A methodology for business continuity gap analysis

Published: Thursday, 26 May 2016 08:29

Whether as a step towards ISO 22301 certification or as a means to improve the current business continuity management program, a gap analysis is an effective method of identifying areas of the BCMS needing attention. In this article Chris Alvord, Jayne Howe and Bob Draper from Austin Risk Consultants describe a method for an external business continuity gap analysis.

Overview

For many organizations, it is a constant challenge to meet the current year goals and objective for the business continuity management program.  There are a plethora of causes and symptoms, including:

But there is hope.  A set of fresh eyes to perform a gap analysis of your BCM program can highlight non-conformities and provide direction on how to reasonably move forward to meet your goals.

Assessment plan

Planning for an assessment effort depends on many factors, including some of the following:

With these variables in mind, an experienced practitioner can determine the requirements for the program, enabling the right level of people, time, resources and deliverables to be assigned.

Documents and records

A necessary start to an assessment is to review all relevant documentation associated with the BCM program.  Of course the possibilities are many.  Austin Risk Consultants has a four-page detailed list of possibilities that is shared with clients.  Although this complete list is beyond the scope of this article, general categories are as follows:

New technology can enable some additional productivity in the review process.  File-sharing services (e.g., Dropbox) can provide secure methods for an organization to make their less sensitive materials available for review.  Activity is captured automatically and limited access to folders can be defined as needed.

The most important material may only be viewed at the client location; for example, confidential information or documents with special security provisions (e.g., client contracts).  Also, records associated with operational activities (e.g., backup logs) may not be available off-site.

Good practices include recording enough detail so the source material can be referenced, as needed, at a later date, so it is unlikely and probably unnecessary to make copies.  Title, date, revision history and responsible party should be included with all notes to allow later verification of details, if necessary.

Interviews

Experience shows that interviewing key personnel is the best way to obtain the necessary detail.  This process needs to be well organized and structured.  The size of the organization may dictate that more than one person may be necessary to conduct interviews and the number of operations, people and locations can make present challenges in the consistency of data collection.

It is helpful to use structured sets of questions associated with well-known standards and to use technology to help organize and report on the findings.  Austin Risk Consultants’ method for this is to leverage the global standards with enabling assessment software. 

As the complete tool covers all aspects of the Plan-Do-Check-Act international standard, there is assurance that the complete life cycle of the program has been reviewed.  Of course, as this maps to an open global standard, the client can also know that their assessment is not a captive of proprietary techniques.

Three further aspects of interviewing should also be considered.

Reports

The most effective reporting is never measured by volume of pages in the report.  Certainly there will be voluminous notes from individual interviews and document reviews, and these should be kept indefinitely for later use and possible comparison on the next cycle.  However, the focus should be on improving the program by grouping findings into three categories:

Such reporting is generally adequate for management to understand the state of the program and the areas needed for improvement.  Resultant corrective actions can then be delegated to responsible individuals for action, depending on corporate resources and risk appetite.

Summary

With experienced resources, an assessment can generate great value in a short time.  The four steps of (1) creating an overall assessment plan, (2) review of documents and program data, (3) interviews with key personnel and (4) results reporting with a proposed improvement roadmap has proven highly effective.

Developing a great business continuity program is not an ‘immediate fix’. It takes time and effort.  To achieve the goal of having an effective, workable, exercised and maintainable program, it is crucial to start correctly, with a clear view of the current status and of the work that will be required.

The authors

Chris Alvord, Founding Partner, Austin Risk Consultants
Chris Alvord has had senior roles in consulting and technology for 25+ years, designing an industry-leading web-based BCM software package, leading numerous large-scale projects, being a Certified Business Continuity Teacher, and holding ISO 22301, ISO 27001, CBCP, and MBCI certifications. He has presented, published and been quoted in numerous industry venues. Mr. Alvord has a BA from Harvard College, MBA from Harvard Business School, and has done doctoral coursework at Virginia Tech. 

Jayne Howe, Associate Partner, Austin Risk Consultants
Jayne Howe, FBCI, MRP, CBRM is the Managing Partner of THE HOWE PARTNERSHIP, a Canadian consultancy specializing in the provision of business continuity planning and management. With over 30+ years of experience in Business Continuity Programs, Jaye was the first female in the world to achieve the highest level of certification (Fellow) from The Business Continuity Institute. Additionally, Jayne is certified as a Master Recovery Planner, and a Certified Business Resilience Manager.  Ms. Howe is the only practitioner in Canada to hold all these designations.

Bob Draper, Associate Partner, Austin Risk Consultants
Bob Draper is a Fellow of the Business Continuity Institute with 35+ years’ experience, developing robust business continuity management policies and strategies across all sectors and in highly regulated environments. His BCM experience has been gained working with a wide range of global organizations in multiple sectors, including central government.  In 1995, he founded Pentire Solutions Ltd, an independent consultancy, having previously worked for Duracell Batteries Ltd managing business continuity and IT services across Europe.

Austin Risk Consultants
Austin Risk Consultants focuses on improving BC, DR and risk programs rapidly using standards-based methods and tools, anywhere in the world, using three key elements: (1) Senior staff, located globally, are deeply involved in all projects, (2) International standards ensures widely accepted work products and (3) Advanced software tools maximize reusability, accuracy, and cost-effective methods.  Throughout, hands-on project leadership from proven resources in close consultation with the client ensures the highest quality deliverables.

www.austinriskconsultants.com