Crisis Management Audit Plan

Contributed 8/30/99 by Denys Martin, <denysmartin@yahoo.com>
Denys Martin, MBA, CIA, FCPA 08/30/99 5:53 AM 1 of 5

Background and Rationale

You come to your office at the beginning of your workweek and, because of some unforeseen event, there are no employees, no working telephones, no functioning computers and no utilities. You are the Chief Executive. What would you do? Where would you start?

Unquestionably this is a crisis. Remember that you have access to almost none of your regular business tools. If this had been an actual incident, such as many businesses experienced in Wellington, New Zealand in 1997, it would already have been too late to concern yourself with developing a Crisis Management Plan. You need to have a Plan in place to ensure continuity of operations. But what kind of Crisis Management Plan is an effective one? You need to ask: "What is a crisis for my organisation?"

For this audit, the following definition will be used: a crisis is any unplanned event, occurrence or sequence of events that has a specific catastrophic consequence. Natural disasters, IT viruses, financial manipulation, societal disruption, pollution and stringent regulations are but a few examples of potential crisis situations. An organisation may focus on these issues out of a commitment to protect the public and its employees, to comply with government regulations, or to protect itself from possible liabilities and litigation. The consequences of not focusing on them can be disastrous.

Audit Standards:

A cohesive Crisis Management Plan should have the following components:
- Compliance
- Preparedness
- Training & Resource Development
- Information Management

Critical aspects that must be in the Crisis Management Plan:
- Effective coordination of activities within the organisation;
- Early warning and clear instructions to all concerned if a crisis occurs;
- Continued assessment of actual and potential consequences of the crisis;
- Continuity of business operations during and immediately after the crisis.

A brief synopsis of the common weaknesses in Crisis Management planning may prove helpful. Possible weaknesses to verify:

1. No systematic collection of planning information. This includes risk analysis, organisational information, relevant laws, company policies and procedures, and location-specific data.
2. No systematic dissemination of planning information.
3. Failure to identify and establish an incident command structure. This is a common pitfall, as many planners try to fit their organisation into a standard incident command system not designed around their particular needs.
4. No, or minimal, coordination with affected entities. Poor communication with external dependencies such as the community, neighbouring industries and identified support entities (fire, police, hospitals, etc.) can lead to confusion and chaos during an emergency. A simple issue such as who is the primary contact for offsite agencies during an emergency can cause major disruption during an incident.
5. Lack of, or poorly defined, organisational responsibilities. Failure to provide clear, concise procedures defining a person's functions, duties and tasks upon assuming his or her emergency organisation position.
6. Once developed, the Plan is not maintained, or is maintained poorly. The Plan may have been developed only to meet a regulatory requirement.
7. No provision for testing and review, or for continued evaluation and periodic update of the material. For example, information that changes, such as telephone numbers, may be buried in various paragraphs throughout the plan.
8. The material that was developed is not user-friendly. The plan may contain too much information; the user should not have to be a brain surgeon to work out his or her role in its implementation. There should be simple, easy-to-use supplemental materials that serve as a quick reference guide during an emergency.
9. Failure to train relevant personnel on the plan and their role in its implementation.
10. Failure to disseminate the plan to the authorities. Failure to include appropriate parties on the distribution list most often leads to failure on their part to respond in the manner hoped for.

COMPLIANCE

The risk assessment is the initial step toward reducing vulnerability. All relevant levels of management should become part of the Crisis Management Plan. This can be achieved in several ways:

1. Senior manager directly responsible to top management and the board of directors. The formal assignment of a senior manager to a position such as "Crisis Management Plans, Director," or some other appropriate title, accomplishes the initial portion of this item. Additionally, the individual's job description should contain a measurement standard against which performance is evaluated.
2. Set aside specific time for reports on crisis management preparedness issues. This can be accomplished by preparing an agenda for senior staff and board of director meetings that includes discussion of crisis management preparedness as a mandatory item. The discussion must be substantive rather than lip service: provide more than the dull and tiring statistics on reportable accidents, and include all levels of personnel in the presentation process.
3. Make crisis management planning issues part of the strategic planning process. Government regulations themselves increasingly carry strategic implications for companies.
4. Communicate compliance through all levels of the organisation through company policy and procedures. This can be accomplished through formal adoption of policy at the highest levels of the company; generally, this will require the approval of the Board of Directors.

PREPAREDNESS

Preparedness, used in the broadest context, means any and all measures taken to prevent, prepare for, respond to, mitigate and recover from a crisis. It is with this perspective that we break down the aspect of Preparedness. Preparedness consists of four critical aspects:
- Preparation and Prevention
- Detection and Classification
- Response and Mitigation
- Reentry and Recovery

Preparation and Prevention: any set of activities that prevent a crisis, reduce the chance of a crisis happening, or reduce the damaging effects of a crisis. Preparation and Prevention activities include, but are not limited to:
- Development and implementation of the Crisis Management Plan
- Development and implementation of Crisis Management Plan Implementing Procedures
- Development and implementation of Crisis Management/Response Training

Detection and Incident Classification: actions taken to identify, assess and classify the severity of a crisis. Detection and Classification activities include, but are not limited to:
- Activation of Crisis Management Systems
- Escalation of Crisis Management Plan Implementing Procedures
- Escalation of the Crisis Management/Response Organisation

Response and Mitigation: actions taken to save lives, prevent further damage and reduce the effects of the crisis. Response and Mitigation activities include, but are not limited to:
- Crisis Management/Response operations
- Subsidiaries' Crisis Management/Response operations
- Continuity of business operations

Reentry and Recovery: actions taken to return to a normal, or an even safer, situation following the crisis. Recovery activities include, but are not limited to:
- Activation of the Recovery Plan
- Coordination with subsidiaries

TRAINING

The training of the Crisis Management/Response Organisation is one of the critical success factors that must be addressed if an adequate response is to be achieved. The development of the compliance Plan, involvement of all levels of management and establishing preparedness are only part of the overall process. To ensure an adequate response, a trained organisation is required. A "systems" approach to preparing effective training Plans should consist of:

1. TASK ANALYSIS: determine the skills, knowledge and procedures required for satisfactory performance of each task.
2. INSTRUCTION: lessons are systematically presented using appropriate instructional methods. Instruction may include lecture, self-paced or group-paced mediated instruction, simulation and team training.
3. EVALUATION: performance standards and evaluation criteria are developed from the learning objectives. Each trainee's performance is evaluated during the course and during field performance testing.
4. DRILLS: in addition to the formal training Plan, drills and exercises are needed.

INFORMATION MANAGEMENT

An ongoing, dynamic Crisis Management Plan must be established and maintained. To support the planning requirements, a record of all initiatives should be retained. These records document the accomplishments, requirements, commitments and reports relating to the various Plan requirements. Identifying the commitments in the areas of compliance, emergency preparedness and training is vital. A defined information management system structure will ensure that documentation is available when needed. Senior management must be kept well informed.

Information is a corporate asset. Information is expensive. It must be shared and managed effectively. Information management is also critical during a crisis: active systems that provide information on materials, personnel, capabilities and processes are essential. It is extremely important to have a system (and adequate back-up systems) in place that serves to identify, catalog, set priorities and track issues and commitments relating to crisis management and response activities.

QUALITY ASSURANCE

The Crisis Management Plan should be audited for quality assurance by an independent source that can certify the adequacy of the process.