What are the technologies that can help minimize an organization’s risk exposure during a business disruption?
Knuff: Use of secure and reliable cloud solutions minimizes risk exposure if an organization is confident in its cloud solution’s ability to adapt quickly. Access to cloud solutions ensures that, regardless of where staff may be, installation and setup of critical systems is not required. Consider licensing tools that permit offline working for situations where internet connectivity is a challenge. Ensure the organization has a cloud and/or mobile communication tool that allows concise communication at the beginning of the disruption and effortless collaboration as the organization adapts and moves through it. Human engagement is critical to minimize and address risk. Check the contract for terms on warm and hot sites (backup sites) to ensure the company has the right level of support in its service agreement for cloud solutions.
Zitting: In short, cloud. Building a digital infrastructure based on credible, industry-leading SaaS business applications and collaboration tools can dramatically reduce disruption risk. Applications with layers of redundancy ensure availability as well as meeting committed uptime levels, and can quickly evolve tool sets for changing needs.
Governance technology is a critical layer that sits on top of smart digital infrastructures to manage risk through digital capabilities. Once a business disruption occurs, organizations should use governance technology to watch for cyber breaches, changes in employees’ digital behaviors, and business operations that bypass internal controls or make them obsolete. Agile risk management and business continuity technology — specifically that which is powered by robotic data automation, analytics, and machine learning — enable organizations to identify risk landscape shifts much quicker than via manual assessments.
How does reliance on remote working technologies impact business continuity efforts?
Zitting: Risks include new vectors for attack via employee devices and home networks, overloading of VPNs and related infrastructure, and new social engineering/phishing schemes. In some industries, the impact on business continuity was more drastic; for example, in health care, remote work resulted in a shift in the “core product” from traditional in-person care to telemedicine. When the core product goes through such a rapid digital transformation, risk impacts are also felt in other areas, including how it’s sold, delivered, and accounted for. Organizations focus on the continuity of the product/service and its sales but can be slower to achieve continuity of internal control systems. Internal audit may be the last line of defense in this regard, but it’s often the first to consider it, so it is critical it can reassess the business in real time and check for critical controls that are degrading or becoming obsolete.
Knuff: Often, the increased reliance on remote technologies improves the agility and velocity in getting back to “business as usual.” Team members are already familiar with, and are likely to have used, the technology in the office and home. Access to these tools changes the staff question from “how will I get work done?” to “how can I help?” Organizations that already had remote staff adapted much quicker during the early stages of the pandemic because they already had these technologies and a blueprint.
What are some key characteristics of audit functions that have added value in this area during the pandemic?
Knuff: The first key was already being a trusted advisor, which meant being involved in the business continuity plan activation from the beginning. Chief audit executives (CAEs) who were involved then provided two key deliverables: 1) an updated risk assessment to identify where organizational efforts would be required to react and adapt, and 2) the ability to pivot their audit plan and staff to assist. Another key characteristic was the ability to provide a continuous and immediate feedback loop, so that as internal auditors conducted quick assessments or tested key controls in a new environment, they were not holding back until it was time for a formal report. They were sharing insights immediately with the business so adjustments could be made to minimize risk exposure.
Zitting: While internal auditors have continued to do their best work despite the disruption, many have largely taken their cues from executive management. And if management is focused primarily on continuity of operations, rather than controls, organizations are vulnerable to extended and/or more severe disruption. Risks are well-managed when internal audit teams proactively identify key response objectives, such as managing workforce health, safety and job effectiveness, financial contingency management, and customer continuity, and then evaluate the risks, response activities, and control evolutions needed to meet those objectives. These internal audit teams can clearly articulate — for the board and audit committee — the real fallout from the pandemic.
How can internal audit help adopt lessons learned from COVID-19 to enhance business continuity efforts?
Zitting: Many previous business continuity plans are no longer relevant, such as those related to working in centralized brick-and-mortar locations. Rather than continuing to audit for compliance with outdated controls, auditors need to execute consultative engagements to help recover and adjust to a new normal. Auditors should evaluate and adjust their organization’s business continuity scenario planning processes in light of the experience of operating in a pandemic, as well as in the broader context of enterprise risk management (ERM). Specifically, they should use any COVID-19-related learning to determine if business continuity planning is ranked appropriately within the company’s ERM. At the same time, auditors can also review operational controls to identify any design flaws based on these learnings.
Knuff: Internal audit should ensure all lessons learned are documented. As new routines, processes, and systems are reaching a regulated cadence, internal audit should schedule a retrospective meeting with key stakeholders in the business continuity planning process. The CAE should facilitate the review of lessons learned so that the organization can decide if these lessons should be updates to the existing plan, an entirely new response plan, or adapted as part of standard working practices. Internal audit should follow up on these decisions timely to ensure actions agreed to are taken. Documenting key challenges in the initiation of the plan also will be valuable when simulating future tests of it.
What are the top business continuity-related risks heading into 2021?
Knuff: Touchstone Research for Internal Audit, a survey conducted by my company during the pandemic, clearly identifies that third-party risk identification and management, which can include supply chain and cloud solutions, is the biggest risk to address in 2021. Understanding which third parties are critical to continuity and mitigation, monitoring, and even replacement plans will be required. Think beyond suppliers and vendors. Which alliances, partners, business channels, and key clients/consumers also are important to assess and monitor? The second risk to be assessed will be the response of the organization to the new way it interacts with both suppliers/vendors and clients/consumers. Adapting to the digitalization of data and consumer/client interactions for organizations rooted in brick-and-mortar will be a significant challenge.
Zitting: We’ve yet to go through a year-end close, financial statements, audits, and many other annual processes that will be dramatically impacted by COVID-19-related challenges. As organizations shift from being valued on revenue and profits to a more total stakeholder value, we also anticipate more events that create continuity risk. For instance, climate change is affecting businesses’ operations whether directly through physical disturbances such as natural disasters, or by changing how they value their assets, or evolving operations to reduce carbon emissions. And, diversity, equality, and social justice will continue to accelerate and create business disruptions in 2021.