Copy 1 ss540 audit guide 201214 rar bia rs plan
Standardised Audit Program
document.xlsx 1 05/03/2023
Risk Analysis and Review
Columns: Clause | Component | Yes | No | Specific comments regarding deficiencies / effectiveness

1   5.1          Policies / Processes   Are internal and external risk events and impacts identified and reviewed by all business units and their operational processes?
2   5.1 / 5.2.2  Policies
3   5.1          Policies
4   5.2          Policies
5   5.2.1        Policies
6   5.2.3        Policies
7   5.2.4        Policies
8   5.2.5        Policies
9   5.2.6        Policies / People
10  5.4.2        People
11  5.5          Infrastructure

Audit questions for the remaining rows:
How is this done and are records available for audit?
Are both qualitative and quantitative impacts evaluated? Are records available?
Is a procedure for the identification of external and operational risks established and available?
Has the BCM committee reviewed the findings and recommendations of risk analysis efforts? Has it selected appropriate cost-effective treatment?
How are identified risks treated and are they documented?
Is a list of potential disasters established, and what is selected as the most probable disaster?
Is risk analysis carried out consistently across all business units? Are records of analysis available for all business units?
Are the people involved in or responsible for risk analysis competent? Are training records available for the training conducted?
Are the roles and skills of essential staff and external parties needed identified, established and documented?
Has risk review and analysis been performed on critical equipment and facilities? Are there available risk treatments for all identified risks?
Business Impact Analysis
Columns: Clause | Component | Yes | No | Specific comments regarding deficiencies / effectiveness

1   6      Was the BIA process completed?
2   6.1
3   6.1
4   6.2    Policies
5   6.2.1  Policies
6   6.2.1  Policies
7   6.2.1  Policies
8   6.2.2  Policies  Is there a BCM Steering committee?
9   6.2.2  Policies
10  6.2.2  Policies
11  6.2.2  Policies
12  6.2.2  Policies
13  6.2.2  Policies

Audit questions for the remaining rows:
Was the BIA conducted on a periodic and systematic basis, i.e. at a pre-determined frequency?
Are there any business or technology changes that require a review of the BIA?
Are there policies to govern the assessment of losses due to interruptions to business operations or processes?
Is the MBCO of the organization clearly stated and documented by the Exe Mgt?
How is the MBCO clearly defined and approved by the Exe Mgt?
Are there any significant internal or external changes, especially for legal or contractual requirements, that require a review of the MBCO?
Is there a list for review of potential threats and risks for each business unit for the BCM Steering committee?
Is the list reviewed by the BCM Steering committee?
Is the list of CBF produced and prioritised by the Committee?
Is the list of CBF the decision of the Committee?
Are there any discrepancies in the CBF between the Business Unit Head and the BC team?
14  6.2.2    Policies   Has the CBF been prioritized?
15  6.2.2    Policies
16  6.2.2    Policies
17  6.2.3    Policies
18  6.2.4    Policies
19  6.2.4    Policies   Do the CBFs support the MBCO?
20  6.2.5    Policies
21  6.2.5    Policies
22  6.2.5    Policies
23  6.2.5    Policies
24  6.2.5    Policies
25  6.3      Processes
26  6.3.1    Processes  Are all the individual BUs identified by: Name and description? Processes employed? Supporting systems? Special skills and expertise required? Resource requirements?
28  6.3.1.1  Processes
29  6.3.1.2  Processes
30  6.3.2    Processes
31  6.3.2.1  Processes
32  6.3.2.2  Processes
33  6.3.2.3  Processes

Audit questions for the remaining rows:
Is the prioritized list reviewed and approved by the BCM Steering committee?
Has the recovery prioritization of CBF been done in conjunction with the allocation of resources?
Are there policies to ensure that the MBCO complies with legal and regulatory requirements?
What is the expertise level of personnel undertaking the BIA?
What considerations are the priority for analyzing the impact of risk on CBFs?
Establish and approve the recovery priority with the allocation of resources.
Are workplace safety and health considerations considered in the prioritization of the CBFs?
Are legal and regulatory requirements considered in the prioritization of CBFs?
Are quantitative or qualitative impacts considered for the CBFs' impact of risk?
Are there processes established to identify different disruptions to the business operations and functions?
Are the operational constraints of each Business Unit's CBFs provided?
Has each BU identified the minimum level of services that must be provided to support the organisation's MBCO?
Has an assessment of CBFs been done?
Have inter-dependencies been identified for internal and external parties?
Has an alternate process been examined and documented?
Has the documentation been done for all the CBF and processes, i.e. SOP, flowcharts, manuals?
Strategy
Columns: Clause | Component | Yes | No | Specific comments regarding deficiencies / effectiveness

1  7.1    Scope                   What is the scope for the Recovery Strategy?
2  7.2    Policies                What are the policies guiding the evaluation of recovery strategies?
3  7.2.1  BCM Steering Committee  Does the BCM Steering committee review and approve recommended BCM strategies?
4  7.2.1  BCM Steering Committee  Does the BCM Steering committee formulate the organisational recovery strategy based on probable disasters and CBFs?
5  7.2.2  Strategy Formulation    Was the strategy formulated based on risks faced by CBFs from one or a combination of the following: a. Revert to alternate processing capability; b. Arrange reciprocal arrangements, e.g. with another organization in the same industry; c. Establish alternate site or business facility; d. Arrange for alternate source of supply, e.g. of raw materials; e. Outsource to external vendor(s); f. Transfer of operation(s) to subsidiary business units; g. Rebuild from scratch after disaster; h. Do not take any action.
6  7.2.2  Strategy Formulation    Is a set of guidelines established to guide the decision-making process for the above strategy?
7   7.3    Processes                              Does the BCM steering committee undertake the following set of activities based on the feedback from business units with CBFs? a. deliberate on the recovery strategies for various CBFs and formulate an organisational recovery strategy in conjunction with probable disasters; and b. consolidate recovery requirements based on the organisational recovery strategy into contract specifications.
8   7.3.1  Recovery Strategy Requirements         Are there processes for a given recovery strategy to determine the following requirements: a. Skill set required by supporting staff; b. Technology and equipment; c. Facilities; d. Off-site storage and alternate site(s); and e. Alternate processing capabilities.
9   7.3.1  Recovery Strategy Requirements         Were the non-technology continuity issues for each support service of CBFs reviewed?
10  7.3.2  Recovery Strategy Evaluation Criteria  Has a set of criteria been established to guide the evaluation of the appropriate recovery strategy for each CBF?
11  7.4      People
12  7.4      People
13  7.5      Infrastructure
14  7.5.1
15  7.5.1
16  7.5.2    Facilities  Have the existing facilities been reviewed?
17  7.5.2.1
18  7.5.2.2

Audit questions for the remaining rows (component in parentheses where given):
Does the organisation have an adequate number of staff with the relevant skill set to support the organisational recovery strategy?
Has alternate infrastructure been examined if the existing infrastructure is inadequate to support the recovery strategy?
Is the organisation capable of providing the necessary infrastructure to support the organisational recovery strategy?
Is there a review of existing technology and equipment? (Technology and equipment)
Has a list of technical specifications for the technology and equipment been specified? (Technology and equipment)
Does deliberation on the facilities used to support alternate processing include the following considerations: a. Acquisitions; b. Mutual agreement; c. Outsource to external vendors; and d. Manual workarounds? (Alternate Processing)
Have the criteria to guide the selection process of alternate processing vendors been established? (Alternate facilities outsourcing)
BC Plan
Columns: Clause | Component | Yes | No | Specific comments regarding deficiencies / effectiveness

1  8.2            Policies   Is policy and process established and documented to govern the development of BC plans?
2  8.2.1          Policies   Is the BC Plan, and subsequent changes, reviewed and approved by the BCM Steering Committee?
3  8.2.2          Policies   Is an Emergency Operations Centre set up, and are the associated conditions for operation and closure established and the head appointed?
4  8.2.5 / 8.2.6  Policies   Is a policy governing emergency response and the priority for actions to be carried out established and documented?
5  8.3            Processes  Are formal processes established for each component of the BC plan to determine their requirements? 1) Pre-incident preparation 2) Initial damage assessment … 13) BC plan distribution and control
6  8.4            People     Who are the people in the BCM Steering Committee? Are roles and responsibilities established and documented, including: 8.4.2) BCM Coordinator .... 8.4.8) Damage assessment team (DAT)
7   8.4.9 / 8.4.10  People          Is a procedure established to manage appropriate medical attention, assembly area and personnel safety?
8   8.4.11          People          Is a contact list for key personnel drawn up and maintained?
9   8.5             Infrastructure  Does the BC plan address the requirements needed to operate and maintain all the infrastructure components to ensure that CBFs can continue within the planned levels of disruption?
10  8.5.1           Infrastructure  Are critical and general equipment / supplies as well as communication requirements established and documented?
11  8.5.2           Infrastructure  Are EOC as well as alternate site requirements identified and documented?
Testing and Exercising
Columns: Clause | Component | Yes | No | Specific comments regarding deficiencies / effectiveness

Programme Management
Columns: Clause | Component | Yes | No | Specific comments regarding deficiencies / effectiveness