Why Your Business Continuity Plan Might Fail an Audit (Even if You Have One)
1. Introduction: The "Paper Tiger" Problem
In my years as a Lead Auditor, I have walked into dozens of organizations that proudly present three-ring binders overflowing with hundreds of pages of "preparedness." Yet, when we dig into the operational reality, these systems crumble. This is the "Paper Tiger" problem: a Business Continuity Management System (BCMS) that looks formidable on a shelf but lacks the structural integrity to function during a crisis.
Clause 7.5 (Documented Information) of ISO 22301 is consistently the most frequent source of nonconformities. The reason is simple: organizations treat documentation as a bureaucratic hurdle rather than the foundation of a consistent, repeatable, and reliable system. To an auditor, if a process is not documented, it doesn't exist; if an action is not recorded, it never happened.
2. Takeaway 1: The "Instruction vs. Evidence" Divide
A fundamental failure in many BCMS implementations is the inability to distinguish between documents and records. This isn't just semantics—it is the "Standard’s Divider" between your planning (Clause 7.5.2) and your execution (Clause 7.5.3).
As the saying goes: "Documents guide action; Records prove implementation." Confusing these two weakens your evidentiary chain. Missing documents point to a failure in planning, while missing records indicate a total failure in implementation.
3. Takeaway 2: The Trap of the "Perfect" (but Obsolete) Plan
I often see what I call the "Nonconformity of the Perfect Document." These are beautifully written plans that describe an organization that no longer exists. If your plan reflects last year’s technology stack or a departmental structure that was reorganized six months ago, it is a failure—regardless of how well it is written.
Auditors look for objective evidence that your documentation aligns with current operations and the defined BCMS scope.
Auditor’s Insight: Unapproved documents are not "controlled" documents. Under Clause 7.5.2, every document must meet mandatory control criteria, including Identification (title/reference), Description (purpose/scope), and Format. Without a formal review and approval for suitability and adequacy, a document is merely a draft, not part of your BCMS.
4. Takeaway 3: The "Locked Door" Paradox
Clause 7.5.3 requires that documented information be both "Available and Suitable." I frequently encounter the irony of a world-class recovery plan stored exclusively on a primary server that becomes inaccessible the moment a disruption occurs.
"A continuity plan locked in an unavailable system is unusable."
To satisfy the auditor’s requirement for "Availability and Suitability," you must prove that:
- Accessibility: Staff can access the plans exactly where and when they are needed (even during a total IT blackout).
- Protection: The plans are secured against unauthorized access (Confidentiality) and unintended alteration (Integrity).
- Format: The documents are in a medium (paper, electronic, or software) that staff can actually utilize under stress.
5. Takeaway 4: The Golden Rule—"If it isn't recorded, it didn't happen"
From an auditor’s perspective, objective evidence is the only currency. I use staff interviews to strip away the "Paper Tiger" and see if the system actually lives within the organization. If staff cannot tell me where records are or how they are managed, your document control system is broken.
Typical interview queries I use to find gaps include:
- How do you verify you are using the latest version of a procedure?
- Where exactly are the BCMS records (like exercise reports or incident logs) stored?
- How long are records kept? (This is a frequent trap for staff who don't understand the retention policy).
- How are documents accessed if the primary IT network is down?
The Retention Risk: Many organizations fail by deleting evidence too early. Your BCMS must define clear retention periods, storage locations, and disposal methods that account for legal, regulatory, and business requirements. Prematurely disposing of records is a serious audit risk—it is the literal destruction of the evidence I need to certify you.
6. Takeaway 5: Why "More" is Not "Better"
A 500-page BCMS manual is not a sign of preparedness; to an auditor, it is a "red flag" for a lack of focus and usability. "Over-documentation with no clarity" is a common gap. We look for a system that is lean, usable, and controlled.
Common documentation failures include:
- Obsolete plans: Older versions remaining accessible and causing confusion.
- Missing approvals: Documents being used without formal management sign-off.
- Mixed systems: BCMS documents stored in unrelated, uncontrolled departmental folders.
Auditor’s Insight: Categorizing Findings
- Major Nonconformity: A total lack of effective document control or the absence of mandatory documents/records required by the standard.
- Minor Nonconformity: Documents exist but show inconsistent application, such as a few missing signatures or a single plan missing its version history.
7. Conclusion: Documentation as the Engine of the PDCA Cycle
Clause 7.5 is not a bureaucratic hurdle; it is the "memory" of your Plan-Do-Check-Act (PDCA) cycle.
- Plan: You document your strategies.
- Do: You guide action through those documents.
- Check: You retain records as the only evidence of performance.
- Act: You update documentation based on the records of what actually happened.
Without the "Check" (records), your organization is amnesic; it cannot learn, and it cannot improve. If your systems went down tonight, is your "proof" of readiness stored in a way that helps you survive, or is it just another item on the list of things you can no longer access?