I was introduced this morning to the Institute of Internal Auditors'(IIA) Web site (http://www.theiia.org/).
I was pointed there by another practitioner who agrees with me that "auditors are our friends."
The IIA publishes a series of documents called GTAGs; translation: Global Technology Audit Guides. There are 11 linked from http://www.theiia.org/guidance/technology/gtag/ .
GTAG 10 is titled Business Continuity Management.
It's a free PDF download and worth every bit of the 1.65M of space it will take up on a hard drive.
GTAG 10's authors - whose bios are included at near the end of the document, are real-world risk managers and come from a variety of industries.
I confess I was ready to hit the email when I read in the Page 1 Executive Summary that "The goal of business continuity management (BCM) is to restore critical business processes after a disaster has been declared."
While I agree with the focus on the business, my knee-jerk reaction was "where's avoidance and mitigation?" These two gems separate BC from DR more than anything else (in my book).
Page 2 was no better: BCM capabilities are focused on the recovery of critical business processes to minimize the financial and other impacts to a business caused during a disaster or business interruption."
But then I read:
2. Can the organization prove the business continuity risks are mitigated to an approved acceptable level and are recertified periodically?
and hope began to shine forth.
I found myself nodding my head in agreement as I read on Page 3 how IIA defines BCM:
Business continuity management is the process by which an organization prepares for future incidents that could jeopardize the organization’s core mission and its long-term viability. Such incidents include local events like building fires, regional events like earthquakes, or national events like pandemic illnesses. The key components of the BCM are:
Crisis Management Planning and Disaster Recovery of IT were separate headings.
I might quibble about the order of Risk Assessment and Risk Mitigation and Business Impact Analysis (BIA) in the IIA's list, and I firmly believe crisis management is part and parcel of business continuity, and that IT disaster recovery in part of the business continuity recovery process.
But all-in-all, IIA's document seems to have gotten off to a good start.
IIA really won me over when, on Page 6 it listed people as Number 1 under the Common Disaster Impacts heading. Following People were Facilities and equipment, Communication infrastructure, Supplies, and Information and IT systems.
I agree with so much of what is presented in GTAG 10, Business Continuity Management, I could have authored (most of) it.
For the ERM/BC/COOP practitioner, GTAG 10 is an excellent resource if for no other reason that it comes from auditors.
While many middle- and upper-level managers cringe when they hear the words "The auditors are coming," I delight in them.
Auditors, if they have any concept of business continuity, can be an asset to the practitioner.
Auditors, if they lack any concept of business continuity, should find a practitioner to give them an over view - or point them to this document and to the IIA.
There are a number of very good "what's business continuity and how to do it" documents out in the world; the International Facility Management Association has one.
What sets this publication apart is that auditors, unlike - say - facility managers, (should) have a broad view, a view that is focused on the enterprise rather than only a small part of the enterprise.
From my perspective, GTAG 10 is a keeper.
John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @ JohnGlennMBCI.com