Training Catalog

Auditing Resilience and Business Continuity Plan (BCP)

Banking

Description

Introduction

Today, in an environment exacerbated by geopolitical risks, leading organisations are turning BCP requirements into a strategic advantage. Specifically, investments in operational resiliency are helping organisations become more responsive to client needs while improving operational reliability, quality, efficiency, and the ability to cope with external events. Internal audit plays an important role in providing assurance on the resilience of the company and in highlighting improvements to implement or proposing mitigating solutions to deficiencies.

As organisations face increasingly complex business and operational environments, functions such as business continuity keep evolving. Today, successful resilience and business continuity programmes (BCPs) both address the technical issues involved and strive to support the organisation’s efforts to improve and sustain an adequate level of operational resiliency. Operational resiliency efforts tackle operational risk by identifying potential operational problems and improving the processes and systems used.

Objectives

At the end of this training, participants will be able to:

  • Master the stakes of a BCP audit methodology.
  • Allow anticipatory management of crises and risks.
  • Recommend relevant actions to create strategic advantage.
  • Add value to the BCP programme.
  • Understand the assurance roles of internal auditors in the BCP.
  • Understand the different phases of a BCP programme.

The course is based on the ISACA and COBIT approaches, the ISO 22301 lead auditor certification, the Basel publications of sound practices on operational risk management and operational resilience (issued March 2001), DORA and SOC reports. It will help participants prepare for the ISO 22301 and CISA methodology (BCP part).

Programme
Fundamentals of Business Continuity Planning and ISO 22301
  • Essentials of Business Continuity Planning (BCP)

    • Difference between BCP and DR (Disaster Recovery) and integration approach.

    • Strategic importance and lifecycle of BCP.

    • Basel and the operational risk resilience principles.

  • Understanding ISO 22301

    • Key components and requirements of the ISO 22301 standard.

  • Implementing ISO 22301

    • Step-by-step guide to implementing ISO 22301 within an organisation.

  • Exercise: Creating a BCP Strategy

    • Participants work in groups to draft a BCP strategy based on a given scenario.

COBIT 2019 and CISA Integration in BCP
  • Introduction to COBIT 2019

    • Principles and governance frameworks of COBIT 2019 as they apply to BCP.

  • CISA's Role in BCP

    • Overview of how CISA guidelines integrate with BCP strategies.

  • Risk Assessment and Management

    • Techniques and tools for identifying, assessing, and managing risks from an auditor's point of view.

  • Workshop: Risk Mapping and Analysis

    • Participants engage in risk mapping exercises for hypothetical organisational threats.

DORA Audit and Digital Resilience
  • Digital Operational Resilience Act (DORA) Overview

    • Comprehensive review of DORA requirements and its implications for BCP.

  • Preparing for a DORA Audit

    • Key considerations and preparation steps for undergoing a DORA audit.

  • Mock DORA Audit

    • Simulation of a DORA audit process, including incident reporting and management.

SOC Reporting and Advanced Crisis Management
  • Introduction to SOC Reports

    • Types of SOC reports (SOC 1, SOC 2, SOC 3) and their relevance to BCP.

  • Creating and Analysing SOC Reports

    • Guidelines for preparing SOC reports, including case studies.

  • Scenario Analysis and Crisis Governance

    • Advanced crisis management scenarios are presented for group analysis.

  • Interactive Crisis Simulation

    • A role-play session where participants manage a simulated crisis based on earlier scenario analysis and prepare an internal audit programme.

Case studies related to different disruptions

Target Audience

Internal auditors (with a good level and experience), compliance officers, business controllers, senior and middle-level management officers.

Preferred: at least 3 years’ experience in audit and/or business control.


Modalities

Course Material

Please note that, for environmental reasons, no paper version of the training material will be provided for your training. The course material can be downloaded free of charge via your portal before the start of the course (see the Client Portal User’s Guide). You will be able to view it on the screen of your mobile device or print it if necessary. If your registration has been made by a training manager of your company, please contact him/her so that he/she can give you access to it or send it to you.

Exam

No exam is available for this course.

Contact

For further questions please contact our partner in your country