
Guidelines:

• Get the message across – Don’t get the readers lost in details and terminologies.
Apply the KISS principle!
• Provide a concise Executive Summary
• Start with non-technical content
• Start with fewer details and gradually add details
• Protect the information
• Protect yourself (Auditors)

Outline:

1. Executive Summary

The BC Program is assigned the following Recoverability Confidence Rating:

“Pass-pending improvements” with a High confidence value.

2. Introduction
a. Reasons for Audit
3. Scope
4. Approach
5. Audit Statement
a. Pass-Fail (PF) Rating
b. Compliance statement
c. Quality statements
i. Strengths
ii. Weakness
iii. High level recommendations for improvements

| PF Rating | Value | Rating Factor |
|---|---|---|
| Fail | VL or L | There is no assurance that most (if not all) of the critical business operations can maintain continuity during a disaster. |
| Pass-Pending (improvements) | M, H, or VH | There is an assurance that most of the critical business operations can maintain continuity during a disaster. |
| Pass | M | There is an assurance that all of the critical business operations can maintain continuity during a disaster, with a Medium confidence level. |
| Pass with High Confidence | H or VH | There is an assurance that all of the critical business operations can maintain continuity during a disaster, with a High or Very High confidence level. |

The BC Program is assigned the following Recoverability Confidence Rating:

Pass-pending improvements with a High confidence value.

The overall rating of the BC Program is Average, and its controls are in compliance with current industry guidelines with respect to the program's current maturity level. We find evidence of consistent progress since the inception of the BC program. We also find that adequate support and controls are in place to allow improvements in the overall program.

The audit has discovered risk areas and weaknesses in several key quality related aspects
of the program. The risks and weaknesses are primarily related to these areas:

• Program commitment
• Interim BC Plan
• BC Program Management Document
• Risk Management
• Personnel
• Salvage Restoration
• IT Systems Recovery Strategy
• Offsite Data Storage
• Work around Procedures
• Critical Record Storage
• BC Plan Document
• BC Plan testing
• Recovery site change monitoring
• Risk Controls

We strongly recommend developing a plan as part of the BC program to address these areas in order to improve the overall program quality.

The audit finds the following as the main areas of program strength:

• Management Buy-In
• IT recovery strategy
• IT recovery testing
• Business Impact Assessment
• SLAs and contract management

6. Audit Progress
a. Compared to previous audit.

7. Program Management: Main Categories

Risk Rating values:

| Risk Rating | Value |
|---|---|
| High | 7-10 |
| Medium | 4-6 |
| Low | 2-3 |

Assessment Rating values:

| Assessment Rating | Value |
|---|---|
| High | 7-10 |
| Medium | 4-6 |
| Low | 2-3 |

Columns: Program Phase; Assessment Rating; Risk Rating (Low, Medium, High); Risk Concern Area; Concern.

Program Initiation
Assessment Rating: 5 (Average)
Risk Rating: Medium
Risk Concern Area: Program commitment; Budget
Concerns:
• The BC coordinator is assigned part-time to BC responsibilities. This can compromise the effectiveness and success of the BC program.
• The BC budget is a part of the IT budget.
• The BC program needs a separate budget and should not simply be part of the IT budget. It lacks a detailed budget spending plan.
• Based on current and future BC program requirements, the BC budget needs to be between $500K and $800K, not including personnel cost.

Program Planning
Assessment Rating: 3 (Weak)
Risk Rating: Low
Risk Concern Area: Interim BC Plan; BC Program Management Document
Concerns:
• The program is currently relying on an interim plan.
• The project plan is well structured, but a complete program document is missing.

Functional Requirements
Assessment Rating: 5 (Average)
Risk Rating: High
Risk Concern Area: Risk Management; Personnel; Salvage and Restoration
Concerns:
• There are major weaknesses in the risk approach and the identification of threats.
• The BC program is weak in the evaluation of detailed personnel requirements.
• There are no salvage and restoration requirements documented.

Design and Development
Assessment Rating: 4.2 (Average)
Risk Rating: Low
Risk Concern Area: IT Systems Recovery Strategy; Offsite Data Storage; Work-around Procedures
Concerns:
• The overall design is aligned with the requirements, but there are still some gaps and room for improvement.
• RPO requirements are unknown for the Billing Systems; data integrity testing procedures are not documented; there is no strategy for remote backup during the recovery period.
• Most critical business areas have work-arounds documented, but with inconsistent format and partial information.

Implementation
Assessment Rating: 4.5 (Average)
Risk Rating: High
Risk Concern Area: Critical Record Storage; BC Plan Document
Concerns:
• There is no internal record storage facility or program.
• The BC Plan document is unstructured and missing key elements.

Testing
Assessment Rating: 5.2 (Average)
Risk Rating: High
Risk Concern Area: BC Plan testing
Concerns:
• Testing of key business area recovery capability is missing.

Maintenance
Assessment Rating: 3.9 (Average)
Risk Rating: Medium
Risk Concern Area: Recovery site change monitoring; Risk Controls
Concerns:
• Lacks proactive change management at the recovery site.
• Lacks periodic risk assessments.

Execution
Assessment Rating: NA

a. Areas of Strength
b. Recommendation

8. Program Management: Subcategories

This section provides the results of the audit from a Program Lifecycle perspective.
Our audit examined the BC program lifecycle at seven different stages:

a. Program Initiation
b. Program Planning
c. Program Functional Requirements
d. Design and Development
e. Program Implementation
f. Plan Testing
g. Program Maintenance

Each of these stages was assessed in terms of their main aspects (Program Stage
Categories). The ratings, indicating our assessment, are given to a stage or a
category as follows:

1. Weak – value of 0 to 3
2. Average – value of 4 to 6
3. Strong – value of 7 to 10

a. Program Initiation
This phase involves the first step in starting the BC program. Our audit reviewed
the roots of the program to determine if there is adequate management buy-in,
program has been evaluated properly, a formal commitment is given from the
senior management, and there is sufficient support for allocating BC funding.

Columns: Program Initiation Assessment Subcategory; Rating; Comments/Suggestions; Recommendation.

Management Buy-In
Rating: 6.4 (Average)
Comments/Suggestions: This area is well managed considering the age of the BC program. A steering committee will help to improve management buy-in.

Program Evaluation
Rating: 5.3 (Average)
Recommendation:
1. Define clear program objectives. Objectives should be stated in both general and specific terms.
2. The Board needs to be actively involved in the BC program evaluation process at a high level.

Program Commitment
Rating: 2.9 (Weak)
Comments/Suggestions:
1. The BC coordinator is assigned part-time to BC responsibilities. This can compromise the effectiveness and success of the BC program. (Risk Area)
2. Roles and responsibilities for the steering committee are not yet defined.
3. The BC Program is not part of corporate strategy.
4. The program lacks a formal BC policy and policy communication.
Recommendation:
1. Assign full-time BC responsibility to the BC coordinator.
2. Define clear roles and responsibilities for the Steering Committee.
3. Include the BC Program as part of the Corporate Strategic Objectives.
4. Create a BC policy statement.
5. Utilize corporate communications to communicate the BC policy.

Program Initiation Phase Budget
Rating: 4.75 (Average)
Comments/Suggestions: The BC budget is a part of the IT budget. (Risk Area) The BC program needs a separate budget and should not simply be part of the IT budget.

Overall
Rating: 4.83 (Average)
Comments/Suggestions: Management Buy-In is high.

b. BC Program Planning

In this phase, plans for the rest of the phases are developed. Our audit reviewed
planning and organization of BC program management. In particular, we
examined aspects related to BC program management document, program
structure, program approval process, and a detailed budget for BC program.

Columns: Program Planning Subcategory; Rating; Comments/Suggestions; Recommendation.

Interim (Temporary) BC Plan
Rating: 4.25 (Average)
Comments/Suggestions: Having an interim plan is helpful until a long-term plan is developed. The interim plan needs to be reviewed carefully if a long delay is expected in the completion of the long-term plan. We suggest in particular assessing the ability to support recovery for more than two or three days through the interim plan. (Risk Area)

BC Program Management Document
Rating: 4.4 (Average)
Comments/Suggestions:
1. The project plan is well structured, but a complete program document is missing; the project plan is part of the BC plan. (Risk Area)
2. Industry-specific BC requirements have not been researched.
3. There are no written program assumptions.
4. There is no evidence of program risks in the BC plan or program document.
Recommendation:
1. Create a BC program document which is separate from the BC plan.
2. Research industry-specific BC requirements.
3. State all key assumptions in the program document.
4. Assess and document key program risks and mitigation steps.

Program Structure
Rating: 3.0 (Weak)
Comments/Suggestions: The primary reason for weakness in program structure is the part-time roles assigned to the BC coordinator and immediate team member. The secondary reason is that roles and responsibilities of individual team members are not well defined. The overall program structure is expected to improve with the establishment of a BC Steering Committee, as planned.
Recommendation:
1. The BC coordinator and her immediate team members should have full-time dedicated positions.
2. Establishment of a Steering Committee must become a high priority.

Approval Process
Rating: 5.2 (Average)
Comments/Suggestions: The approval process is reasonable given the current maturity level, and efforts are being made to improve it.

Overall
Rating: 3 (Weak)
Comments/Suggestions: Program structure is weak due to the part-time roles assigned to the BC coordinator and immediate team members. (Risk Area)

c. BC Functional Requirements

In this phase, the detailed requirements that the BC program must satisfy are established.
Our audit reviewed the requirements captured for standards, rules and regulations, risk
management, the business impact assessment (BIA), offsite data storage, the alternate work
area, the crisis management center, personnel, critical records, SLAs and contracts, external
coordination, training and awareness, salvage and restoration, insurance, BC tools, and the
assembly location.

Columns: Functional Requirements Subcategory; Rating; Comments/Suggestions; Recommendation.

Detailed requirements related to standards, rules, and regulations
Rating: 4.3 (Average)
Comments/Suggestions:
1. Documents indicate requirements referencing the DRII guideline and the BS17799 standard.
2. There has not been any effort to find out industry-specific requirements other than SOX.
Recommendation: Recommend inclusion of the NFPA 1600 standard as part of the detailed requirements.

Risk Management
Rating: 3.6 (Weak)
Comments/Suggestions:
1. The risk assessment was not conducted by a qualified risk management professional. (Risk Area)
2. There are many threats that have not been accounted for in the assessment. For example, flood and pandemic are not part of the assessment. (Risk Area)
3. The analysis is based only on a qualitative approach.
4. The secondary power generator is located on the ground level, which may be exposed to flooding.
5. Senior-level management has not been involved in the risk assessment and approval process.
Recommendation:
1. Obtain qualified experts' assistance to review and conduct threat and risk assessments.
2. Involve senior management in the risk assessment process.
3. Protect the secondary power generator from potential flooding, if it is assessed as a threat.

BIA
Rating: 8.7 (Strong)
Comments/Suggestions: The BIA was conducted by qualified BIA experts. It is comprehensive and based on a sound approach.

Offsite Data Storage
Rating: 5.5 (Average)
Comments/Suggestions: Backup timing requirements are known, but there are weaknesses in capturing the detailed requirements. For example, some users still use CDs to store data on their PCs; we did not see this on the list of data backup requirements from IT. Safe handling and storage requirements and data security requirements are also not captured in sufficient detail.
Recommendation: Assess detailed data requirements.

Alternate Work Area
Rating: 6 (Average)
Comments/Suggestions: Work area requirements are good in general, with the exception of space and non-IT requirements for the long-term alternate work area.
Recommendation: Gather detailed space and non-IT requirements for the alternate work area.

Crisis Management Center (CMC)
Rating: 2.4 (Weak)
Comments/Suggestions: The Emergency Response (ER) team has not yet assessed the specific BC response requirements. There is an assumption that the current design of the EOC will be sufficient to include BC response activities.
Recommendation: Assess BC-related CMT requirements and determine if the current EOC design is sufficient.

Personnel
Rating: 1.8 (Weak)
Comments/Suggestions: The BC program is weak in the evaluation of detailed personnel requirements such as contractor agreements, temporary staff, detailed skill requirements, recovery-time pay requirements, union and labor requirements, and personnel insurance coverage. (Risk Area)
Recommendation: Evaluate detailed personnel requirements.

Critical Records
Rating: 5.5 (Average)
Comments/Suggestions: Critical record requirements are in place with the exception of electronic records. No requirements have been analyzed for the document management system. Business units have complete responsibility for critical record recovery.
Recommendation:
1. Assess electronic record recovery requirements.
2. Assign someone with central responsibility for coordinating critical record continuity.
3. Assess document management system tool requirements.

SLA and Contract Requirements
Rating: 7.4 (Strong)
Comments/Suggestions: The SLA and contracts area is assessed as strong.
Recommendation: As an additional improvement, we recommend including worst-case non-compliance clauses in all SLAs and contract agreements.

External Coordination
Rating: 4.75 (Average)
Comments/Suggestions: External coordination requirements need to improve.
Recommendation:
1. Assess requirements for a closer integration of BC with ERP to improve external coordination.
2. Assess requirements to improve coordination with the landlord and building management, the insurance company, and the data backup provider.

Training and Awareness
Rating: 6.5 (Strong)
Comments/Suggestions: Training requirements have been documented, but only for BC teams.
Recommendation: Document requirements for personnel outside of the BC teams.

Salvage and Restoration
Rating: 0 (Weak)
Comments/Suggestions: There are no salvage and restoration requirements documented. (Risk Area)
Recommendation: Evaluate and document salvage and restoration requirements.

Insurance Requirements
Rating: 3.5 (Weak)
Comments/Suggestions: The insurance requirements area is weak.
Recommendation:
1. Review the insurance policy for comprehensive disaster coverage.
2. Integrate the insurance purchase process with the BC program.
3. Determine the insurance claim process.

BC Tools
Rating: 5 (Average)
Comments/Suggestions: Tools are currently under evaluation.
Recommendation: Assess requirements for tool support staff.

Assembly Location
Rating: 2.75 (Weak)
Comments/Suggestions: Assembly location requirements have not been assessed thoroughly for BC team members.
Recommendation:
1. Assess detailed assembly site capacity requirements for BC teams.
2. Assess detailed travel and accessibility requirements for BC teams.
3. Assess requirements for a tertiary assembly location.

Overall
Rating: 4.83 (Average)
Comments/Suggestions: Risk management is weak, but the BIA has a high rating. There are no salvage and restoration requirements documented. (Risk Area)

d. BC Design and Development

Columns: Design and Development Subcategory; Rating; Comments/Suggestions; Recommendation.

Risk Controls
Rating: 3.0 (Weak)
Comments/Suggestions: Problems in this stage are due to weaknesses in the previous functional requirements process. Not all control options have been analyzed, and residual risks have not been examined.
Recommendation: Initiate a risk assessment and management project with the help of a risk management expert and full management support.

IT Systems Recovery Strategy
Rating: 5.3 (Average)
Comments/Suggestions: The overall design is aligned with the requirements, but there are still some gaps and room for improvement. (Risk Area) For example, generic applications such as email are not part of the recovery strategy; drop-shipping the billing system server may not be a reliable strategy; and the ability of people to get to the recovery site on time needs additional assessment.
Recommendation:
1. Assess requirements for email and other generic applications.
2. Assess the ability of people to get to the recovery site on time.
3. Align the drop-ship strategy with RTO requirements.

Alternate IT Recovery Site
Rating: 6.85 (Strong)
Comments/Suggestions: The recovery site is with a vendor who is both reputable and reliable. It is located outside of the regional risk area. Information security is a concern because the servers and work areas are shared with other clients. There is no guarantee of access at the time of a disaster: service is provided on a first-come, first-served basis.
Recommendation:
1. Implement information security measures for the recovery site.
2. Consider use of a tertiary recovery site to deal with potential lack of access to the secondary site.
3. Review the BC plan of the recovery site vendor.

Tertiary Recovery Site
Rating: 0 (Weak)
Comments/Suggestions: None exists.
Recommendation: Consider the Canadian site as a possible tertiary recovery site to deal with potential lack of access to the secondary site.

Offsite Data Storage
Rating: 3 (Weak)
Comments/Suggestions: RPO requirements are unknown for the Billing Systems; data integrity testing procedures are not documented; there is no strategy for remote backup during the recovery period. (Risk Area)
Recommendation:
1. Assess RPO requirements for the Billing System.
2. Assess and document data integrity test procedures.
3. Design a data backup strategy for the recovery period.

Critical Record Storage
Rating: 4.6 (Average)
Comments/Suggestions: There is no internal records management group or facility besides the remote storage facility.
Recommendation: Design and develop an internal critical document/record management group and facility in addition to the remote storage site.

Alternate Work Area
Rating: 4.7 (Average)
Comments/Suggestions: An interim site exists. There are plans to acquire a long-term alternate work area with the same IT recovery site vendor.
Recommendation:
1. Expedite design and development of the alternate work site.
2. Consider the Canadian site as a possible tertiary work area recovery site.

Crisis Management Center (CMC)
Rating: 6 (Average)
Comments/Suggestions: The EOC will be used as the CMC. The first location is a leased site 30 miles away from HQ. The alternate location is a hotel meeting room to be
Recommendation: See recommendations in the requirements stage.

Assembly Location
Rating: 6 (Average)
Comments/Suggestions: No major concerns, except that it has not been evaluated for BC-related use.
Recommendation: Evaluate the design of the assembly location to determine if it meets BC requirements.

Data Communication Services
Rating: 5.83 (Average)
Comments/Suggestions: The design overall meets the continuity requirements but needs some additional improvements. For example, carrier links to the data center go through the same conduit, through the single entry to the building. (Risk Area)
Recommendation: Review the data links for improved redundancy and removal of the single point of failure. Include this review as part of the risk assessment project.

Voice Communication
Rating: 6.6 (Strong)
Comments/Suggestions: The design overall meets the continuity requirements but needs some additional improvements.
Recommendation: Review the design to provide additional redundancy by combining voice communication mediums.

Work-around Procedures
Rating: 3.6 (Weak)
Comments/Suggestions: Most critical business areas have work-arounds documented, but with inconsistent format and partial information. (Risk Area)
Recommendation: Ensure work-around procedures for all critical areas are complete and documented using a consistent and complete format.

Training and Awareness
Rating: 5.2 (Average)
Comments/Suggestions: There are no major weaknesses in this area, but there is room for improvement.
Recommendation: Assign training and awareness responsibility to a staff member. Review the current training and awareness design for additional improvements.

Salvage and Restoration
Rating: 0 (Weak)
Comments/Suggestions: Functional requirements have not been initiated yet. See comments in the Functional Requirements table.
Recommendation: The design and development for Salvage and Restoration must be based on the functional requirements once they are completed.

Overall
Rating: 4.2 (Average)

e. BC Program Implementation

In this phase, the BC capabilities designed in the previous phase are put in place. Our audit
reviewed the implementation status of each design and development subcategory: risk controls,
IT recovery systems, the alternate and tertiary IT recovery sites, offsite data storage, critical
record storage, the alternate work area, the crisis management center, the assembly location,
data and voice communication services, training and awareness, BC tools, salvage and
restoration, personnel, SLAs and contracts, and the BC plan document.

Columns: Program Implementation Subcategory; Rating; Comments/Suggestions (General Assessment); Recommendation.

Risk Controls
Rating: 3.0 (Weak)
Comments/Suggestions: Risk controls are not implemented due to weakness in the risk assessment phase.

IT Recovery Systems
Rating: 6.0 (Average)
Comments/Suggestions: Most systems are in place, and plans are in place to acquire the rest. Email system recovery capability is not in place.

Alternate IT Recovery Site
Rating: 9.0 (Strong)
Comments/Suggestions: The IT recovery site is in the final stages of complete implementation.

Tertiary Recovery Site
Rating: 0 (Weak)
Comments/Suggestions: None exists.

Offsite Data Storage
Rating: 5 (Average)
Comments/Suggestions: The backup site is currently in use. Backup frequency needs adjustments.

Critical Record Storage
Rating: 2.0 (Weak)
Comments/Suggestions: Implemented for document records only, and as remote storage only. There is no internal storage process or system.
Recommendation: Design and develop an internal critical document/record management group and facility in addition to the remote storage site. Implement internal record storage systems and processes.

Alternate Work Area
Rating: 4.0 (Average)
Comments/Suggestions: An interim site exists. There are plans to acquire a long-term alternate work area with the same IT recovery site vendor.
Recommendation: Expedite implementation of the alternate work site.

Crisis Management Center (CMC)
Rating: 7 (Strong)
Comments/Suggestions: The EOC will be used as the CMC. The first location is a leased site 30 miles away from HQ. The alternate location is a hotel meeting room.
Recommendation: See recommendations in the requirements stage.

Assembly Location
Rating: 7 (Strong)
Comments/Suggestions: The assembly location is in place.

Data Communication Services
Rating: 8.0 (Strong)
Comments/Suggestions: Data communication services for recovery are in place.

Voice Communication
Rating: 8.0 (Strong)
Comments/Suggestions: Voice communication service for disaster recovery is in place.

Training and Awareness
Rating: 2.0 (Weak)
Comments/Suggestions: The training and awareness program is partially implemented.
Recommendation: Expedite initiation of the training and awareness program.

BC Tools
Rating: 2.0 (Weak)
Comments/Suggestions: There are no major weaknesses in this area, but there is room for improvement.
Recommendation: Expedite the tool evaluation to begin tool usage and deployment.

Salvage and Restoration
Rating: 0 (Weak)
Comments/Suggestions: Salvage and restoration is not yet included in the BCP. See comments in the Functional Requirements table. (Risk Area)
Recommendation: Expedite the salvage and restoration requirements assessment to begin its implementation.

Personnel
Rating: 4.0 (Average)
Comments/Suggestions: Most of the required personnel are hired, except for two key positions reporting to the BC coordinator.
Recommendation: Expedite hiring of staff to fill the two key positions.

SLA and Contracts
Rating: 7.0 (Strong)
Comments/Suggestions: Most of the key SLAs have been implemented, and the rest are under review.

BC Plan Document
Rating: 3.0 (Weak)
Comments/Suggestions: The plan document is missing key sections. Most parts of the document are incomplete.
Recommendation: Redesign the BC plan document and address incomplete areas.

Overall
Rating: 4.5 (Average)

f. Plan Testing

g. Program Maintenance

9. Business Unit Confidence Assessment


a. Confidence Level by business units
b. Areas of strength
c. Areas of weakness
d. Recommendations

Confidence Scale: 1 to 10.

1-2: Very Low (VL)
3-4: Low (L)
5-6: Medium (M)
7-8: High (H)
9-10: Very High (VH)
| Business Department | Business Function | Business Process | Systems Not Tested | Work-Arounds | IT Strategy | Records Strategy | Recovery Team | Recovery Tasks | Recovery Tested | All |
|---|---|---|---|---|---|---|---|---|---|---|
| Sales Order Management | Customer Service | New Account Management | | 0 | 9 | 4 | 9 | 7 | 9 | |
| | | Manage Customer Problems | | 2 | 9 | 3 | 9 | 7 | 9 | |
| | | Handle Product Returns | | 3 | 9 | 4 | 9 | 7 | 9 | |
| | | Overall | 9 | 4.5 | 9 | 3 | 9 | 7 | 9 | 7.2 |
| | Order Processing | Receive Orders | | 6 | 6 | 4 | 9 | 7 | 9 | |
| | | Process Orders | IMS | 6 | 6 | 4 | 9 | 7 | 1 | |
| | | Fulfill Orders | IMS | 6 | 6 | 3 | 9 | 7 | 1 | |
| | | Overall | 1 | 6 | 6 | 3 | 9 | 7 | 1 | 4.7 |
| Sales and Marketing | Sales | Manage Sales Contracts | SITS | 9 | 4 | 7 | 9 | 7 | 2 | |
| | | Sell Product | SITS | 7 | 4 | 7 | 9 | 7 | 2 | |
| | | Develop Sales Plan | | 7 | 4 | 7 | 9 | 7 | 2 | |
| | | Overall | 1 | 7.6 | 4 | 7 | 9 | 7 | 2 | 5.4 |
| | Marketing | Provide Sales Lead | 8 | 8 | 7 | 4 | 9 | 7 | 9 | |
| | | Overall | 8 | 8 | 7 | 4 | 9 | 7 | 9 | 7.4 |
| | Product Pricing | Establish Wholesale Product Price | 8 | 5 | 7 | 8 | 9 | 7 | 9 | |
| | | Adjust Product Pricing | 8 | 5 | 7 | 8 | 9 | 7 | 9 | |
| | | Establish Online and Retail Product Pricing | 8 | 5 | 7 | 8 | 9 | 7 | 9 | |
| | | Overall | 8 | 5 | 7 | 8 | 9 | 7 | 9 | 7.6 |
| Distribution | Packaging | Package Products | IMS | 5 | 8 | 7 | 9 | 7 | 1 | |
| | | Order Packaging Supplies | IMS | 5 | 8 | 7 | 9 | 7 | 1 | |
| | | Overall | 1 | 5 | 8 | 7 | 9 | 7 | 1 | 5.4 |
| | Shipping | Create Shipping Labels | | 8 | 6 | 8 | 9 | 7 | 8 | |
| | | Attach Invoice | | 8 | 7 | 8 | 9 | 7 | 8 | |
| | | Urgent Delivery | | 8 | 5 | 8 | 9 | 7 | 8 | |
| | | Normal Delivery | | 8 | 5 | 8 | 9 | 7 | 8 | |
| | | Scan Package | | 8 | 7 | 8 | 9 | 7 | 8 | |
| | | Overall | 7 | 8 | 6 | 8 | 9 | 7 | 8 | 7.6 |
| All Departments | | | | | | | | | | 6.5 |

10. BC Process Assessment (per plan)


a. Risk Management
b. BIA
c. BC Strategy
d. BC Plan Development
e. BC Plan Testing
f. BC Plan Maintenance
11. Summary of Recommendations
12. BC Program Standards and Guidelines for Audit
13. Information Sources
14. Audit Information Confidentiality Directives
15. Legal clause to protect auditor
16. Appendices
