BCM Audits Gone Rogue: What Can Go Wrong, How to Put Things Right

Unfortunately, external audits of business continuity management (BCM) programs have a bad habit of going off the rails. In today’s post, I’ll lay out the kinds of things that commonly go wrong in these BCM audits—and share some tips for how you can increase the odds that if and when your program is audited, the process will be reasonable, rational, and productive.

Related on BCMMETRICS: What’s Up, Doc? When and How to Perform a Current State Assessment

A FACT OF LIFE

Getting audited is a fact of life for many business continuity programs, especially those in the financial industry, banking, healthcare, and other highly regulated areas.

Such audits are generally valuable and important. They make sure BCM programs are in compliance with relevant standards and guidelines, protecting the organizations, their employees, their clients and customers, and the industries of which they are a part.

Most auditors are knowledgeable, well-meaning people who approach their work in a spirit of partnership and moderation. Their goal is not to punish BCM programs but to help them get better. I have worked with many such auditors in the 20 years I’ve been a BCM consultant.

GOING ROGUE

Unfortunately, I have also been involved in many audits that have gotten off track. I think of them as BCM audits gone rogue.

I would even go so far as to say that, in the past couple of years, the audit process has grown increasingly inconsistent in terms of its application, findings, and outcomes.

In recent years, I have seen audits where sloppy programs that should have received critical findings did not receive them, audits where well-managed programs received critical findings they did not deserve, and audits where unwarranted negative findings cost good employees their jobs.

As you can see, I have strong feelings on the subjects of BCM audits.

A LITTLE LEARNING

There is an old expression: “A little learning is a dangerous thing.” Boy, is that true when it comes to BCM audits. I sometimes think that while the auditor who doesn’t know anything about your industry and program is bad, the auditor who knows a little is worse.

I would say the number-one problem with BCM audits is that the people doing them are not sufficiently informed and sophisticated regarding the practice of business continuity management and the proper application of BCM standards and guidelines.

So what kinds of things commonly go wrong in a BCM audit? To find out, buckle up and read on.

WHAT CAN GO WRONG

Below are some of the things that most commonly go wrong during BCM audits. These are problems that I personally have seen or experienced in my 20 years of helping companies’ BCM programs undergo review by external auditors:

• Audit teams don’t read the materials you send them.
• Audit teams lose the materials you send them.
• Auditors lack an intimate understanding of BCM industry standards and guidelines. They don’t understand that standards and guidelines are not the same thing.
• An “us vs. them” attitude develops between the BCM department and the audit team, leading to conflict. This is especially common in highly regulated industries such as the financial industry.
• Audit teams generate findings that have little to do with raising resiliency.
• Auditors require busy work such as generating irrelevant reports or gathering useless data.
• Infighting breaks out among the members of the audit team. In such situations, the BCM department can get caught in the crossfire, resulting in unwarranted negative findings.
• The auditor has a uniquely overbearing attitude. Some auditors see themselves as the “lord of auditing.” They seem to take it as their mission to make your life miserable. This is especially common in the financial industry and other highly regulated sectors.
• The auditor is overly slack and indifferent. They are impressed if you wave a thick book at them and say it contains your recovery plans. They do not adequately perform their role of helping you ensure that your program is sound.

HOW TO PUT ROGUE BCM AUDITS RIGHT

The above paints a pretty grim picture of the BCM audit process.

Fortunately, programs that are subject to audit are not simply at the mercy of the big bad auditors. There are a many things a BCM office can do to increase the chances that, if and when they are audited, the process is smooth, rational, and reasonable.

Here are my tips for making the process of being audited as bearable and consistent as possible:

• Don’t enter the audit process with blinders on. Know where your program stands before the auditors arrive. Use a tool such as BCMMETRICS Compliance Confidence or another BCM Governance, Risk Management, and Compliance (GRC) tool so you have an informed understanding of your program’s level of compliance before the audit. Run reports to identify where you are in compliance and where you have significant gaps. Share these findings, along with your plan to address them, with the audit team. This will help frame the terms of the audit and increase the likelihood that the audit is conducted along lines that you find fair and rational.
• Approach the audit in a spirit of partnership. Try to build a good relationship with the auditing team. Show respect for the role and responsibilities they fulfill. There is no guarantee they will reciprocate, but you should make every effort to put the relationship on a positive footing.
• Provide the auditors a brief orientation to your program. Before the audit starts, give the auditing team a short (15-20 minute) presentation introducing your program. The presentation should use terminology from the standards you are being audited against and show how those standards are applied at your organization. Refer back to the data and information you sent them. An introduction of this type can have a significant positive impact on the outcome of the audit.
• Connect the dots for the auditors. In talking with the audit team, cite “chapter and verse” of the standards and guidelines you use. Explain why you adopted them and how you have complied with them.
• Be smart about the information you send to the audit team. Compile the requested data and information in a logical and highly organized manner. The documents should tell a positive story about your program from end to end. Include a concise list of the materials you sent and where they are going.  It’s true, as I said above, that sometimes audit teams don’t read the materials we send. It’s also true that sometimes we bring this on ourselves by not being careful as to how those materials are selected and organized.
• Avoid a mad scramble at the last minute. Don’t attempt to produce documents which you know you don’t have when the auditor is sitting in your office. If you don’t have it, send it over later. I see this happen a lot. It’s never worth the embarrassment.
• Don’t forget to loop in your own troops. Make sure your BCM office and internal audit team have a clear understanding of the program so they can speak about it as needed during the audit. Everyone at your organization who is involved in the audit should be on the same page.
• If you receive an audit finding that you disagree with, think carefully about how to respond. Many people do not push back against an unwarranted audit finding because they are fearful of the repercussions. In my opinion, a fact-based approach is best. Do you have solid evidence that a finding you disagree with was unwarranted? If so, present your evidence to the auditors.
• The costs of submitting to an unjustified audit finding can be high, including being saddled with needless work that does not raise the resiliency of the program.

DEATH, TAXES, AND BCM AUDITS

Ben Franklin said that, “Nothing is certain but death and taxes.” To many of us in the business continuity field, having our BCM programs audited can be added to that list.

Such audits have an unfortunate tendency to be adversarial, irrational, and counterproductive. But by following the tips outlined above, you can increase the odds that your own experience of being audited is positive, reasonable, and beneficial. With luck, you might be able to turn the auditing process into a chance to improve your program and increase your skills and knowledge as a BCM practitioner.

FURTHER READING

For more information on this and other hot topics in business continuity management, check out these recent posts from BCMMETRICS and MHA Consulting:

• What’s Up, Doc? When and How to Perform a Current State Assessment
• Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now
• How to Go from Adopting a BC Standard to Knowing What to Do to Comply with It
• The Bright Side of BCM in 2018: 6 Things to Be Thankful For
• Using BCM Software: 4 Ways It Can Change Your Life
• The Face in the Mirror: The Importance of Truly Knowing Your Own BC Program