A large government contractor required an evaluation of their business continuity plan (BCP), which consisted of three related plan documents, to validate that the plan aligned with industry standards and established frameworks and, more importantly, met the continuity and recovery needs of the organization.
Baker Tilly, working as internal audit, conducted a review of the three plans that constituted the organization’s entire BCP to validate that the proper processes and controls necessary for addressing business continuity and disaster recovery risks existed and were operating. Specifically, Baker Tilly assessed whether the plan included key components such as a defined governance structure, a detailed business impact analysis, periodic training and related policies and procedures. In addition, the review confirmed whether the plan was tested to ensure continuous operability of the organization’s business functions, inclusive of supporting business applications and information technology (IT) systems (e.g., networks, workstations) in the event of a disruption. Baker Tilly also conducted interactive tabletop exercises with key stakeholders to simulate three scenarios in which the organization would invoke the BCP: a ransomware attack, an insider threat, and a cloud vendor disruption.
The organization used Baker Tilly’s recommendations to improve aspects of their plan, including a more inclusive business impact analysis, improved coordination with third-party vendors, periodic testing of the plan and the integration points with other organizational plans. Additionally, Baker Tilly’s after-action reports summarized each tabletop exercise, noting strengths and opportunities for improvement identified during the exercise and recommendations for addressing identified deficiencies.