BCM Audits Gone Rogue…

Michael Herrera

As BCM professionals we have all gone through audits of our programs at one time or another and dealt with the questions, the need for a better understanding of BCM, and the cautious concern waiting for the final report, etc.

At MHA, we are the BCM Office for a good number of our clients.  We manage each program using industry best practices and standards as our measuring stick to ensure the program provides the highest level of resiliency and meets/exceeds compliance requirements.  We know which of our managed programs are in line with best practices and which ones need more time and work.  Internal and external audits are a part of our daily consulting efforts.

We are finding that a good number of the audits we have recently dealt with have become increasingly inconsistent in their application, findings and outcomes.  Common conditions found during recent audits:

  1. Audit Teams Don’t Read What You Send Them
  2. Lack Intimate Understanding of BCM Industry Standards and Guidelines
  3. Don’t Grasp Difference between Standards and Guidelines
  4. Generate Findings that Often Have Little to Do with Raising Resiliency
  5. Regularly Lose Data/Information Sent to Them
  6. Require Busy Work Generating New Reports or Gathering Useless Data
  7. “Them versus Us” Mentality Leading to Conflict
  8. Infighting Amongst the Audit Team Members

It’s important to state that we are not saying all audits have proceeded in this manner, but a good share have.  What is most interesting to us is that we work with programs in critical industries that should have findings but receive none, and with other programs that are highly sophisticated and mature yet receive findings that make no sense.

So, how do we make audits as bearable and consistent as possible?

  1. Do your own due diligence before the audit using a BCM GRC tool like BCMMETRICS™ (www.bcmmetrics.com) so you know where you stand (level of compliance and successes/opportunities) before the audit.  Run reports to identify where you are in compliance and where you have big gaps.  Share your due diligence.
  2. Educate auditors in the BCM process and how it’s applied at your organization before the audit starts by giving a short presentation (15-20 min) to go over the program.  Make sure you are well prepared and use terminology from the standards you are being audited against.  Refer back to the data and information you sent them.
  3. Compile requested data and information in a logical and highly organized manner.  The documents should tell a positive story of your program from end to end.
  4. Don’t attempt to produce documents you know you don’t have at the last minute.  It’s not worth the embarrassment.
  5. Ensure your BCM Office and internal audit have a clear understanding of the program to be able to speak to it as needed during an audit.

What do you do when you disagree with an audit finding?

We have been taught not to push back on audits for fear the repercussions could be greater if we voiced our opinion.  I believe that if you have solid evidence a finding was not merited, push back by all means.  We have seen cases of management not pushing back for fear of repercussions and then being saddled with needless work that does not raise the resiliency of the program.

In closing, we believe working with auditors is a great investment in time that can lead to increased management focus and support when a partnership approach is used throughout the audit engagement.