BCM Continuous Improvement

Audit and Other Initiatives

Business & IT Resilience Summit Dubai

Rolf von Roessing CISA, CISM, CGEIT, CISSP, FBCI
Session Overview
Continuous Improvement Tools
Audit Universe and Scoping
Applicable Standards
Audit Programme
BCMS and Life Cycle
BCM Controls
Sources of Further Information and Q & A

CONTINUOUS IMPROVEMENT
TOOLS
BCM Continuous Improvement Audit and Other Initiatives
Continuous Improvement Tools
Process Model
Continuous
Improvement Process
Ad hoc Improvement
Process
PDCA (Plan Do Check Act
ISO-based version of
Deming Cycle
Pervasive throughout
ISO 22301, 27031 etc.
Coexistence with
BCM Life Cycle
Audit and Review
1st Line of Defence:
Management Review
2nd Line of Defence:
Independent Review
3rd Line of Defence:
Audit
Improvement Processes
Continuous Improvement Process use to
improve the BCMS (i.e. the Toolbox) in a
controlled and regular manner
CIP is needed to maintain the BCMS up to date
and in line with recognised standards
Ad hoc Improvement Process use to address
operational improvements from various sources:
Test / exercise results
Audit findings
Local regulatory changes
etc.
PDCA Cycle
Embedded in most standards addressing BCM
and ITSCM, e.g. ISO 22301 and ISO 27031
Links BCM to other disciplines such as IT Security,
ITIL / ISO 20000, Quality Mgmt etc.
The phases Plan, Do, Check, Act are projected
onto the elements of the life cycle in ISO 22313,
ISO 27031 and the BCI Good Practice Guidelines
Your processes, controls and indicators should
always link to at least one phase of the PDCA
cycle to maintain alignment
AUDIT UNIVERSE AND SCOPING
Auditing Business Continuity
BCM Developments
2009
Information Security
IT Service Continuity Mgmt
BCM
Critical Infrastructure Prot.
ORM
Corporate Governance
Civil Defence
Business Information / Technology Strategy
Enterprise Risk Management
2010 2011
Public / Private
Technical
Resilience
Business
Resilience
Integrated
Resilience
Model
20xx
Security
Audit Universe and Scoping
Control Design
BCMS and Life Cycle (including PDCA)
Templates, Standards Alignment etc.
BC Organisation, Resources
Control Effectiveness
Contents of documents, e. g. strategy, BC plans
Key performance indicators
BC as part of the internal control system

APPLICABLE STANDARDS
Auditing Business Continuity
11
ISO 22300 Roadmap
BCI Prof. Practices
Joint Standards
BS 7799
ISO 17799
BS PAS 56
(2003)
BS PAS 77
ISO 27001
ISO PAS 22399-1
BS 25777
BS 25999
(2006)
ISO 22301
ISO 27031
Applicable Standards
ISO and GPG (2013) note the new life cycle!
Include subsidiary ISO 223xx standards as they
are published
Sector-specific:
Banking / Basel III and Insurance / Solvency II, e.g.
High level principles for business continuity (2006)
Include international (indirect) regulations, e. g. MAS
in Singapore
If IT is involved: ISO 27031, ISO 24762 (for
outsourcing DR)

AUDIT PROGRAMME
Auditing Business Continuity
Audit Programme
AP must be modular life cycle phases and BCMS
form the highest level
Define clear drill-down paths linked to risk and
maturity
Define the audit question to be answered
(compliance? feasibility study? due diligence?
forensic?)
Select appropriate subset of global audit
programme
Communicate to auditee and make necessary
adjustments

Audit Mode
Point in time traditional method of auditing as at a
certain date:
financial year end
asymmetric, for instance towards a certification date
Project-based in line with delivering v1.0 of an initiative
or project
often used in the early stages
pre-implementation, post-implementation, accompanying the
project
Continuous comparatively new method of auditing, taken
from financial and IT audit
Cooperative involvement of auditors at any time
Audit and advice converge
BCMS AND LIFE CYCLE
Auditing Business Continuity
BCMS and Life Cycle
Take a maturity and risk based approach
Top-down approach recommended
Audit phases of the life cycle AND the PDCA
cycle
Adapt your audit programme in line with self-
assessments delivered by the auditee
organisation

BCM CONTROLS
Auditing Business Continuity
BCM Controls
BIA completeness, plausibility (relative), links to balance sheet
and P/L as well as previous events
RA method and procedure (not the individual risks)
Strategy completeness, method, adequacy
Plans completeness, adequacy, timeliness, strategy alignment
Test strategy completeness and adequacy (maturity based)
Test and exercise master plan alignment with test strategy
Individual testing and exercising planning, deployment
(observation), post exercise analysis, reporting
Continuous improvement PDCA alignment, timeliness,
completeness
1st and 2nd lines of defence ensure that reviews and audits have
been performed adequately and comprehensively

FURTHER INFORMATION, Q & A
Auditing Business Continuity
Further Information
BCM audit is explained in detail (about 700
pages) in the 2nd edition of Auditing Business
Continuity: Global Best Practices, to be
published by Rothstein Associates soon
Sequel to the 1st (2002) edition, now includes
all relevant laws, regulations, standards
Enhanced and extended standard audit
programme
More web-based support, e. g. audit library

Contact Details
Forfa AG provides independent advice on ITSCM / BCM and business resilience.
We further consult in Governance, Risk and Compliance (GRC) and all aspects
of security

Forfa AG Holding
Andhauser Str. 62
8572 Berg TG, Switzerland
Phone: +41 71 636 1770
mobile: +49 172 6712322
rvr@scmltd.com
We form a network with
Controllit AG
Stresemannstr. 342
22761 Hamburg, Germany
Phone: +49 40 890 66 46 0
mrosenberg@controll-it.de
JANUS Consulting GmbH
Max-Planck-Str. 6
63128 Dietzenbach, Germany
Phone: +49 6074 729 348 0
bernd.buehler@janusconsulting.de
also visible on LinkedIn, XING (but
definitely not on Facebook)