly complex topic that can’t be learnt overnight. If they find themselves out of their depth, they should seek the assistance of independent BC experts to augment their audit team. The IIA IPPF 1210.A1 standard states: “The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skill, or other competencies needed to perform all or part of the engagement.”
These subject matter experts can help give appropriate or prioritised findings and recommendations that do not overwhelm or frustrate the BCM efforts of the organization.
Last but not least, Internal Audit’s over-reaction to honest disclosure by the BCM department, on scope-exclusions and declarations of current BCM maturity levels (or lack thereof), can lead to a dangerous corporate culture of concealing deficiency. Such an overreaction is sometimes done to fill up audit reports with erudite content — perhaps hiding an auditor’s thin expertise. Audit findings should record deficiencies and yet be written in a way to encourage open disclosure in future engagements. This is not a call to hide deficiencies. It is about knowing where and when to increase the volume of a legitimate finding.
Internal Audit should recognise that perfect BCM does not exist and most organizations are on a lifelong BCM maturity journey. They should have the skills to focus on a risk-based approach to BCM audit that focuses on important elements rather than a pedantic clause-by-clause checklist approach. They should know how to emphasise a core deficiency, and also moderate their volume and help the BCM team seek management support on an honest disclosure. If they don’t have this capability, they should not hold back on seeking the assistance of independent BCM experts to augment their audit teams.
Get involved in BCAW 2023 - Follow the link below: