Key business continuity management (BCM) risks pose a threat to business operations, customer relations, and business value. It can lead to business failure. A business impact analysis (BIA), along with risk assessment, forms the foundation of BCM.

When an organization's proper BIA signals business impacts in various scenarios related to possible disruptions, it can prioritize its recovery strategies in the event of an unplanned event or disaster. This allows for efficient business recovery when things go wrong through reduced disruption, backed by support for correct business decisions throughout all stages of the incident response life cycle. BIA and business impact analysis is the first step in business continuity planning. It gives an organization business value by finding ways to keep value-adding business processes running while others are disrupted. A proper BIA uncovers the interdependencies between:

  • business units
  • customers
  • subsidiaries
  • and suppliers.

Improper or no BIA can lead to business interruption estimating X number of dollars for business loss due to a particular disaster or disruption. The best way to mitigate this risk is through the use of a business impact analysis template. It helps prioritize critical functions over less important ones on which the organization depends. When dealing with BCM issues, it's crucial to consider what actions need to be taken following an incident. However, it's also important to know why they need to be taken, and how they can be carried out.

The business continuity audit evaluates if an organization has appropriate BCM measures in place, along with the skills and resources needed to enact them in the event of a disaster or disruption. If these necessary steps aren't taken by businesses after running a BIA report, they are left open to increased risk of business interruption, possible loss of business value, customer dissatisfaction, and legal implications for noncompliance.

Key Aspects of a Business Continuity Audit

When conducting a business continuity audit, it's important to choose an auditor who is an expert in BCP processes. Often, organizations choose to hire auditors who are familiar with the same subject matter as the organization. This can lead to a stereotypical approach. Choosing an auditor who has a diverse background and understands BCP is a better choice. Regardless, of the method chosen, an auditor should understand BCP processes and procedures and be certified in the field. The purpose of a BCP audit is to identify gaps and implement measures necessary to improve BCP processes.

A BCP audit should start by identifying the process controls and metrics that are used to measure success in business continuity. The team should then interview all relevant personnel. The final report should include the results of the interviews and documentation notes. The auditor should also recommend actions to improve the company's BCP. The action plan should include a timeframe for remediation of the existing BCP. The objective of a business continuity audit is to ensure the organization's ability to cope with a disaster. A business continuity audit can be conducted internally or externally. An internal business continuity audit is conducted by an organization's employees. An external business continuity audit, on the other hand, is conducted by a third party.

Whether conducting an internal business continuity audit or engaging the services of a business continuity auditor, it is imperative to keep accurate records. Moreover, it's crucial to accurately represent business activities. It is equally important for business owners and managers to truly understand their business processes and how they interact with each other. Without this understanding, organizations cannot ascertain where stress points exist in BCP processes and what measures must be implemented to ensure survival without interruption of critical business functions.

What to Focus on During a Crisis?

When disaster strikes a small business, three key areas determine whether the company will perform:

  1. property damage assessment;
  2. business interruption assessment;
  3. business recovery capability assessment.

 These three areas overlap, but business owners should make a point to familiarize themselves with each of them independently.

Business continuity planning is an ongoing process. It involves creating business impact assessments, identifying business functions and processes, developing risk management plans, implementing business continuity plans, and testing the plan.

Expert business continuity planners often agree that it is more beneficial for businesses to put off BCP implementation until they have reached a certain size or complexity level. Additionally, most experts suggest waiting until a business is operating at maximum capacity before putting BCP into place. This tactic gives business owners an idea of the kinds of disasters their company could face in terms of what resources would be lost during a disaster of a certain magnitude.

Business continuity planning ensures the business is ready to face any emergency or crisis, minimizing downtime and other business losses. These plans not only save money. They also minimize potential business interruptions by ensuring business owners are well-versed in what should happen before, during, and after the disaster. By having a plan of action already in place, business owners can make sure their business continues to run smoothly. Even though nearly every type of emergency that may arise.

What to do After an Audit?

After the audit, the team should discuss the findings and create a draft report. It is important to ensure that the process is conducted objectively. It should be based on established business continuity metrics and should be conducted professionally. The BCP audit should also include a team that has an understanding of the company's business. Its goal should be to ensure that the company's policies are following the requirements of the law.

The team should be clear about the requirements of the business continuity plan. In addition to identifying and conducting the audit, the team should make sure that the metrics and other factors are up to date. The BCP audit should also incorporate the criteria and time frame of the business and its stakeholders. A team should be objective and present the results objectively. If the audit is thorough, it will be useful to update the company's business continuity strategy.

How business continuity strategy is used in business continuity planning depends on the approach that a company takes to business continuity. NIST SP 800-34 suggests that, when developing business continuity strategies and selecting business continuity objectives and essential services, an organization consider several key elements, such as business requirements and business priorities, organizational constraints, criticality of business functions and essential services, recovery time objectives (RTOs) and recovery point objectives (RPOs), the relative priority assigned to business functions and essential services, legal and regulatory requirements, the financial impact of business disruptions, physical site constraints, resumption times for business processes at alternate sites or recovery facilities.

Randall Lester

Randall Lester

Self employed CPA with 30+ years of experience, specializing in small to medium size businesses. Experienced with mom and pop operations to multistate 500+ employee companies. Extensive knowledge in construction accounting and financial statements on a work in progress basis.