A focus on the strategic operation of the assessment and audit function of the BCMS to meet system goals and objectives, maintain conformance, and leverage audit results to enhance awareness of the BCMS and the benefits it delivers. Topics include the design and methodology of the internal audit plan and opportunities for using proven performance to promote awareness of the BCMS and quantify the value of the system.
Main points covered:
• Gap Assessment and Internal Audit Plan
• Methodology
• Show ROI on performance
Presenter:
The presenter of this webinar will be Jan Decker. She is a Consultant in Emergency Management, Crisis Management and related Business Continuity plans, programs, and information systems. She is a certified ISO 22301 Lead Implementer and Lead Auditor Trainer.
Link to the recorded session published on YouTube: https://youtu.be/7AyikpO6GLA
Leveraging Gap Assessments and Internal Audits in ISO 22301
1. LEVERAGING ASSESSMENTS AND AUDITS IN ISO 22301
Return on Investment through Performance
Jan Decker
Crisis Management Consulting
BCMS Basics
www.crisismanagementconsulting.com
2. Jan Decker
Lead consultant and owner of Crisis Management Consulting
Jan Decker is a consultant in Emergency Management, Crisis Management and related Business Continuity plans, programs, and information systems. She is a certified ISO 22301 Lead Implementer and Lead Auditor Trainer.
Contact Information
Jan.decker@comcast.net | www.crisismanagementconsulting.com | https://www.linkedin.com/in/jan-decker-6b421b6
3. A BCMS is a quality system
• Planned
• Strategic – targeted at goals, objectives and sustained mission achievement
• Structured with policies, guidelines, and tangible elements
• Can be verified
• Operated by norms, processes and practices – repeated
• Measured and assessed
• Performance Outcomes
• Meets or exceeds goals
• Multiple outcomes and benefits
• Investment is realized into real value
• Quality Systems – ISO conformance is voluntary
4. Built upon and/or aligned to the ISO 22301 standard
• Major components – Clauses 4-10
• May share system components of Clauses 9-10
• Note that there are common elements in several Clauses
5. Organization Mission, Goals and Objectives
• Crosswalk the mission, goals and objectives of the organization to the standard
• Crosswalk the standard to the organization and the existing/current BC program
• Resolve any major gaps at the planning level
• The Organization’s Mission is primary
• The operation of the BCMS is to meet the Organization’s Mission
• The ISO 22301 standard is the guide and criteria
• If certification is the goal – then the Standard is primary
6. Baseline Assessment – Starting Point
• If there is no BCMS in place, this is a Gap Assessment with a preliminary comparison with the standard – and a set of gaps that present a work plan for alignment, focused on alignment and conformance over quality and performance.
• If there is a BCMS in place, this is a Gap Assessment on the following:
• Conformance with the ISO 22301 Standard
• Achievement of the Mission, Goals and Objectives of the Organization
• Current performance with respect to the standard and policy
• May include a focus on improvements
7. Quarterly and Annual Audit Plan
• If getting certified, the Assessment/Audit plan is fast-tracked over 6-12 months to complete a full cycle of audit/corrective action plan/improvement/verification/report and involvement of top management – and then the quarterly and annual plan is implemented.
8. Quarterly and Annual Audit Plan – 3 year program
• Plan to audit all clauses within 3 years
• Plan to address major gaps of non-conformance within solution timelines
• Plan to audit all major operations at least once a year
• Track the audit plan and status with an annual report
• Note where auditing in a clause also satisfies an audit in another clause – streamline
9. Integrate Quarterly and Annual Audit Plan with the BCMS program and the Organizational Business Operation
• Integrate audit plan and performance reports with other BCMS programs
• Training
• Testing and Exercise
• Awareness
• Competence
• Risk Management
• Strategic Planning
10. Gap Assessment and Internal Audit Methodologies
A Baseline Gap Assessment is a very comprehensive assessment. It is a comparison of the current program with the ISO Standard elements – there are 213 elements in ISO 22301.
11. Checklist – columns: #, BCMS Standard Element, Comments
1 Top Management Commitment
2 Stakeholders
3 Policy
4 Organization and Assignments
5 Risk Assessment and Risk Treatment, BIA
6 Objectives
7 BC Plans
8 Competency
9 Communications
10 Training and Awareness
11 Tests, Drills and Exercises
12 Incident Documentation
13 After Action Review
14 Non-Conformities
15 Root Cause Analysis
16 Corrective Action Plans
17 Continuous Improvement
18 Audits – Internal
19 Audits – External
20 Annual Report
21 Top Management Review
22 1-3 year program
One methodology is to outline the elements into major categories and create a basic checklist.
12. Checklist – columns: #, BC Plans, Comments
1 Site Safety Plan – OSHA 1910.38
2 Business Unit Business Continuity Plans
3 System Disaster Recovery Plan
4 Crisis Management Plan
5 Facilities Damage Assessment and Recovery Plan
6 Public Information and Crisis Communication Plan
7 Security Plan - Facilities
8 IT Security Plan
9 Incident Specific Contingency Plans
10 Community Assistance Plan
Example Detail List for Elements
13. Comprehensive Assessment with the ISO 22301 Standard
• Clauses 4-10
• Approximately 213 separate elements
• If there are other ISO systems in place, Clauses 9 and 10 may require less review
• Group together similar requirements
14. Example – Top Management and Audits
Clause 5.4 Organizational Roles, Responsibilities and Authorities – b. Reports on performance to top management: The audit reports are summarized and communicated to TOP MANAGEMENT, generally annually. Auditors should also meet with TOP MANAGEMENT during audits for the close-out meeting and report.
Clause 5.2 Management Commitment – o. Ensure internal audits are conducted
Clause 9.3 Management Review – Results of the BCMS audits and reviews, including suppliers and partners
18. Example – Quarterly Plan by ISO 22301 Clause
Clause 6.2 Business Continuity Objectives and Plans – Top Management SHALL ensure Business Continuity objectives are established and communicated for relevant functions and levels within the organization. Business Continuity objectives are both high level and are from the Business Impact Analysis. The most common are: RTO, RPO, MAO, MBCO – there may be others.
22. Self Assessment – Survey Tool
Supplement to Interviews and Quarterly data collection
• Survey selected elements and organizational units.
• Collect and review responses
• Collate data
• Select specific units for verification
23. Group Interviews and Review Meetings
• Multiple Departments and Units
• Conduct full survey of Program Components
• Conduct survey of ISO Clauses
• Combine with training
• See plans and documents
• Communicate goals, objectives, expectations
• Bring in top management for communication
24. Benefits and Advantages of Leveraging the Internal Audit Program
• Raises Awareness of the Goals, Objectives and Components of the BCMS
• Continuous Training through activities
• Promotes the update and maintenance of the plans, procedures and processes
• Encourages participation in the review and improvement plan
25. Benefits and Advantages of Leveraging the Internal Audit Program
• Completes the cycle of findings, solutions to gaps, implementation of solutions, and verification
• Regular performance tracking proves that the BCMS is operational
• Increases assurance that people and plans are ready
• Continual improvement of the BCMS is aligned with the growth and expansion of the organization
26. Performance and Reporting is the opportunity to show VALUE
• Annual reporting highlights the avoided loss and the resilience of the organization – a success of the BCMS and a work product of the audits
• Non-conformances equal potential failures and losses – conformance is a savings and an investment – validated by audits
• Use a methodology to show risk reduction and increased sustainability as performance and continuous improvement are measured
• Show the correlation between the BCMS and operational performance – highlight any incidents and recovery
27. Return on Investment of the BCMS – through the Audit Program
• Protection of the Value of the Organization – cost of the BCMS is a very small percentage of the gross annual operational value
Cost of BCMS:
• Services
• Contracts
• Dedicated Staff
• Training Time
• May limit this to the AUDIT cost
Gross Annual Operational Value:
• Total Revenue
• Total Sales
• Total Delivery of Services ($ Value)
• Organization Retail Value
28. Return on Investment of the BCMS – through the Audit Program
• Protection of the Value of the Organization – cost of the BCMS is a very small percentage of the gross annual operational value
Cost of BCMS: $100,000
Gross Annual Operational Value: $10,000,000
Ratio: 1%
29. Return on Investment of the BCMS – through the Audit Program
• Annual reporting highlights the avoided loss and the resilience of the organization – a success of the BCMS and a work product of the audits
Avoided loss results in profits and/or the achievement of the mission of the organization.
This is proven through the audit program, which reviews the performance tracking.
30. Return on Investment of the BCMS – through the Audit Program
• Use a methodology to show risk reduction and increased sustainability as performance and continuous improvement are measured
Performance of the BCMS has resulted in a 40% reduction in the overall risk score – validated through the audit program and annual reporting. This can be quantified into higher or greater resilience and therefore value to the organization.
31. Leveraging the Internal Audit program with the other operational activities of the BCMS – maximize the effectiveness of the audit function
• Include auditors in tests and exercises – they are trained, have greater understanding of what they are auditing and can provide an audit report to augment the audit plan
• Plan training and awareness programs just before audits – audits reinforce the training
• Use the audit findings for training and promotion of performance – champion good performance
32. Leveraging the Internal Audit program with the other operational activities of the BCMS
• Rotate internal auditors from one department to another – leverage the understanding within the organization of the high level objectives and integration of the plans and processes – cross training raises performance for the auditor in their own role and function in the BCMS
• Notify the auditor or supplement reports as solutions are implemented and updates are made – make this part of continuous improvement.
• Treat auditors as a key component of performance.
33. ISO 22301 Training Courses
ISO 22301 Introduction – 1-Day Course
ISO 22301 Foundation – 2-Day Course
ISO 22301 Lead Implementer – 5-Day Course
ISO 22301 Lead Auditor – 5-Day Course
Exam and certification fees are included in the training price.
https://pecb.com/iso-22301-training-courses | www.pecb.com/events