CHAPTER 11: REPORTING AND ASSURANCE

Corporate governance

The buck stops, legally, with directors or governors. They are responsible, whether they like it or not, for ensuring that their organisation’s risks are appropriately managed.

But, in the majority of cases, members of the governing body are unlikely to routinely ask how the BCM programme is coming on, or whether all the documents due for review that month have been reviewed.

Directors of limited companies generally feel that they are protected from any personal liability if things go wrong. There is an exception to every rule, however, and if those directors choose to ignore the risks of interruption to what their organisation does, then they expose themselves to the risk of being personally liable for any losses that may ensue.

It is, of course, highly unlikely that any reader of this book, or any of their directors, would be in such a position. Directors generally rely on the executive to provide them with the information they need to discharge their duties properly.

Like many other reporting mechanisms in bodies corporate, the executive is expected to provide information to the governing body, so that its members can satisfy themselves that the organisation is being properly run; in this case, that its risks of operational interruption are being appropriately managed.

Including a regular report on BCM in the Board’s reporting arrangements is also likely to help it to become embedded in the organisation’s culture; certainly, it will not detract from it.

Those familiar with other management systems will also be familiar with the business of reporting to their governing body. Certification under ISO22301 does provide something of a short cut for the executive, in assuring the Board that the organisation has, and is operating, an appropriate management system for managing the risks of operational interruption.

The ongoing reporting of reviews, audits and exercises will maintain this assurance as, indeed, will the successful outcome of surveillance visits made by the certification body.

Supplier assurance

A good organisation will already be conducting some form of supplier assurance in respect of financial viability, quality, and so on. Where critical activities are outsourced to suppliers or providers, a maximum tolerable period of disruption will have been established for those activities, and it will be very important to seek assurance from outsource suppliers that they also have appropriate BCM arrangements in place, not least so that the RTO for whatever they provide can be met.

The status of suppliers in respect of BCM should almost certainly form a part of the corporate governance reporting arrangements.

Many organisations will also benefit from seeking this type of assurance, in respect of supplies other than outsourced activities.

Due diligence

Every organisation is interested in what people think of it. Whether in the public or the private sector, no organisation today is immune to scrutiny in one form or another.

In the commercial world, organisations are more and more interested in how other organisations that they deal with are run. Investors are particularly interested, as they usually have more to lose if things go wrong.

The quality of reporting, and strength of assurance in respect of BCM, is already an important factor in due diligence undertaken by customers, investors and suppliers. Certification under ISO22301 will be a very powerful tool in this respect, and the comprehensive nature of reporting will also serve to enhance the due diligence process, which can happen at any time.
