Business Continuity Management Program Development Guide




Business Continuity Management Program Development Guide Prepared by The NS Emergency Management Office, Winter 2012

Version 1.1 Page 2 of 24

Document Revision History

Date       Author   Revision Notes
Fall 2011           Major revision from BCM Guide 2007 v1.0

Preamble

The Government of Nova Scotia requires that all provincial departments have business continuity management programs and plans in place to ensure that a continued and reasonable level of service is maintained for the province's population in the event of a crisis. This guide was developed to support the creation of a business continuity management program and plan. It contains the information necessary for government entities and other organizations to get the program and plan organized, supported and completed.

When using this guide to build a BCM program it is strongly suggested that the Business Continuity Institute (BCI) Good Practice Guideline (GPG) be used as additional reference material. Much of the material within this guide was taken from the BCI Good Practice Guideline.

Comments about this guide, the GPG or other business continuity management issues should be directed to:

David Roper
Security Intelligence Management Services
Emergency Management Office
33 Acadia Street, Dartmouth, NS B2Y 2N1
OR PO Box 2581, Halifax, NS B3J 3N5
(902) 424-5620 t
(902) 424-5376 f
Email: ROPERDB@gov.ns.ca
Website address: http://emo.gov.ns.ca

Table of Contents

I   6
II  How to Use this Guide   6
III Special Note   7
1.0 Business Continuity Management System   8
1.1 BCM Program Scope   9
1.2 BCM Policy   9
1.3 BCM Program Resources and Ongoing Management   10
1.4 Incident Readiness and Response   11
2.0 Embedding BCM into the Organization's Culture   12
3.0 Understanding The Organization   13
3.1 Business Impact Analysis (BIA)   13
3.2 Continuity Requirements Analysis   14
3.3 Risk Assessment (RA)   15
4.0 Determining Business Continuity Management Strategy   16
5.0 Developing and Implementing a BCM Response   18
5.1 Incident Management Plan   18
5.2 Business Continuity Plan   19
6.0 Exercising, Maintaining and Reviewing Plans   20
6.1 Comprehensive Exercise Program   20
6.2 Exercising   21
6.3 Maintenance   22
6.4 Review   23

Acronyms

BC    Business Continuity
BCM   Business Continuity Management
BCMT  Business Continuity Management Team
BCP   Business Continuity Plan
BCT   Business Continuity Team
BIA   Business Impact Analysis
CCP   Crisis Communications Plan
CEP   Comprehensive Exercise Program
ET&A  Education, Training and Awareness
GPG   Good Practice Guidelines
IM    Incident Management
IMC   Incident Management Centre
IMP   Incident Management Plan
IMT   Incident Management Team
IRT   Incident Response Team
ITDR  Information Technology Disaster Recovery
MTDL  Maximum Tolerable Data Loss
MTPD  Maximum Tolerable Period of Disruption
RA    Risk Assessment
RPO   Recovery Point Objective
RRA   Resource Requirements Analysis
RT    Recovery Team
RTO   Recovery Time Objective
RUP   Rendezvous Point
SLA   Service Level Agreement

I)

Nova Scotia has approximately 935,000 people, all of whom rely on the programs and services provided by provincial departments, agencies, boards, commissions and municipalities. In recent history many natural and human-induced events have threatened or interrupted the delivery of these programs and services to the public. Additionally, these events have threatened or interrupted delivery of internal programs and services which support the delivery of public programs and services. The September 11, 2001 terror attacks in the US, and, at home, building fires, flooding, Hurricane Juan in 2003 and White Juan in 2004, as well as other extreme weather and human-induced events since that time, are all excellent examples of how easily the programs and services we take for granted may be threatened or interrupted entirely.

The province's response to those threats was to create a province-wide Business Continuity Management (BCM) program, initially across all government departments and then throughout all government-type entities. The objective was to ensure that urgently required public services could be maintained or resumed quickly after an interruption.

This guide has been prepared by the Nova Scotia Emergency Management Office to assist those who wish to implement a BCM program and plan within their organization. The purpose of this guide is to provide the user with a systematic process to build a BCM program and business continuity plan within their organization. Organizations that develop functioning business continuity programs and plans, and then exercise and maintain them, will be far more resilient than organizations that do not.

II) How to Use this Guide

The process put forward has been adopted and endorsed by the Nova Scotia Emergency Management Office as the Nova Scotia Government best practice. The framework is based upon the Business Continuity Institute (BCI) Good Practice Guidelines 2010 edition. The BCI was established in 1994 to allow fellow practitioners of business continuity management to obtain support and guidance from each other. The institute works to promote the business continuity management profession and has established a body of knowledge known as the BCI Good Practice Guidelines.

Each chapter of this guide addresses items in a logical sequence that, when followed, should establish a business continuity management program and a reliable plan. Please refer to this document's companion book, the BCM Toolkit, for forms, templates, definitions, commentary and other resources to assist in the program and plan development process.

Users of this guide should also note that establishing a comprehensive BCM program and developing a reliable business continuity plan is a significant undertaking, and that much time and effort is typically required. It is a long-term, iterative process, but one with organization-wide benefits if implemented and maintained properly.

Special Note

Establishing a business continuity management program and plan may take a considerable amount of effort and time depending on the scale of services, the size of the organization and available resources. A realistic allocation of time and other resources will be necessary to ensure success.

Due to the significant effort needed to set up a full program and plan, some organizations may wish to move immediately to protecting and writing plans for services that are known to be urgently required and at risk of interruption. Organizations are encouraged to complete their full/comprehensive BCM as soon as is practicable, recognizing this is dependent upon available time and resources. At any time throughout the planning process, identified high-risk single points of failure and vulnerable services should be addressed immediately with appropriate mitigation efforts.

1.0 Business Continuity Management System

For business continuity management to be effective it must align with and support the organization's goals, objectives and culture. The direction and focus of the organization should be well understood so that the BCM program roll-out meets its needs. Results from the business impact analysis and risk assessment tools later in the program, as well as strategy and action plan development and recovery options, will be greatly enhanced as a result of creating an alignment between the organization and the BCM program from the outset. Key personnel within the organization must be appointed to initiate the program, and the support and commitment of senior management must be secured.

Actions:
- Obtain senior management commitment to, and responsibility for, establishing a comprehensive BCM program.
- Allocate a permanent role within the organization to support BCM.
- Establish a senior level BCM Program Sponsor to guide the early development of the BCM program and obtain the necessary human and financial resources to initiate the program.
- Document the following: your organization's strategy, goals and objectives; statutory requirements and regulatory responsibilities; health and safety regulations; internal and external stakeholders; geographic extent and dispersion (regional/satellite offices); changes to staff, technology, mandate and key suppliers; the organization's culture; and other information that helps you understand the organization and its needs.
- Document the strategy, goals and objectives of the proposed BCM program.

Outcomes:
- A senior management team that understands and is committed to supporting a BCM program and plan.
- BCM established as a permanent part of the organization.
- Senior level sponsor identified.
- Documented evidence of the organization's strategy, goals and objectives.
- Documented evidence of the BCM program's strategy, goals and objectives.

1.1 BCM Program Scope

Identify the scope of the BCM program to be implemented. This allows for deployment of resources across the organization when building and maintaining the program, as well as when responding to business continuity events. Typically all aspects of an organization will be considered within the scope of the BCM program. Phased implementation may be a consideration and reflected in the scope. The scope will take into consideration the programs, services, data and locations that comprise the organization.

Actions:
- Write a scoping statement for your organization that includes:
  a. Programs, services, data and locations to be included.
  b. Programs, services, data and locations to be excluded, and the rationale for doing so.
  c. Limitations of, and assumptions used to develop, the scope.

Outcomes:
- A statement identifying the scope of the BCM program.

1.2 BCM Policy

For business continuity management to be effective it must be endorsed by the highest level of the organization. A clearly written policy statement needs to be developed and communicated to all stakeholders. A senior level champion needs to be identified to promote BCM at senior levels and across the organization. A BCM policy sets out the framework by which the BCM program and business continuity plan (BCP) are established and managed. The policy also sets out the performance standards which form the basis of the program audit.

Actions:
- Write a BCM policy for your organization.
- Have the BCM policy statement endorsed by the organization's Senior Management Team.
- Communicate the finalized policy to all internal stakeholders.

Outcomes:
- A BCM policy for the organization that allows for the establishment of a permanent BCM program, is endorsed by senior management and is communicated to all staff.

1.3 BCM Program Resources and Ongoing Management

Establishing a BCM program will have greater chances of success if the organization creates specific roles and other supports to guide and manage the process from initiation through to maturity. As BCM transitions from a project to a program, different skill sets may be required: project management will lead to program management. Certain individual roles and teams will be necessary to guide the process from project initiation to maturation. The roles required are a BCM Steering Committee Chair, a BCM Coordinator and an Alternate BCM Coordinator.

A permanent Steering Committee with representation from all aspects of the organization should be assembled with a mandate to ensure the efficient and effective ongoing management of the BCM program, abiding by the BCM policy statement previously developed. The BCM Steering Committee should establish a BCM Working Group with representation from all areas of the department to ensure appropriate representation. The Working Group will be led by the BCM Coordinator, who is appointed by the Steering Committee.

Actions:
- The senior level program sponsor should ensure the appointment of a BCM Steering Committee Chair.
- The BCM Steering Committee Chair should develop a BCM Steering Committee mandate and ensure the selection of appropriate BCM Steering Committee members.
- The BCM Steering Committee should develop the roles and responsibilities of the BCM Coordinator and appoint a BCM Coordinator and Alternate.
- The BCM Coordinator should coordinate the BCM program on behalf of the organization.
- Use a project management approach leading to a program when initiating the BCM program.
- Support all aspects of the BCM program with adequate documentation that includes planning, project/program management and incident response.

Outcomes:
- Appointment of a BCM Steering Committee, Chair and mandate.
- Appointment of a BCM Coordinator and Alternate with roles and responsibilities.
- A mechanism to establish adequate documentation to support the program and plans.

1.4 Incident Readiness and Response

It is inevitable that an incident will occur and that a business continuity response will be required. Organizations must therefore maintain a level of readiness even throughout the BCM planning process. When an incident does occur, Senior Management will look to its BCM Team to provide leadership, direction and action. To ensure that a business continuity event is handled efficiently and effectively, a Business Continuity Management Response Team and an Incident Management Team should be established. Processes for notification, assessment and BCP activation should be developed and implemented.

Actions:
- Establish a(n):
  a. Confidentiality Declaration
  b. Incident Management Team
  c. Business Continuity Management Response Team
  d. Notification process
  e. Assessment process
  f. Incident Declaration
  g. Reporting Requirements
  h. Emergency Operations Centre (EOC)
  i. Alternate EOC

Outcomes:
- The organization has a minimal ability to respond to an event, although its BCM program is not fully established. Response capability at this time includes:
  a. Confidentiality Declaration
  b. Incident Management Team with defined roles and responsibilities
  c. Business Continuity Management Response Team with defined roles and responsibilities
  d. Notification process
  e. Assessment process
  f. Incident Declaration
  g. Reporting Requirements
  h. Emergency Operations Centre (EOC)
  i. Alternate EOC

2.0 Embedding Business Continuity in the Organization's Culture

Embedding BCM into the organization's culture involves assessing the current level of awareness, designing and delivering campaigns to promote the BCM process, and following up to determine campaign effectiveness. Critical success factors include visible and continued support for the process by senior management. Reasonable consultation across the organization is a requirement, as it serves to build awareness and buy-in. Without obvious senior management support, operational and frontline workers will not buy in either. The behavioral change required to successfully implement BCM will only occur if attitudes and beliefs are also engaged. As a result, changing behavior can be a lengthy process.

Actions:
- Determine the current level of BCM awareness and training within the organization.
- Specify the desired level of BCM awareness and address gaps.
- Analyze the composition of the workforce to determine the level of awareness and training required based upon direct involvement with BCM.
- Develop and deliver training based on the specific needs of the groups being targeted.
- Request feedback on awareness, education, training and skill requirements to support BCM.
- Integrate the BCM message into other training such as orientation courses.
- Offer refresher education, training and awareness activities to ensure staff are kept current.
- Solicit feedback, determine effectiveness and identify options for further education, training, awareness, professional development and professional practice opportunities.

Outcomes:
- Known level of BC awareness and gaps across the organization, to be used as the basis for an awareness and training program.
- Awareness, refresher and training program that delivers the correct level of knowledge to those who require it based upon their BCM responsibilities.
- Known degree of cultural change across the organization for business continuity management.
- Options to further the acceptance of BCM as an ongoing function.

3.0 Understanding The Organization

It is essential to understand the organization in order to develop a comprehensive BCM program and a successful BCP. This means understanding all of the following: the organization's mandate, vision, mission, goals and objectives; how your organization operates, who it serves and who relies upon it; how it is organized and how it fits within the context of the other organizations it deals with; its geographic dispersion (satellite offices and/or board offices); and its internal and external dependencies and linkages to other agencies, boards or related organizations.

Tools vital to understanding your organization include the business impact analysis (BIA) and the risk assessment (RA). The BIA is a tool used to analyze and understand impacts to an organization as a result of a business continuity event. Data from the BIA is used to develop recovery strategies and is pivotal in the development of a comprehensive BCP. The RA is used to analyze and understand the probability and impact of threats to your department that may lead to an interruption.

3.1 Business Impact Analysis (BIA)

Business impact analysis is the foundation on which the whole BCM process is built. It defines, quantifies and qualifies the business impacts of a loss, interruption or disruption of business processes. It provides the data from which appropriate continuity strategies can be determined. Great emphasis needs to be placed on this phase of the program. Data gathered during this phase will impact upon the entire process; poor quality data collection will result in misdirected or ineffective business continuity strategy development. During this step the data gathered will include, at a minimum, all services on a geographic basis, maximum tolerable periods of disruption and recovery point objectives.

Actions:
- Compile a list of all internal and external programs/services on a geographic basis.
- Conduct a business impact analysis on each internal and external program/service.
- Determine for each program/service the maximum tolerable period of disruption, recovery time objective, maximum tolerable data loss and recovery point objective. {See Form 1-Business Impact Analysis.}
- Prioritize all programs/services based on their recovery time objective. {See Form 2-Service Prioritization.}
- Present the results of the BIA to your management team for approval.

Outcomes:
- A list of all internal and external programs/services on a geographic basis.
- A complete business impact analysis for each program/service indicating the maximum tolerable period of disruption, recovery time objective, maximum tolerable data loss and recovery point objective for each service.
- A prioritized list of all programs/services based upon the recovery time objective for each service, to be used as the service resumption order.
- Management approval of the BIA results and service resumption prioritization list.

3.2 Continuity Requirements Analysis

The continuity requirements analysis collects information on the quantities of resources required to resume and continue the business activities at a level required to satisfy the organization's obligations. Immediately following an interruption, required resources may be higher than during normal operating scenarios. This is typically due to workflow backlogs created by the interruption. Along with backlogs, resource levels may be below normal throughout parts of the recovery and restoration period. It is up to the organization to decide the appropriate level of activity following the interruption and throughout the restoration and recovery phases.

Actions:
- Determine the resources required to maintain your organization's most urgent programs, services and data. This is a minimum requirement. {See Forms 3A-3D to gather technology, human, facilities, essential records and other resource requirements. See Instruction Sheets 3A-3D.}
- Obtain sign-off from each program/service owner.
- Determine the strategy to ensure that adequate resources and services will be obtained to maintain urgently required programs, services and data.

Outcomes:
- Resource requirements for the most urgently required programs/services.
- Sign-off from each program/service owner.
- A strategy to ensure that resource requirements for urgently required programs/services may be obtained when required.

3.3 Risk Assessment (RA)

High-risk single points of failure and vulnerabilities should be dealt with immediately.

Risk assessment is the process of analyzing the probability and the impact of a variety of specific threats to an organization which may cause a business continuity event. Ideally a risk assessment should be performed on all programs, services, data systems, facilities and equipment, and not just those deemed critical in the BIA. At a minimum, risks that typically threaten an organization should be analyzed. All risks should be addressed where time and resources permit. Risks should be prioritized based upon a reliable, qualitative scale. The most urgent risks should be dealt with first and elevated to Senior Management if the severity warrants. Any opportunity to mitigate risks during this stage should be exercised. In addition to vulnerabilities, single points of failure should be a focus of the evaluation due to their potential system-wide effects.

Actions:
- Conduct a risk assessment of all the internal and external threats that could cause a disruption within the organization. Focus on the resources required to operate the organization's more urgent activities as determined by the BIA. {See Form 4-Risk Assessment Template and Instruction Sheet 4-Risk Assessment.}
- Prioritize threats from the risk assessment template.
- Identify and document internal and external threats to the organization.
- Identify and document vulnerabilities and single points of failure and possible mitigation efforts.*
- Present the results of the risk assessment and risk prioritization to Senior Management.

*High-risk single points of failure and vulnerabilities should be dealt with immediately.

Outcomes:
- A prioritized risk assessment of all the internal and external threats that could cause a disruption within the organization. These include vulnerabilities and single points of failure.
- Prioritized list of mitigation options for the most at-risk and urgently required programs/services.
- Results presented to Senior Management for consideration and direction.

4.0 Determining Business Continuity Strategy

This step deals with determining and selecting business continuity strategies to be used to maintain the organization's most urgently required business activities and processes throughout an interruption. Each urgently required program/service that an organization delivers externally or internally should have a strategy to deal with a business continuity event causing a complete or partial disruption.

Data collected from the BIA stage will guide the strategy development. For each program/service a Maximum Tolerable Period of Disruption (MTPD) and a Recovery Time Objective (RTO) should have been determined. Ensure the MTPD allows the service to be brought back when required. Setting an RTO with a shorter time frame than the MTPD will allow for a margin of error. An MTDL and an RPO should also have been determined for each urgently required program/service.

There are several generic strategies to be considered when investigating ways to mitigate the impact of a BC event or reduce the threat. Each strategy needs to be considered for its unique resumption speed, cost, availability and appropriateness for the business function. It's important to be realistic with the strategies employed. Costs generally increase for complex solutions or those which require shorter time frames. Strategy options include:
- Diverse Site
- Replication
- Standby Facilities
- Subcontracting Work
- Post-Incident Acquisition
- Insurance
- Do Nothing

Actions:
- For each program/service select a strategy option.
- Develop and provide Senior Management with an evaluation report of the options, from which they can select based on the organization's current and future business strategies.
- Identify activities for each program/service that will have a business continuity plan to support its resumption. Focus efforts on the most urgently required programs/services.
- Select the most appropriate tactic for each activity based on cost, guarantees, additional benefits and other factors. Ensure the actions selected can be completed within the service's RTO. Also ensure that selected tactics do not conflict with each other.
- Have Senior Management sign off on the selected strategies.

Outcomes:
- A report indicating which strategy option has been selected for each program/service being analyzed.
- A set of actions that may be used to resume interrupted programs/services, for each program/service for which the organization has decided to create a business continuity plan.
- Confirmation that resumption activities for identified programs/services will provide for restoration within their RTO and RPO.
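The consistency rules stated for the BIA values (RTO shorter than the MTPD, RPO within the MTDL), the RTO-based resumption order of Form 2, and the rule that a selected tactic must complete within the service's RTO can all be checked mechanically. The following Python is an added example written for this guide, not code from the NS Emergency Management Office or the BCM Toolkit; the record layout, the service rows and the tactic costs and recovery times are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional


@dataclass(frozen=True)
class ServiceBIA:
    """One Form 1 style BIA record (field names are this example's own)."""
    name: str
    location: str
    mtpd: timedelta  # Maximum Tolerable Period of Disruption
    rto: timedelta   # Recovery Time Objective; the guide wants RTO shorter than MTPD
    mtdl: timedelta  # Maximum Tolerable Data Loss
    rpo: timedelta   # Recovery Point Objective; should not exceed MTDL


@dataclass(frozen=True)
class Tactic:
    """A candidate resumption tactic: the strategy option it belongs to, the time
    it needs to restore a service, and an indicative cost (all values constructed)."""
    option: str
    recovery_time: timedelta
    cost: int


def hours(td: timedelta) -> str:
    """Render a timedelta as a short hour count for findings text."""
    return f"{td.total_seconds() / 3600:g}h"


def check_service(s: ServiceBIA) -> List[str]:
    """Return findings for one BIA row; an empty list means the targets are consistent.
    Two checks from the guide: the RTO must sit below the MTPD (margin of error)
    and the RPO must not allow more data loss than the MTDL."""
    findings = []
    if s.rto >= s.mtpd:
        findings.append(f"{s.name} ({s.location}): RTO {hours(s.rto)} leaves no margin "
                        f"below MTPD {hours(s.mtpd)}")
    if s.rpo > s.mtdl:
        findings.append(f"{s.name} ({s.location}): RPO {hours(s.rpo)} exceeds "
                        f"MTDL {hours(s.mtdl)}")
    return findings


def resumption_order(services: List[ServiceBIA]) -> List[str]:
    """Form 2 style prioritisation: shortest RTO first, ties broken by MTPD then name."""
    return [s.name for s in sorted(services, key=lambda s: (s.rto, s.mtpd, s.name))]


def select_tactic(s: ServiceBIA, tactics: List[Tactic]) -> Optional[Tactic]:
    """Pick the cheapest tactic whose recovery time fits inside the service's RTO,
    mirroring the rule that selected actions must complete within the RTO.
    Returns None when no candidate is fast enough (a case to escalate)."""
    feasible = [t for t in tactics if t.recovery_time <= s.rto]
    return min(feasible, key=lambda t: t.cost) if feasible else None


# Constructed sample data: four fictitious provincial services and four tactics.
SAMPLE_SERVICES = [
    ServiceBIA("Emergency dispatch", "Dartmouth", timedelta(hours=4), timedelta(hours=2),
               timedelta(minutes=15), timedelta(minutes=15)),
    ServiceBIA("Public website", "Halifax", timedelta(hours=24), timedelta(hours=8),
               timedelta(hours=4), timedelta(hours=24)),   # RPO exceeds MTDL
    ServiceBIA("Permit issuance", "Truro", timedelta(days=2), timedelta(days=2),
               timedelta(days=1), timedelta(days=1)),      # RTO equals MTPD: no margin
    ServiceBIA("Payroll", "Halifax", timedelta(days=5), timedelta(days=3),
               timedelta(days=1), timedelta(days=1)),
]

SAMPLE_TACTICS = [
    Tactic("Do Nothing", timedelta(days=10), 0),
    Tactic("Post-Incident Acquisition", timedelta(days=5), 20_000),
    Tactic("Standby Facilities", timedelta(hours=6), 150_000),
    Tactic("Diverse Site / Replication", timedelta(minutes=30), 400_000),
]


def review(services=SAMPLE_SERVICES, tactics=SAMPLE_TACTICS) -> dict:
    """Run all checks and return a report dict for the management sign-off step."""
    return {
        "findings": [f for s in services for f in check_service(s)],
        "resumption_order": resumption_order(services),
        "tactics": {s.name: (t.option if t else None)
                    for s in services for t in [select_tactic(s, tactics)]},
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(key, value)
```

On the sample rows the review flags the website (RPO of 24h against a 4h MTDL) and permit issuance (no margin between RTO and MTPD), which is exactly the kind of result to resolve before the strategy report goes to Senior Management.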

5.0 Developing and Implementing a BCM Response The development of a comprehensive BCM response for an organization typically includes two levels of plans. These are the Incident Management Plan (IMP) and the Business Continuity Plan (BCP). An effective response is characterized by procedures for escalation and control, effective stakeholder communication and techniques to resume interrupted activities. An IMP defines how the strategic issues of an incident affecting the organization would be addressed and managed by Senior Management. A key component of the IMP is a Crisis Communications Plan (CCP). A BCP coordinates the response to an incident across the whole organization. It defines who does what, when, where and provides for the authority and management to do so. A BCP is typically a document made up of several sub-plans. The IMP, CCP and BCP should be designed based upon previously agreed objectives and built using an iterative process. 5.1 Incident Management Plan Effective and rapid management of incidents is critical. It can play a significant role in maintaining the organizations reputation and protecting its financial situation. An Incident Management Plan (IMP) provides a framework for an organization s executive management team to respond to any type of incident. A Crisis Communications Plan (CCP) is a key element of the overall Incident Management Plan and will ensure effective communications with all stakeholders. Appoint a senior management team member as the owner of the Incident Management Plan. {See example Plan and Content in the BCM Toolkit.} Define the objectives, scope, responsibilities and roles of the Incident Management Team. Determine the individuals to fill the roles of the Incident Management Team. Draft, circulate and finalize Plan options. Draft, circulate and finalize a Crisis Communications Plan. {See the Crisis Communications Plan Guide and Template.} Page 19 of 24

Outputs:
- The development of an Incident Management Plan and Team.
- The development of a Crisis Communications Plan.
- Appropriate people are made aware of and have been trained on the plan.

5.2 Business Continuity Plan

A business continuity plan coordinates the organization's response to a business continuity event. Plan users should understand the information being relayed about the incident so that an appropriate response can be activated, resources mustered, stakeholders advised and the Incident Management Team appropriately informed.

BCP components, content and detail may vary across organizations due to cultural, technical and administrative approaches and the technical solutions required. When writing the BCP, use an iterative process that scrutinizes the steps of the plan to ensure it will meet plan objectives. Try to ensure that the plan actions will be realistic, usable and reliable, so that no major errors are found during the plan exercising phase.

Activities:
- Appoint an owner for the business continuity plan (or for each plan, where there are multiple locations). {See example Plan and Content in the BCM Toolkit.}
- Define the scope, objectives, structure, format, components and content of the plan. {See example Plan and Content in the BCM Toolkit, BCM Team Responsibilities and Form 5-Action Summary Sheet.}
- Use information from the BIA, resource requirements and other information as required to draft the plan.
- Use an iterative process to develop the BCP that includes action plan testing, validation and amendments that meet the objectives set out in the BCM policy for the organization.
- Ensure appropriate people are made aware of and have been trained on the plan.

Outputs:
- A business continuity plan and sub-plans for the organization.
- Appropriate people are made aware of and have been trained on the plan.

6.0 Exercising, Maintaining and Reviewing Plans

Once the business continuity plans for an organization have been developed, exercising, maintaining and reviewing the plans are the next major steps. A comprehensive exercise program should be established. Exercising a plan allows users to become familiar with it and identifies weaknesses and areas for improvement. Plan exercises may also serve as a valuable tool in instilling business continuity as part of the organization's culture, and may motivate those who have yet to see the value of this type of planning. No plan should be considered reliable unless it has been exercised and its deficiencies have been addressed.

As organizations change over time, so should the content of their business continuity plans. Once a plan is written it should not be thought of as complete. It should be viewed as a living document that is continually and periodically updated to reflect the changes that have occurred within the organization.

Reviews and revisions play a key role in maintaining the overall integrity of the BCM program. Whether done internally or externally, they serve to verify, validate and highlight deficiencies. These deficiencies should be addressed as required.

6.1 Comprehensive Exercise Program

A comprehensive exercise program greatly enhances the organization's BCM program and plans. The exercise program should progress from simple to complex as the program matures. External organizations that provide significant resources which help the organization meet its objectives should be included in the exercise program as well.

Activities:
- Assemble a list of all recovery processes.
- Determine a suitable exercise for each process.
- Develop an exercise timetable that ensures that all relevant people and recovery processes are eventually included in the exercise program.

Outputs:
- An exercise program that will, over time, include all relevant people and recovery processes and will enhance the organization's BCM program.

6.2 Exercising

Exercising BC plans can take the form of overview seminars, drills, table-top, functional and full-scale exercises. The concepts of stringency, realism and minimal exposure need to be well understood and applied within each exercise type of the comprehensive exercise program. All exercises play an important role in the overall BCM program. It is important to demonstrate that an exercise is an opportunity to measure the quality of the planning, the competence of the individuals and the effectiveness of the capability, rather than a simple pass/fail examination. Exercise participants gain increased familiarity and confidence with the BC plans, and deficiencies become highlighted. Deficiencies should be addressed as soon as possible. Ensure that an exercise does not expose the organization to unnecessary risks when it is conducted.

Activities:
- Develop the scope, objectives and budget for the exercise type to be selected.
- Determine the type of exercise, the scenario and the inputs based on the scope and objectives.
- Conduct a risk assessment to minimize the risk of an impact on live operations.
- Conduct the exercise.
- Debrief exercise participants, prepare an after-action report and submit it to the appropriate authorities.
- Report the results of tests, rehearsals and exercises to Senior Management.
- Ensure errors, failures or other negative findings of the tests, rehearsals and exercises are addressed within the plans.

Outputs:
- The design and delivery of well-planned exercises that test and validate business continuity plans.
- Rehearsal of people, processes, equipment, infrastructure and technology to ensure preparedness and identify gaps.
- Identification of plan deficiencies and remedial efforts taken to improve recovery plans.
- Increased awareness and appreciation of emergency procedures and business continuity management.

6.3 Maintenance

Organizations experience change over time. Technology, human resources, mandates, programs/services, budgets and many other aspects of an organization are susceptible to change. Such changes in one area of an organization may impact other areas of the organization. Changes in partnering organizations may also have impacts. As organizations change to reflect current commitments and mandates, so should the BCM program and plan content. An outdated program or plan may not permit the organization to respond effectively to a business continuity event when it occurs. Making BCM a permanent component of the organization's management processes will allow BCM maintenance to occur with greater ease.

Activities:
- Include BCM and plan maintenance as a regular part of the organization's normal management processes.
- Ensure the following are reviewed and updated on an annual basis: mandate, structure, staff, technology, data, IT systems, programs, services, business impact analysis, risk assessment, BCM strategies, resource recovery strategies, incident management plans / incident communication plans, business continuity plans, activity response plans, training and delivery strategies, linkages/contracts with internal/external suppliers, and contact lists.
- Distribute updated BCP documents and maintain version control. Identify changes as revisions are released.

Outputs:
- BCM plan maintenance embedded within the normal management processes.
- All significant aspects of the BCM program and plan are covered under the maintenance plan.
- Updated BCP documents distributed with identified changes using the version control process.

6.4 Review

Reviewing the BCM program and plans includes internal and external audits and self-assessments. Audits are typically conducted against a previously agreed standard and verify that the process has been followed as laid out.

Activities:
- Set audit goals, objectives and process.
- Conduct the audit.
- Present audit findings to Senior Management.
- Develop action plans to ensure audit findings and deficiencies are addressed.
- Obtain sign-off on the audit report and action plans from Senior Management.
- Have audit deficiencies addressed within the program and plan.

Outputs:
- Audit plan goals, objectives and process.
- A completed audit.
- Presentation of findings to management.
- Remedial action plans to address program and plan deficiencies.