Maintain & Audit Business Continuity Plans
Upcoming SlideShare
Loading in...5
×
 

Maintain & Audit Business Continuity Plans

on

  • 956 views

This document describes how to maintain continuity plans, specifically the COOP and EOP. It describes key plan steps, suggests self-assessment instruments, and makes a case of conducting both ...

This document describes how to maintain continuity plans, specifically the COOP and EOP. It describes key plan steps, suggests self-assessment instruments, and makes a case of conducting both internal reviews and external audits. It identifies the appropriate standards for the public sector, describes the audit elements and process, who should be involved, functions and documents to review, the audit approach, and how to manage shortcomings and make improvements.

Statistics

Views

Total Views
956
Views on SlideShare
955
Embed Views
1

Actions

Likes
0
Downloads
15
Comments
0

1 Embed 1

http://www.linkedin.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Maintain & Audit Business Continuity Plans Maintain & Audit Business Continuity Plans Document Transcript

  • " Maintaining and Auditing a Business Continuity Program- A Plan for a Municipality" February 12, 2011 by Andrew M. Amalfitano
  • CONTENTSI. Introduction.....................................................................................................................................................................................3II. Plan ......................................................................................................................................................................................................4 Key Plan Steps: ..............................................................................................................................................................................4 1. On-going .................................................................................................................................................................................4 2. Awareness and Launch ...................................................................................................................................................4 3. Implement .............................................................................................................................................................................5 4. Considerations ....................................................................................................................................................................5III. Audit ..................................................................................................................................................................................................5 Standards..........................................................................................................................................................................................6 Audit Elements ..............................................................................................................................................................................8 Process ...............................................................................................................................................................................................8 Identification of Individuals to be involved in the Audit ...................................................................................9 Functions to be Included in Audit ..................................................................................................................................9 Audit Approach ....................................................................................................................................................................10 Documents to review ..............................................................................................................................................................11 Audit Instrument .......................................................................................................................................................................12 Correcting Shortcomings.......................................................................................................................................................12III. Conclusion ..................................................................................................................................................................................13Appendix A - Continuity Assistance Tool (CAT) .............................................................................................................14Appendix B: Plan Maintenance Example: National Center of State Courts ......................................................16References ..........................................................................................................................................................................................17©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 2 of 17
  • I. INTRODUCTIONA well developed, dusty plan sitting on a shelf does not ensure the City will be ready to weathera major crisis or disaster. To really be ready, the City must maintain current plans, keep peopletrained and informed, and exercise those plans on a periodic basis.Scheduled, informal reviews1 and annual, independent audits 2 are recommended and cansignificantly improve the overall readiness of the City. Two plans in particular that must bemaintained in a current and effective condition are the Continuity of Operations Plan-COOP andthe Emergency Operations Plan-EOP.Maintaining Continuity of Operations and Emergency Operation Plans can help ensure that theCity is ready for the unforeseen major crisis or disaster. This process includes the review,testing, and update of the plans on a regular and defined schedule.Audits may not always be necessary, however, due to their independent nature, are often avaluable check and balance to internal plan reviews. Audits can objectively determine theadequacy of controls and level of compliance to any appropriate standards.This document describes how to maintain continuity plans, specifically the COOP and EOP. Itdescribes key plan steps, suggests self-assessment instruments, and makes a case of conductingboth internal reviews and external audits. It identifies the appropriate standards for the publicsector, describes the audit elements and process, who should be involved, functions anddocuments to review, the audit approach, and how to manage shortcomings and makeimprovements.1 "REVIEW is the internal quality control process which looks for a practical and effective capability; it checks that nothing has been overlooked; it reviews and assesses the past and considers the future; and it takes note of changing circumstances and makes recommendations where appropriate." [Burtles]2 "AUDITING is the external process which looks for evidence of compliance with policy, prudence with finance, achievement of purposes and justification of claims." [Burtles]©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 3 of 17
  • II. PLANThe fundamental plan for maintaining and auditing the continuity program at a municipality isto follow the established testing, exercise, maintenance, and review process designated in theCOOP plan itself.This process includes what to review, the frequency of review and update, who is responsiblefor the review, and the criteria by which to determine the viability of the plan. A viable planexists when there is proof (through training, testing, and exercises) that the plan can beimplemented during a crisis or disaster and that the Citys mission essential functions can becontinued successfully.A comprehensive strategy for maintaining plans should inform the maintenance review andaudit planning process. For the public sector, the establishment of a Multi-Year Strategy andProgram Management Plan is recommended.3KEY PLAN STEPS:1. ON-GOING a. Take actions to revise and update plan on a periodic cycle b. Train new personnel and provide refresher training for others c. Conduct periodic exercises, follow up with corrective actions from AAR 4 d. Adhere to general COOP planning requirements e. Identify issues that may impact the COOP and drive the frequency of changes f. Identify the instrument(s) to be used to conduct the audit g. Ensure there is adequate budget and funding for exercises and plan maintenance2. AWARENESS AND LAUNCH3 FEMA (2009) continuity assistance tool document.4 FEMA (2007) http://training.fema.gov/EMIweb/edu/docs/TopOff4_afteraction_report2007.pdf©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 4 of 17
  • a. Inform those involved b. Get support and agreement from City functional directors c. Designate a review team d. Determine scope of the review or audit • A description of elements that ensure a viable COOP capability. • Identification of resources required to establish each element. • Discussion of organization-specific management and policy issues. e. Appoint and introduce the auditor as needed3. IMPLEMENT a. Begin the audit b. Auditor meets with designated individuals, documents specific findings, uses the identified instrument to score each function, and reports on findings.4. CONSIDERATIONS a. Final reporting of findings b. Recommendations for plan maintenance improvements c. Identification of deficiencies and opportunities for improvement d. Commitment by City management to support, budget, rectify shortcomings by specific dates e. Scheduling of next auditIII. AUDITA continuity audit is an evaluation of a the viability, at a point in time, of the COOP andEmergency Operations in terms of people, the City as an organization, systems, processes, andfunctions. The audit is conducted by an independent person or entity who will focus on thebusiness continuity and emergency operational readiness of the City based on the plancomponents.©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 5 of 17
  • There are many benefits of a continuity audit at the City. The continuity audit can provide anindependent evaluation of the COOP and EOP plans and identify strengths and weakness of theprogram. An audit can bring to light risks inherent in the plans and suggest strategies to reduceor eliminate the risks. Finally, a thorough audit will report results that includerecommendations for improvements to the plans.An audit of the emergency management/continuity of operations plans at the City will be donein two phases. In the first phase, the Manager of the Office of Emergency Management willcoordinate period reviews, report on findings, and obtain budget and direction to makeimprovements. Phase two will be an annual audit conducted by an independent person ororganization external to the City, that is, not an employee, vendors or supplier, or any persondirectly affiliated with the city.STANDARDSThe most appropriate business continuity standards to follow for a municipality are thoseapplicable to the public sector: NFPA 1600, FPC-65, and FEMA COOP Guidelines. NFPA 1600The NFPA 1600 standard establishes "...a common set of criteria for all hazardsdisaster/emergency management and business continuity programs". [NFPA 1600]NFPA 1600 is a very relevant standard designed to "...apply to public, not-for profit, non-governmental organizations (NGO), and private entities". [NFPA] The standard addressesprogram improvement and provides a self-assessment tool which can serve as a valuablemeans of performing a self-audit of the COOP plan. [NFPA] FPC-65©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 6 of 17
  • The Federal Preparedness Circular-65, while designed for federal level agencies, suggests thatstates and local government develop similar continuity of operations preparedness programsthat would align with the federal guidelines. As such, maintenance of the COOP should be partof a multi-year strategy and program management plan. FPC-65 includes a definition of the 11elements that agency COOP plans and programs must contain to be considered viable. Whenauditing a COOP plan, each of these 11 elements should be evaluated and assessed". [US DHS-audit forum 2007] FEMA Continuity of Operations Plan GuidelinesThe COOP training provided by FEMA is part of the Continuity Excellence series. One of thefundamental aspects of the training describes the importance of testing, exercises, after actionreporting, corrective action and improvements. These elements constitute direction on how tobest keep updated plans, and maintain and improve agency readiness. [FEMA]In addition, there are other standards that should be reviewed for their applicability to thebusiness of the City.These may include the following:Standard Applies to this FunctionDepartment of Homeland Security and Federal Emergency COOP PlanManagement Agency (DHS/FEMA), Federal ContinuityDirective 1 and Federal Continuity Directive 2Health Insurance Portability and Accountability Act (HIPAA) Human Resources– Regarding medical records protectionsNational Institute of Standards and Technology (NIST) – Information Systems-IT“Contingency Planning Guide for Information TechnologySystems”.Federal Financial Institutions Examinations Council (FFIEC) Finance and TreasuryFEMA: National Response Framework-Incident Management Incident Management andSystem - ICS Emergency Operations PlanFigure 1: Additional Standards©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 7 of 17
  • AUDIT ELEMENTSAn audit should cover a broad view of the continuity plan as well as a deep-dive into any detailsthat demand further inspection. Typically, a more detailed review is instigated by higher levelfindings that elicit missing data, or are deemed inaccurate, incomplete, or suspect for anyreason.Since a COOP plan includes all essential city functions, this is the only plan that needs to beaudited. However, given the criticality of emergency operations, it would be beneficial toinclude the Emergency Operations Plan in an audit. Therefore, the plans to be reviewed andaudited should be: Continuity of Operations Plan-COOP Incident Management and Emergency Operations Plan-IC/EOPPROCESSThe audit process can be as simple or elaborate as desired, however, simpler and shorter induration is usually better.The process begins with identification of those individuals to be involved with the review oraudit process. This may be an individual or a team, and in the case of an audit will usually be anperson external to the City.The scope of the audit will identify which City functions, plans, and territory will be audited.The scope should be based on applicable standards and those functions represented in theCOOP or EOP plans. Any areas deemed outside of the plans should be excluded from the audit.An approach to the audit should be established based on the goal of the audit. Since the goal ofmost audits is to verify the existence of proof that a plan exists and is viable, then suitablestandards should be used for comparison. The types of questions should be identified early inthe process along with the instrument or tool to be used to score or rate the plans.©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 8 of 17
  • A list of plan elements, documents to review, and people to interview should be identified andthose involved should be notified in advance.Conducting the audit should be bounded by time and scope with a description of expectationsof the auditor and all those involved. This requires good, clear communication of the intent andpurpose of the audit and expected outcomes.Finally, there should be a pre-determined description of how the results will be reported, towhom, and what action will be taken with those results. Where deficiencies are identified thereshould be an openness to creating and implementing corrective actions, who will beresponsible, and in what time frame those improvements will be accomplished.IDENTIFICATION OF INDIVIDUALS TO BE INVOLVED IN THE AUDITA formal, annual audit can be preceded by informal, more frequent reviews. The reviews shouldinclude conversations with either the director of each city function or a person whom theydesignate. During the formation of the COOP plan, each function identified a representativewho developed their portion of the plan. These individuals would be ideal interviewees for theaudit process, as well as, be involved in regular plan maintenance, testing and exercising of theplan, and the review process. An audit of the EOP would best be conducted by anotherqualified organization who also understands the nature of emergency operations. For this City,the logical choice is the County Office of Emergency Management.FUNCTIONS TO BE INCLUDED IN AUDITThe following functions should be involved with the director of each function being responsiblefor plan review and audit completion:  Office of the City Manager  Buildings & Facilities  Community Services  Finance  Human Resources©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 9 of 17
  •  Information Technology  Light, Power, and Communications  Public Safety (Police, Fire, EMS, OEM, Emergency Communications)  Public WorksAUDIT APPROACHThe approach to conducting an audit should be supportive and positive with the intent ofidentifying opportunities for improvement. The overall goal, of course, is for the City to beoperationally ready to continue mission essential functions during a crisis or disaster. The auditshould support that goal.The City Managers office should ensure that all departments and functions are made aware ofthe value of an audit and set the expectation for full cooperation. Once awareness isestablished, and an auditor is identified, the process should begin with a conversation andinterview from the top down. The directors of each function would first be interviewedfollowed by a person whom they designate to represent their function. On some occasions theauditor may go beyond these two people for each function depending on what is found duringthe initial functional assessment.A broad range of questions will yield an overall assessment of the general viability of the COOPand Emergency Operations Plan.At a high level, the following types of questions should be considered: a. Does the COOP plan meet (as a guideline) the FPC-65 requirements? b. Does the EOP plan meet (as a guideline) the NFPA 1600 requirements? c. Do we find the specifics in each plan evident in reality? i.e. are the specifics demonstrated by adequate funding, facilities, record keeping, systems integration, trained and dedicated personnel, across all City functions?©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 10 of 17
  • d. Is there adequate oversight of the COOP and EOP plans to ensure completeness and viability? e. Are each of the 11 elements of the COOP plan reviewed and complete? f. Are each of the 11 elements of the COOP plan tested and exercises at an appropriate frequency? g. Is there evidence of an After Action Report for each exercise and is there documentation of corrective action follow up? h. Does the electronic version of documentation exist, is it backed up adequately, and can it be easily produced when asked? i. Are plans and individual elements up to dateWith these broad and high-level questions asked, the audit can proceed into more detail asneeded to gain a more full and accurate assessment of the current state of the COOP and EOPplans.DOCUMENTS TO REVIEWThe key documents that should be kept up to date and reviewed periodically are those thatsupport the mission essential functions of each city function. For the EOP, the entire planincluding annexes and appendices should be included.All 11 elements of the COOP plan may have documents and if so, all of these documents shouldbe reviewed. In any case, the minimum document review list should be:  Mission Essential Functions  Key personnel contact information  Information System codes, software, keys, passwords  Vital records and data files  Critical vendor and supplier contact information  Building access and security documents©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 11 of 17
  •  Plans: Continuity of Operations-COOP, Emergency Operations-EOP, Continuity of GovernmentAUDIT INSTRUMENTThe NFPA 1600 standard offers a suggested self-assessment instrument/tool which can be usedby the City to perform a quick evaluation of the conformity to requirements of the COOP andEOP plans. That instrument can be found in the table labeled Table C.1. of Annex C of the NFPA1600 standard. The tool allows indication of "conformity, partial conformity, or nonconformityas well as indicate evidence of conformity, corrective action, task assignment, a schedule foraction, or other information in the Comments column." [NFPA 1600 Annex C]In addition to the NFPA tool, FEMA offers a Continuity Assistance Tool-CAT. The CAT toolprovides a way to identify the strengths and weaknesses of the City continuity plan and showareas that need improvement. See Appendix A for more details.CORRECTING SHORTCOMINGSAny review or audit process will elicit the identification of strengths and weaknesses orshortcomings. These shortcomings should be well documented with clear and conciserecommendations of what actions should be taken to make improvements. Vaguegeneralizations are not useful and should be avoided.As part of the steering of the review or audit, the City Managers office should get agreementwith the functional directors as to who the audience is to hear and consider the findings andtake actions. As a municipality, ultimately any citizen should be able to have visibility to theresults and actions being taken to mitigate and improve the COOP and EOP plans based on thereview or audit findings.©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 12 of 17
  • A project plan approach should be used to track and demonstrate that improvements havebeen implemented. Typical tracking will include a set of numbered actions, with a description ofwhat complete looks like, the name of the person responsible for seeing that the improvementis completed and an agreed to time frame or due date.III. CONCLUSIONThis document presents a plan for maintaining the COOP and EOP plans of the City. A case ismade of the benefits of conducting both a periodic internal review and an annual independentaudit. A plan is proposed with key actions to be taken along with a description of the elementsand approach of an audit.The municipality as a public entity should conform with established standards from governmententities, namely FEMA continuity guidelines, NFPA 1600 and others pertinent directives.The use of suggested evaluation instruments can help bring consistency to a self-assessmentand provide for a repeatable process. The document establishes the need for transparency ofthe findings and urges prompt and coordinated actions to fix shortcomings and instituteimprovements.The end result of a proper maintenance plan and audit program will be a higher degree ofassurance that the city is ready to continue mission essential functions during a crisis ordisaster. This assurance can only come from a systematic and documented approach to planmaintenance that demonstrates accountability through specific actions.©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 13 of 17
  • APPENDIX A - CONTINUITY ASSISTANCE TOOL (CAT)5FEMA provides a tool to help public sector organizations like the City to perform a self-evaluation of their continuity programs."CAT PROCESSThe process provided below is the recommended method to apply this tool:Step 1: The continuity manager meets with functional representatives (i.e., IT manager, HR manager, Security managers, etc.) of the organization to review the CAT.Step 2: With the assistance of the continuity manager, the functional representatives review their respective characteristics. Answer each characteristic “Yes”, “No”, or “Not Applicable” (N/A). Flexibility is built into the assistance tool. Therefore, “Not Applicable” (N/A) may be used for those characteristics that do not apply.Step 3: For each characteristic, a “comments” section is provided to enter any helpful notes.Step 4: For each CMF, tally all Characteristics to obtain the “Yes”, “No”, and “N/A” CMF totals. Record this tally in the CMF header.Step 5: Capture each CMF total in Table 2 - Continuity Management Functions Summary on page ix."Example: Excerpt from CAT self-assessment tool1.6.3. Has the organization developed and maintained a vital records plan packet or Yes No N/A6 collection that list records recovery experts or vendors? [CGC 1 Annex I, Page I-3]Comments:1.6.3. Has the organization developed and maintained a vital records plan packet or Yes No N/A7 collection that includes a copy of the organization’s continuity plans? [CGC 1 Annex I, Page I-3]Comments:1.6.3. Has the organization reviewed its vital records plan packet or collection within Yes No N/A8 the past year with the date and names of the personnel who conducted the review documented in writing to ensure that the information is current and with a copy of the review maintained at the organization’s alternate facility? [CGC 1 Annex I, Page I-3]5 FEMA Continuity Assistance Tool (2009)©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 14 of 17
  • Figure 2: FEMA Continuity Assistance Tool scoring table©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 15 of 17
  • APPENDIX B: PLAN MAINTENANCE EXAMPLE: NATIONAL CENTEROF STATE COURTS"PLAN MAINTENANCE: The management process of keeping an organization’s Business continuitymanagement plans up to date and effective. Maintenance procedures are a part of this process forthe review and update of the BC plans on a defined schedule. Maintenance procedures are a part ofthis process. "6 Action Tasks Responsible Frequency PositionUpdate and certify the  Review entire plan for accuracy [Name/ AnnuallyPlan  Incorporate lessons learned from real-life activations of the Position plan and from testing and exercises responsible]  Incorporate changes in policy and philosophy  Manage distributionMaintain and update  Obtain current incumbents [Name/ Semi-AnnuallyOrders of Succession  Update rosters and contact information Position]and Delegations ofAuthorityRevise checklists and  Update and revise checklists All Court Annuallycontact information for  Confirm/update information for members of the Emergency Offices Relocation TeamEmergency RelocationTeam membersAppoint new members to  Train new members on their responsibilities [Name/ As neededthe Emergency  Integrate new members into team training Position]Relocation TeamMaintain alternate  Check all systems [Name/ Monthlyfacility readiness  Verify accessibility Position]  Cycle supplies and equipment, as necessaryMonitor and maintain  Monitor volume of materials All Court Ongoingvital records  Assist court staff with updating/removing files Officesmanagement programTrain new court staff  Include in new employee orientation [Name Position] Within 30 days of appointmentOrient new policy  Brief officials on existence and concepts of the COOP plan [Name Position] Within 30 daysofficials and senior  Brief officials on their responsibilities under the COOP plan of appointmentleadershipPlan and conduct  Conduct internal COOP exercises [Name Position] Semi-annuallyexercises  Conduct joint exercises with other courts As needed  Conduct joint exercises with judges and staff6 National Center for State Courts, (2007).©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 16 of 17
  • REFERENCESBeard, Mike, (2010). "Adding Value to the Enterprise Through Operational Project Auditing". Institute of Internal Auditors. Retrieved 2-11-11. http://www.vbpm.org/home/wp-content/uploads/2010/08/Ops-n-Project-Auditing-IIA-Beach-Cities- 2010009.pdfBurtles, Jim, (2007). "Principles and Practices of Business Continuity- Tools and Techniques". Chapter 12. Rothstein Associates, ConnecticutCrowe, Timothy, J. (2010). "Evaluating Continuity of Operations Plans and Programs". Virginia US Department of Veterans Affairs/Office of Inspector General. Retrieved 2-12-11: http://www.floridaauditforum.org/files/meeting/2010_02/Crowe_Evaluating%20COOPs.pdfDHS-FEMA, (2004). "Federal Preparedness Circular, FPC-65". Retrieved 2-11-11: http://www.fema.gov/pdf/library/fpc65_0604.pdfFEMA, (2009). "Train the Trainer Instructor Guide E/L 550". Continuity Planners Workshop. Chapter 7 Corrective Action PlanningFEMA, (2009). "Continuity Assistance Tool (CAT)- Continuity Assistance for Non-Federal Entities (States, Territories, Tribal, and Local Government Jurisdictions and Private Sector Organizations)". Retrieved 2-11-11: http://www.fema.gov/pdf/about/org/ncp/cat.pdfHiles, A. (Ed.). (2007). The Definitive Handbook of Business Continuity Management. 2nd Edition. England: John Wiley & SonsNational Center for State Courts, (2007). "A Comprehensive Emergency Management Program-Part III, Appendix A".NFPA, (2010). "NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2010 Edition: Annex C Self Assessment for Conformity with NFPA 1600 2010 Edition". Retrieved 2-1-11: http://www.nfpa.org/assets/files/PDF/NFPA16002010.pdfNorth Carolina Emergency Management, (2006). "North Carolina Continuity of Operations Planning Manual". 2nd Edition. Retrieved 2-1-11: http://www.nccrimecontrol.org/div/em/documents/COOPPlannin%20Manua%202ed.pdfOffice of Emergency Management, Boulder County Colorado, (2009). "EOP Plan", pg 67. Retrieved 2-11-11: http://www.boulderoem.com/files/Boulder%20-%20BEOP%205-5-09.pdfTexas Dept. of State Health, (2008). "Pandemic Influenza Annex to the Continuity of Operations (COOP) Plan". Retrieved 2-8-11: http://www.dshs.state.tx.us/comprep/pandemic/Pandemic%20Influenza%20Annex_%20DSHS%20Agency%20Level%20C OOP%20Plan.pdfUS Dept. Homeland Security, (May 2007). "Evaluating Continuity of Operations Programs-Approaches & Case Study". NY/NJ/IGAF Conference. Retrieved 2-9-11: http://www.auditforum.org/speaker%20presentations/nynj/nynjiaf%2005%202007/crowe.pdfWold, Geoffrey, (2010). "How to Survive a BCM Audit". Disaster Recovery Journal. Retrieved 2-8-11: http://www.drj.com/2010- articles/summer-2010/how-to-survive-a-bcm-audit.html End of Document©AmalfiCORE, LLC Andrew M. Amalfitano 2/12/2011 pg. 17 of 17