BCM audit

A target-oriented and sustainable audit stands and falls with the auditor's wealth of knowledge and experience...

The audit

Cars are maintained so that they run without problems or warning lights – and they still have to go to the TÜV (the German vehicle inspection) regularly. Business continuity management systems, just like the BC plans they contain, also need to be maintained in order to function. Only regular inspections can ensure that they are effective in the event of a disruption.

Of course, for a management system this is not called maintenance but auditing. Audits are not only used to examine BC management systems, however, but also many other subjects, such as processes, financial status, projects, other management systems, products, software, guidelines and requirements. The question is always whether what is being audited meets the required standards. In other words, an audit is a target-performance comparison.

Audits differ in the way they are carried out. There are:

  • First-party audits: an internal audit carried out by the organisation's own employee. In a first-party audit, for example, the company's quality management is reviewed by an internal auditor.

  • Second-party audits: these are also called supplier audits. In companies with existing supply chains, for example, the purchasing company reviews the business continuity management of its suppliers (see also: Supply Chain Continuity Management). Deviations are discussed and remedied – and then reviewed again. Suggestions for improvement are also discussed during these audits and, where possible, implemented. For this purpose, either one of the company's own trained employees is sent to the company being audited or an external auditor is commissioned.

  • Third-party audits: here, certification is the goal. An external certification body checks, for example, whether a company's management system complies with ISO 22301:2019. The subsequent regular surveillance audits and the recertification audit are also part of this process.

All audits have in common that they check whether certain defined standards are implemented in a company/organisation.

Business continuity management audits follow a fixed cycle, which results from the BCM lifecycle itself. An annual repetition is recommended; for certified companies, audits at this interval are obligatory.

If the auditor is already familiar with the company and its organisation and/or no site inspections or visual checks are required, the audit can be carried out remotely. In this case, the auditor has all the necessary documents sent to him and conducts the audit interviews remotely. If the auditor does not know the company to be audited, on-site inspections are indispensable, particularly for the threat analysis, in order to get to know the company organisation including all of its facilities.

Procedure

BCM audit by Controllit AG to check the readiness for certification – an overview of the procedure

After the audit assignment and initial telephone calls to coordinate the content of the audit, the first step is to review and assess the documentation. These documents include, for example, the policy, the handbook, the BIA, the BC plans and the audit manual. This review also checks the effectiveness of the methodology. In parallel, the opening meeting and the audit plan are prepared and sent to all participants before the meeting date.

At the opening meeting, all participants are told how the audit will proceed; the audit itself then begins. Depending on its scope and depth, it can last from one day to several weeks. During the audit, the documentation and the management system are reviewed, and interviews are conducted with the BC manager responsible for the process and with other stakeholders.

This shows whether all processes are documented and implemented. If deviations are found during this phase, the auditor supports the auditee with solution-oriented suggestions for improvement so that the deviations can be eliminated as quickly as possible. Once all deviations have been discussed and summarised together with their proposed solutions, the closing meeting is prepared.

In this meeting, all deviations are reviewed with everyone involved. The audit report is then written and sent to the participants and to management. The report contains recommendations assessed according to priority, effect and effort. This concludes the audit.

And what happens in the company afterwards?

A targeted and sustainable audit depends on the auditor's knowledge and experience. In addition, quick comprehension, an understanding of complex processes and management systems, and a good knowledge of human nature are important. An auditor must neither come down hard the moment he notices a deficiency, nor let himself be led around by the nose when a process owner tries to hide a non-conformity, in whatever way, or wants to deviate from the audit plan.

Audits are a very valuable part of the BCM lifecycle: they help to optimise processes so that the organisation as a whole becomes more successful.

Is there a standard?

Yes: ISO 22301:2019. This standard for business continuity management systems is complemented by a standard for conducting audits (ISO 19011 "Guidance on auditing of management systems"). Are you looking for advice or support in the field of auditing or BCM? Controllit AG will be happy to advise you.