Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

​The Extraordinary Risk of Business Continuity Interruption

Comments Views

​There are few things that capture the public's attention faster than widespread flight delays. Ask Delta Air Lines and British Airways. This summer the two venerable carriers were tested when unexpected technical glitches grounded flights and delayed customer check ins.

In Delta's case, 2,300 flights were cancelled over three days in early August when equipment failures and a subsequent power outage darkened computer terminals at its Atlanta headquarters. All Delta flights were grounded for a time until power was restored.

An IT glitch was blamed for British Airways' kiosk check-in systems shutting down worldwide over part of the long U.S. Labor Day weekend. Gate agents had to manually check in customers, causing extensive flight delays. The social media universe exploded with snarky comments and photos of unhappy travelers camped out in long queues in airports from London to San Francisco. Two of the more creative Twitter hashtags were #TechTakesAHoliday and #goodolpenandpaper.

While the fallout from the British Airways tech hiccup remains to be seen, the impact of Delta's woes clearly reflect how costly such business disruptions can be. The airline recently revised its 3Q earnings forecast downward, reflecting a drop in revenue of about US$100 million.

These incidents offer textbook examples of the need for organizations to develop and maintain disaster recovery or business continuity plans. The good news is that most organizations do. A 2014 study by Forrester Research and Disaster Recovery Journal found 93 percent of organizations had documented business continuity plans. That is up from 77 percent in 2008.

The survey also found:

  • Most business continuity plans are well-funded, with about a third expecting increased budgets.
  • Most businesses conduct business impact analyses and risk assessments annually.

But not all the news is good. According to the Forrester/Disaster Recovery survey:

  • While risk assessments are routine, plan updates are rare. The percentage of plans continually updated has dropped from 26 percent in 2008 to 15 percent in 2014.
  • Just 52 percent of plans are scenario specific.
  • Plans are rarely tested more than once a year.
  • Fewer than 6 in 10 third-party business partners participate in plan tests.

From an internal audit perspective, CAEs can support business continuity by helping the C-suite understand risks, as well as the options created by effective business continuity management (BCM). The value of such management cannot be overstated. Good BCM enables organizations to overcome work stoppages as quickly as possible while maintaining recovery capabilities, restoring resources, managing supplies, and aligning with emergency management processes.

The IIA's Global Technology Audit Guide (GTAG) 10: Business Continuity Management offers in-depth direction on internal audit's role in BCM.

Additionally, one must consider the potential for reputational harm that poorly managed business disruptions create. A key part to the response by Delta and British Airways was to communicate quickly and honestly with customers about the disruptions. By keeping customers informed through traditional and social media, customer expectations were managed, which helped limit the damage.

Indeed, the airline industry offers a good example of how to mitigate reputational risks associated with business disruption. Typically, airlines deal with weather-related cancellations every year, from those caused by typhoons in the South Pacific to blizzards in the busy U.S. northeast corridor. The experience gained by these annual exercises in transparency and customer outreach are especially valuable when unanticipated business disruptions occur.

As always, I welcome your comments.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.

 

 

Comment on this blog post

comments powered by Disqus
  • GEICO_September 2019_Blog 1
  • IIA AEC_Spetember 2019_Blog 2
  • IIA Training_September 2019_Blog 3