BCM Audit - Are We Doing It Right? - Bank Islam Malaysia


Definition of Internal Auditing

“Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Source: International Professional Practices Framework, Institute of Internal Auditors

BCM Audit

“As part of its governance responsibility, the Board or a committee of the Board is expected to ensure that the institution has a workable BCP in place for all critical business functions and that the plan is consistent with the institution's overall business objectives.”

Source: B.1.1 Board & Management Oversight, Article 19, BNM Guidelines on BCM (2011)

Reference Documents for Internal Auditors on BCM

Evolution of BCM practices, guidelines and standards:

1995  NFPA 1600
1997  DRII Professional Practices
2002  BCI Good Practice Guidelines
2003  PAS 56
2006  BS 25999-1
2007  BS 25999-2, ISO/PAS 22399, MS 1970
2008  ISO/IEC 24762
2010  ASIS/BSI Business Continuity Management Standard, PD 25111, PD 25666
2011  BS 25777, PAS 200, ISO/IEC 27031, BNM BCM Guidelines
2012  ISO 22301

DRI International Professional Practices (PP) Program

(Slide diagram: the Professional Practices arranged in a cycle around “The Plan”.)

•  Program Initiation & Management
•  Risk Evaluation & Control
•  Business Impact Analysis
•  Develop BC Strategies
•  Emergency Preparedness & Response
•  Develop & Implement BC Plans
•  Awareness & Training
•  Test & Exercise
•  Audit & Maintenance
•  Crisis Communications & External Agencies

ISO 22301/DRII Professional Practices Cross Walk

PLAN – DO – CHECK – ACT (PDCA) MODEL

Establish (Plan) (Clauses 4, 5, 6 & 7)
  DRI’s PP: 1. Program Initiation & Management; 2. Risk Evaluation; 3. BIA; 4. BC Strategies

Implement & Operate (Do) (Clause 8)
  DRI’s PP: 6. Implement BC Plan; 5. Emergency Preparedness & Response; 9. Crisis Communication; 10. Coordination with External Agencies
  DRI’s PP: 7. Awareness & Training (shown in its own box on the slide)

Monitor & Review (Check) (Clause 9)

Maintain & Improve (Act) (Clause 10)
  DRI’s PP: 8. BC Plan Exercise & Maintaining

Audit Programme Requirements for BCM

ISO 22301:2012 [9.2 (b)]
“The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes.”

BNM’s Guidelines on BCM [D. Internal Audit – Principle]
“The institution’s internal audit should conduct regular independent evaluation of the adequacy and relevance of BCM policy, strategies, procedures and testing of the BCP and DRP.”

Emerging Risks: More Frequent and Devastating

Natural Disasters
•  Flood, Earthquake, Hurricane, Tsunami
Political Disaster
•  Protest in the Gulf region, Thai red shirts…
Technological Disaster
•  Computer Viruses, Cyber Attack, Cable Damage…
Manmade Disaster
•  Oil spill, Dam release, Pollution
Pandemic
•  H1N1, SARS

What is required of Internal Auditors when auditing BCM?

•  Form an opinion on the state of BCM readiness
•  Identify gaps and actions to close these gaps within a specified time frame

Audit using Existing Model (Given)

OR

Outcome Based Audit, focusing on:
(i) Risk Assessment
(ii) Test/Exercise

i) Risk Assessment

•  New Emerging Risk
•  Change to Existing Risk – Dynamic Process
•  Risk Arising from dependencies

ISO 22301 – 8.2.3 Risk Assessment
The organization shall
a)  identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them,
b)  systematically analyse risk,
c)  evaluate which disruption related risks require treatment, and
d)  identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite.

BNM B.2.1. Risk Assessment & BIA
In undertaking the risk assessment, scenario analysis and planning should be conducted based on the potential loss, inaccessibility or unavailability of the following resources:
a)  key personnel, including decision makers and recovery personnel,
b)  office premises (including branch, locally or abroad) and facilities within the same or nearby geographical location or region,
c)  critical business information and records,
d)  IT systems and infrastructure, including network devices and peripherals as well as other support facilities, and
e)  services of key suppliers, service providers or vendors, including outsourcing vendors.

[HOW ROBUST IS THE RA MODEL]

(i) AUDIT FOCUS ON RISK ASSESSMENT

(Slide diagram: the audit focus areas within the risk assessment process.)

Risk Identification
•  Regulatory Obligations
•  Emerging Risk
•  Changes to Existing Risk
•  Blind Spots (Risk arising from dependencies)

Reporting Requirements

Risk Evaluation
•  Systematic Risk Analysis

Addressing Risk
•  Risk Appetite

ii) Exercise & Testing

Objective [ISO 22301 – 8.5 (a-g)]
The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives. The organization shall conduct exercises and tests that
a)  are consistent with the scope and objectives of the BCMS,
b)  are based on appropriate scenarios that are well planned with clearly defined aims and objectives,
c)  taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties,
d)  minimize the risk of disruption of operations,
e)  produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements,
f)  are reviewed within the context of promoting continual improvement, and
g)  are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.

Source: ISO 22301:2012 – 8.5 (a-g)

TEST / EXERCISE METHODOLOGY

(Slide diagram: what the auditor examines in the test/exercise and in its outcome.)

Test / Exercise
•  What Scenario
•  Test Results
•  End-to-End
•  Any Actual Incident Record Used

OUTCOME
•  Post-Exercise Reports
•  Recommended Corrective Actions
•  Monitoring
•  Previous Audit Comments
•  Lessons Learned

Audit Rating
- Desired
- Short
- Failed

Exercise/Test Plan

a) Appropriateness of test methodology used – walk through/simulation/live test
b) Scope of test – silo/end-to-end/BCP only/BCP & DRP
c) Outcome achievement level – desired/short/failed
d) Were Lessons Learned built into the test?
e) Was the Audit Risk Rating reflective of the test outcome?

These questions have to be answered by the Auditors.

Conclusion

Auditing BCM is fairly straightforward, but stating an opinion on the state of BCM readiness and whether the organization has a workable BCP/DRP in place is the challenge. Evaluating the Risk Assessment and Testing Process via the OUTCOME approach, within the overall audit of the BCM System, is where Auditors can make a difference.