Dr Goh Moh Heng Building Your Organization Business Continuity Management Com...
Standardised Audit Program

Risk Analysis and Review

| No. | Question | Clause | Component | Yes | No | Specific comments regarding deficiencies/effectiveness |
|---|---|---|---|---|---|---|
| 1 | Are internal and external risk events and impacts identified and reviewed by all business units and their operational processes? | 5.1 | Policies / Processes | | | |
| 2 | How is this done, and are records available for audit? | 5.1 / 5.2.2 | Policies | | | |
| 3 | Are both qualitative and quantitative impacts evaluated? Are records available? | 5.1 | Policies | | | |
| 4 | Is a procedure for the identification of external and operational risks established and available? | 5.2 | Policies | | | |
| 5 | Has the BCM committee reviewed the findings and recommendations of risk analysis efforts? Has it selected appropriate cost-effective treatment? | 5.2.1 | Policies | | | |
| 6 | How are identified risks treated, and are they documented? | 5.2.3 | Policies | | | |
| 7 | Is a list of potential disasters established, and what is selected as the most probable disaster? | 5.2.4 | Policies | | | |
| 8 | Is risk analysis carried out consistently across all business units? Are records of analysis available for all business units? | 5.2.5 | Policies | | | |
| 9 | Are the people involved in or responsible for risk analysis competent? Are training records available for the training conducted? | 5.2.6 | Policies / People | | | |
| 10 | Are the roles and skills of essential staff and external parties needed identified, established and documented? | 5.4.2 | People | | | |
| 11 | Has risk review and analysis been performed on critical equipment and facilities? Are risk treatments available for all identified risks? | 5.5 | Infrastructure | | | |
copy1ss540auditguide201214rarbiarsplan-110224004807-phpapp01.xlsx 1 2/23/2011
Business Impact Analysis

| No. | Question | Clause | Component | Yes | No | Specific comments regarding deficiencies/effectiveness |
|---|---|---|---|---|---|---|
| 1 | Was the BIA process completed? | 6 | | | | |
| 2 | Was the BIA conducted on a periodic and systematic basis, i.e. at a pre-determined frequency? | 6.1 | | | | |
| 3 | Are there any business or technology changes that require a review of the BIA? | 6.1 | | | | |
| 4 | Are there policies to govern the assessment of losses due to interruptions to business operations or processes? | 6.2 | Policies | | | |
| 5 | Is the MBCO of the organization clearly stated and documented by the Exe Mgt? | 6.2.1 | Policies | | | |
| 6 | How is the MBCO clearly defined and approved by the Exe Mgt? | 6.2.1 | Policies | | | |
| 7 | Are there any significant internal or external changes, especially in legal or contractual requirements, that require a review of the MBCO? | 6.2.1 | Policies | | | |
| 8 | Is there a BCM Steering committee? | 6.2.2 | Policies | | | |
| 9 | Is there a list for review of potential threats and risks for each business unit for the BCM Steering committee? | 6.2.2 | Policies | | | |
| 10 | Is the list reviewed by the BCM Steering committee? | 6.2.2 | Policies | | | |
| 11 | Is the list of CBF produced and prioritised by the Committee? | 6.2.2 | Policies | | | |
| 12 | Is the list of CBF the decision of the Committee? | 6.2.2 | Policies | | | |
| 13 | Are there any discrepancies in the CBF between the Business Unit Head and the BC team? | 6.2.2 | Policies | | | |
| 14 | Has the CBF been prioritized? | 6.2.2 | Policies | | | |
| 15 | Is the prioritized list reviewed and approved by the BCM Steering committee? | 6.2.2 | Policies | | | |
| 16 | Has the recovery prioritization of CBF been done in conjunction with the allocation of resources? | 6.2.2 | Policies | | | |
| 17 | Are there policies to ensure that the MBCO complies with legal and regulatory requirements? | 6.2.3 | Policies | | | |
| 18 | What is the expertise level of personnel undertaking the BIA? | 6.2.4 | Policies | | | |
| 19 | Do the CBFs support the MBCO? | 6.2.4 | Policies | | | |
| 20 | What considerations are the priority for analyzing the impact of risk on CBFs? | 6.2.5 | Policies | | | |
| 21 | Establish and approve the recovery priority with the allocation of resources. | 6.2.5 | Policies | | | |
| 22 | Are workplace safety and health considerations taken into account in the prioritization of the CBFs? | 6.2.5 | Policies | | | |
| 23 | Are legal and regulatory requirements considered in the prioritization of CBFs? | 6.2.5 | Policies | | | |
| 24 | Are quantitative or qualitative impacts considered for the CBF's impact of risk? | 6.2.5 | Policies | | | |
| 25 | Are there processes established to identify different disruptions to the business operations and functions? | 6.3 | Processes | | | |
| 26 | Are all the individual BU identified by: Name and description? Processes employed? Supporting systems? Special skills and expertise required? Resource requirements? | 6.3.1 | Processes | | | |
| 28 | Are the operational constraints of each Business Unit's CBFs provided? | 6.3.1.1 | Processes | | | |
| 29 | Has each BU identified the minimum level of services that must be provided to support the organisation's MBCO? | 6.3.1.2 | Processes | | | |
| 30 | Has an assessment of CBFs been done? | 6.3.2 | Processes | | | |
| 31 | Have inter-dependencies been identified for internal and external parties? | 6.3.2.1 | Processes | | | |
| 32 | Have alternate processes been examined and documented? | 6.3.2.2 | Processes | | | |
| 33 | Has the documentation been done for all the CBF and processes, i.e. SOP, flowcharts, manuals? | 6.3.2.3 | Processes | | | |
| 34 | Have the RTO and RPO of each CBF been determined? | 6.3.3 | Processes | | | |
| | Are the following areas considered in establishing the CBF priorities? Potential loss impact? Parallels and interdependencies? RTO/RPO? | | | | | |
| 35 | Have the processes for the identification, categorisation and prioritisation of vital records been established for each CBF process? | 6.3.5 | Processes | | | |
| 36 | Are the processes for data collection for the BIA phase kept? | 6.3.6 | Processes | | | |
| 37 | Have key personnel been identified for participation in the Business Impact Analysis? | 6.4 | People | | | |
| 38 | Are the probable impacts on existing infrastructure identified and assessed? Are the facilities required for each CBF identified? | 6.5 | Infrastructure | | | |
| 39 | Have the key personnel participated in and been consulted on the BIA? | 6.5 | Infrastructure | | | |
| 40 | Has an IT inventory for the CBFs been completed? | 6.5.1 | Infrastructure | | | |
| 41 | Is the available BC IT inventory able to support the MBCO? | 6.5.1 | Infrastructure | | | |
| 42 | Are the facilities required to support each CBF identified? | 6.5.2 | Infrastructure | | | |
Strategy

| No. | Question | Clause | Component | Yes | No | Specific comments regarding deficiencies/effectiveness |
|---|---|---|---|---|---|---|
| 1 | What is the scope for Recovery Strategy? | 7.1 | Scope | | | |
| 2 | What are the policies guiding the evaluation of recovery strategies? | 7.2 | Policies | | | |
| 3 | Does the BCM Steering committee review and approve recommended BCM strategies? | 7.2.1 | BCM Steering Committee | | | |
| 4 | Does the BCM Steering committee formulate the organisational recovery strategy based on probable disasters and CBFs? | 7.2.1 | BCM Steering Committee | | | |
| 5 | Was the strategy formulated based on risks faced by CBFs from one or a combination of the following: a. Revert to alternate processing capability; b. Arrange reciprocal arrangements, e.g. with another organization in the same industry; c. Establish alternate site or business facility; d. Arrange for alternate source of supply, e.g. of raw materials; e. Outsource to external vendor(s); f. Transfer of operation(s) to subsidiary business units; g. Rebuild from scratch after disaster; h. Do not take any action. | 7.2.2 | Strategy Formulation | | | |
| 6 | Is a set of guidelines established to guide the decision-making process for the above strategy? | 7.2.2 | Strategy Formulation | | | |
| 7 | Does the BCM steering committee undertake the following set of activities based on the feedback from business units with CBFs? a. deliberate on the recovery strategies for various CBFs and formulate an organisational recovery strategy in conjunction with probable disasters; and b. consolidate recovery requirements based on the organisational recovery strategy into contract specifications. | 7.3 | Processes | | | |
| 8 | Are there processes for a given recovery strategy to determine the following requirements: a. Skill set required by supporting staff; b. Technology and equipment; c. Facilities; d. Off-site storage and alternate site(s); and e. Alternate processing capabilities. | 7.3.1 | Recovery Strategy Requirements | | | |
| 9 | Were the non-technology continuity issues for each support service of CBFs reviewed? | 7.3.1 | Recovery Strategy Requirements | | | |
| 10 | Has a set of criteria been established to guide the evaluation of the appropriate recovery strategy for each CBF? | 7.3.2 | Recovery Strategy Evaluation Criteria | | | |
| 11 | Does the organisation have an adequate number of staff with the relevant skill set to support the organisational recovery strategy? | 7.4 | People | | | |
| 12 | Has alternate infrastructure been examined if the existing infrastructure is inadequate to support the recovery strategy? | 7.4 | People | | | |
| 13 | Is the organisation capable of providing the necessary infrastructure to support the organisational recovery strategy? | 7.5 | Infrastructure | | | |
| 14 | Is there a review of existing technology and equipment? | 7.5.1 | Technology and equipment | | | |
| 15 | Has a list of technical specifications for the technology and equipment been specified? | 7.5.1 | Technology and equipment | | | |
| 16 | Have the existing facilities been reviewed? | 7.5.2 | Facilities | | | |
| 17 | Does deliberation on the facilities used to support alternate processing include the following considerations: a. Acquisitions; b. Mutual agreement; c. Outsource to external vendors; and d. Manual workarounds? | 7.5.2.1 | Alternate Processing | | | |
| 18 | Have the criteria to guide the selection process of alternate processing vendors been established? | 7.5.2.2 | Alternate facilities outsourcing | | | |
BC Plan

| No. | Question | Clause | Component | Yes | No | Specific comments regarding deficiencies/effectiveness |
|---|---|---|---|---|---|---|
| 1 | Are a policy and process established and documented to govern the development of BC plans? | 8.2 | Policies | | | |
| 2 | Is the BC Plan, and subsequent changes, reviewed and approved by the BCM Steering Committee? | 8.2.1 | Policies | | | |
| 3 | Is an Emergency Operations Centre set up, with the associated conditions for operation and closure established and the head appointed? | 8.2.2 | Policies | | | |
| 4 | Is a policy governing emergency response and the priority for actions to be carried out established and documented? | 8.2.5 / 8.2.6 | Policies | | | |
| 5 | Are formal processes established for each component of the BC plan to determine their requirements? 1) Pre-incident preparation; 2) Initial damage assessment; …; 13) BC plan distribution and control | 8.3 | Processes | | | |
| 6 | Who are the people in the BCM Steering Committee? Are roles and responsibilities established and documented, including: 8.4.2) BCM Coordinator; ..; ..; 8.4.8) Damage assessment team (DAT) | 8.4 | People | | | |
| 7 | Is a procedure established to manage appropriate medical attention, assembly area and personnel safety? | 8.4.9 / 8.4.10 | People | | | |
| 8 | Is a contact list for key personnel drawn up and maintained? | 8.4.11 | People | | | |
| 9 | Does the BC plan address the requirements needed to operate and maintain all the infrastructure components to ensure that CBFs can continue within the planned levels of disruption? | 8.5 | Infrastructure | | | |
| 10 | Are critical and general equipment / supplies as well as communication requirements established and documented? | 8.5.1 | Infrastructure | | | |
| 11 | Are EOC as well as alternate site requirements identified and documented? | 8.5.2 | Infrastructure | | | |
Testing and Exercising

| No. | Question | Clause | Component | Yes | No | Specific comments regarding deficiencies/effectiveness |
|---|---|---|---|---|---|---|