The past year has taught internal auditors that business disruption can be global and that it can last a long time. Shocks to the business are not limited to power cuts and IT outages: organizations now face potentially long-tail political and economic turmoil as recessions loom around the globe. And ultimately, the pandemic has demonstrated that there is a big difference between having a business continuity plan and having business continuity capability.
“The most fundamental business continuity plans have typically focused on the response to standard types of scenarios, such as a fire that results in the total loss of a site, flooding, security incidents, and utility failure,” says James Elliott, a regional manager at Norwich, U.K.-based QMS International, a quality management specialist. “These become obsolete in a pandemic situation when many are working from home.”
Typically, business continuity planning has revolved around issues that organizations could reasonably expect to deal with at some point in the future: COVID-19 has put an end to that. “If you live in an area that suffers from earthquakes or hurricanes, for example, then naturally your business continuity plans will take such situations into account,” says Jim Zeches, an Atlanta-based senior GRC consultant at IT Governance USA. “What the COVID-19 pandemic has done is make many organizations firefight situations they believed would never take place, and it’s obvious how little many have planned for such eventualities.”
The continuity plans that most organizations have relied on are no longer fit for purpose in a post-COVID world. The pandemic has forced every organization to rethink business continuity management and to reevaluate what in-house capabilities it needs to react to short- and long-term disruption in the future.
The Right Focus
Despite many organizations’ unpreparedness for the pandemic, Zeches doesn’t think they need to go back to the drawing board. “Instead of trying to plan for every disaster that could come into play, organizations should focus on what individual, specific activities would mean for the business,” he says. “Rather than thinking up scenarios such as, ‘How should I prepare for a global pandemic,’ or ‘What should I do if an asteroid strikes,’ organizations should be thinking even more granularly and considering their everyday logistics.”
Zeches suggests, for example, that organizations consider what they would do if employees can’t physically access the office, or if an internet outage occurs, or how work can be done confidentially if employees are working from home with nonemployees in the household. “These are the kinds of straightforward questions that can be worked through and applied to a whole host of situations outside of the organization’s control,” he says.
Such approaches resonate with other internal audit leaders. Ben Getz, audit director at Peoria, Ill.-based insurer RLI Corp., says “you can test for various scenarios, but you can’t plan for every scenario. Once you recognize that fact, the key issue becomes one where measuring resilience is vital.”
While organizations can’t plan for every eventuality, Getz says they can review how well they could cope with issues such as a power outage, a local or national lockdown, a major IT failure, and immediate or long-term supply chain disruption. They also can check whether continuity plans are in place, whether they are adequately resourced, and who in the organization is in charge of implementing them — in whole or in part. And they can ensure that testing is in place to determine whether plans work and whether management and staff can understand and follow procedures during testing exercises. “There is no doubt that internal audit has a strong role in reviewing and contributing to these plans,” he says.
Getz’s colleague, Seth Davis, RLI’s vice president and controller, says one of the key steps to reviewing historic business continuity plans is for organizations to look at the parts that have worked during the pandemic, and the parts that failed or did not work as well as hoped. They then need to examine why some aspects of the plan succeeded while others didn’t and determine what changes need to be made as a result.
“Internal audit should review which parts of the business were most adversely impacted by the pandemic and assess whether the current ways of working are sustainable or whether they might create new risks that need to be assessed and controlled,” Davis says. “The audit function should also review not only the organization’s overall resilience, but the resilience of different departments and operational areas to see if there might be any flaws or potential holes.”
Other experts take a similar position. Alistair Smith, internal audit, risk, and control director at energy firm EDF in London, says that effective business continuity planning requires a strong audit role to make sure everyone in the organization knows what to do in the event of a crisis. “Internal audit has a duty to ensure that management is aware that business continuity planning needs to change so that it looks at short-, medium-, and long-term impacts, and that any revised plan can be easily understood and simply followed,” he says. “When disaster strikes, management needs to be confident that the plan works and that everyone knows what they’re doing.”
Plan for Impact, Not Scenarios
Matthew Watson, managing director at internal audit and risk consultancy Protiviti in Washington, D.C., agrees that business continuity planning is no longer about planning for what kind of scenarios are most likely to happen: It is now focused on how an organization can deal with the impact from any disruptive event, irrespective of what it may be. “Trying to plan for every scenario is not effective,” Watson says. “It is much better to lay out what skills and resources the organization has and show how these can be used to form a response to a particular event.”
According to Watson, organizations need to assess what the impact of any disruption could be on key pillars of the business — such as people, technology, and operational processes — and review how long they could cope before the organization risked failure. “Once you understand the impact of an adverse event, you can then think about what measures need to be put in place to mitigate the dangers by carrying out a business impact assessment,” he says.
As part of the assessment, Watson recommends that internal auditors review historical assumptions around previous business continuity measures “to see if they still hold true.” He points out that measures that weren’t considered feasible years ago may now be relatively simple to implement, citing remote working as an example. “Five years ago most organizations would never have thought that they could cope with most of their workforce working outside of an office, yet now it has proven to be an alternative, and effective, way of working,” he says.
Watson also says that internal audit should check whether the organization might be exposed to a “single point of failure,” pointing to several questions practitioners should consider:
- Does the organization rely heavily on a key individual, supplier, or customer?
- Could the organization survive if a key market were cut off?
- Is one product or service responsible for more than half of the organization’s revenues?
He suggests that auditors should note any indication that the organization relies too heavily on one or two providers for operational support and report it to management as a potential risk.
To win over management, Watson suggests that internal audit should coordinate its response with other assurance functions such as risk management, compliance, IT, and human resources. “If these functions work together and speak with a unified voice to give a consolidated view, it is more likely to get management’s attention,” he says.
Watson also says internal audit should quantify what the impact to the business would be if a particular kind of disruption should occur. Without evidence to show how the event might impact operations or an estimated financial cost if no action is taken, he says, auditors will have a difficult time convincing the board to act.
Watson advises citing known examples. “For instance, could the company be hit with a multimillion-dollar fine under Europe’s General Data Protection Regulation if customer data is hacked as part of a cyberattack?” he asks. “Can the company be forced to pay out to contractors under a clawback clause if a power outage or flood prevented it from completing an order? What would the financial costs be to the business if the company was forced to outsource operations to another provider in order to fulfill contractual obligations?”
He also suggests determining whether these scenarios have occurred at other companies and, if so, how badly they were impacted in terms of cost and recovery time. Showing management and executives that internal audit has thought through the implications of these kinds of scenarios, he says, will help get them on board.
Ibrahim Alfaifi, head of internal audit at Saudi Arabia’s Ministry of Human Resources and Social Development in Riyadh, says that one of the most effective ways to get the board’s attention, and to demonstrate the need to invest resources in a comprehensive business continuity plan, is to show them just how long the organization could afford to stop operations if disaster struck tomorrow.
“Once you know how exposed the organization is, which parts of it are most likely to be impacted — and how quickly these impacts will be felt — you then have a very good idea of where the main weaknesses are, how strong the business continuity plan needs to be, and the key areas it may need to focus on,” he explains.
Ultimately, the success or failure of a business continuity plan depends on the willingness of management to back it — not just in terms of leadership, but also in terms of resources. “Management should not regard an investment in business continuity as a ‘cost’ but more like a ‘benefit,’” Alfaifi says. “There is an obvious return on investment if an organization’s business continuity plan works effectively. It offsets risk and makes the organization more resilient in the long term.”
He adds that internal audit has to remind management — and perhaps the organization generally — that business continuity is not a one-off, short-term activity. “It is not just a plan that is drawn up and reviewed at the end of the year,” he says. “Internal audit needs to make sure that management takes ownership of it like it would with any other risks, and that plans are regularly reviewed, tested, updated, and improved where necessary.”
Alfaifi says internal auditors also need to make sure the organization reviews the business continuity plans and resilience testing of its suppliers. “It is important to question your suppliers about their business continuity plans so that you have more assurance that they can continue to provide their services if disaster happens,” he says. “Internal auditors should check the service level agreements their organizations have with third parties to see what provisions and contingencies they have in place to continue to provide services if their own operations are disrupted, as well as what clawback clauses you have if they fail to honor their contracts.”
Capturing Stakeholder Input
Experts say organizational reviews of business continuity should incorporate a wide spectrum of views to identify what risks are in danger of being ignored and where there might be possible gaps in assurance. Nick Watson, commercial partner specializing in risk management at Keystone Law in London, says organizations need a business continuity plan that is formed from the input of key stakeholders from strategic, operational, and support functions, as well as “relevant specialists.” He also says internal auditors need to think more broadly so that any business continuity plan captures both short- and long-term impacts, as well as “indirect” impacts — for example, those that will affect customers, markets, and supply chains.
More regular, robust testing is also a “must,” he says. “While a practical test designed around the immediate aftermath of a disruptive event — such as requiring office personnel to work remotely for 24 hours — will be an adequate assessment of the ability of an organization to respond to a trigger event and continue operating in the immediate future, it will not allow an organization to test the plan’s ability to support the business in the context of an enduring disruptive scenario such
Instead, he says, internal audit should push management to try out a more complex case study to see if it can make smart, tough decisions quickly, cooperate well, delegate appropriately, and communicate effectively. The case study should be monitored, and the monitor should chair breakout sessions where both the monitor and the participants evaluate their responses and actions. The outcomes of any such review need to be reflected in updates to the business continuity plan, which should be reviewed regularly, he says.
Nick Watson adds that to ensure the business continuity plan is fit for purpose, auditors need to understand what “fit for purpose” looks like. “You need to have defined that purpose clearly, designed a plan that is focused on that purpose, and then set the test up correctly in the first place.”
The New Business Continuity
There is no doubt that business continuity planning is a necessity, and that internal audit has a vital role to play. But it is also evident that the nature of business continuity management has changed: It is no longer tenable for organizations to “guess” which scenarios are most likely to impact them and then prepare for the worst. Organizations need to be resilient to withstand any kind of sudden — and long-standing — shock, and internal audit has a crucial part to play in making that happen.