Corporate Compliance Insights

The Growing Need for Business Continuity Audits

As Risks and Uncertainties Mount, These Audits are Crucial

by Matthew Watson
November 5, 2020
in Featured, Internal Audit

COVID-19 has revealed the importance of having an effective business continuity plan. Protiviti’s Matthew Watson discusses the role internal audit should play in escalating and prioritizing business continuity audits given the realities and uncertainties in today’s business environment.

With so many uncertainties as we head into 2021 – the wait for an effective COVID-19 vaccine, macroeconomic and geopolitical concerns, increased technology outages and cybersecurity risks to name a few – business continuity programs have taken on new urgency. Business leaders, who continuously rate operational resilience and business continuity risk at the top of their biggest concerns, are approaching the new year intensely focused on understanding the critical and potential new risks that could disrupt the already fragile business environment. As noted in Protiviti’s latest Guide to Business Continuity & Resilience, the pandemic’s widespread impact has forced organizations to revisit business continuity plans (BCPs) and explore effective ways to embed BCP practices in day-to-day operations.

With regulators increasingly demanding that companies demonstrate greater resilience, there is a growing need for internal audit to play a bigger role in providing assurance that the governance, risk management and controls that are in place to mitigate risks and enhance resilience capabilities are adequate. This changing dynamic provides an opportunity for internal audit to develop a flexible and comprehensive approach that can be incorporated into existing business continuity and IT audits.

The Business Continuity Audit Process

Business continuity audits should be escalated and prioritized on the 2021 audit calendar – if they haven’t been already – to assess the design and operational effectiveness of the business continuity management (BCM) program and its four life cycle phases: business assessment, strategy design, implementation and quality assurance.

Business Assessment

As part of this process, audit should review the current state of the BCM program and how its foundational elements – including governance, continuity risk assessment activities and business impact analysis (BIA) – are executed. The results of the continuity risk assessment and BIA will drive the definition and development of recovery strategies and solutions. Core business processes and IT applications/systems should be assessed from an overall enterprise impact perspective during the continuity risk assessment and BIA activities. Also, senior management should use the results to measure and manage enterprise-wide risk.

Strategy Design

Assessing strategy design involves a review of crisis management, business resumption and IT disaster recovery strategies. These are essentially the strategies organizations implement to minimize or mitigate the risk of a business disruption. The objective of the audit is to determine whether the strategies are sufficiently defined to communicate and respond to events and recover critical business processes and technology in a timely manner.

Implementation

Organizations should also review how BCM strategies are formalized into documented crisis management, business resumption and IT disaster recovery plans. In this exercise, audit will assess plan content and structure while determining whether the appropriate roles and responsibilities are outlined in the plans and will validate that key individuals have an actionable set of activities they would execute in the event of a business disruption.

Quality Assurance

The quality assurance phase is designed to assess how and whether crisis management, business resumption and IT disaster recovery plans have been properly tested. In an ideal case, plan tests are primarily measured by an expected recovery capability. Sometimes, simulations are developed using probable risks identified in a risk assessment. The main objective of a testing program is to verify the contents of the recovery plans and offer reasonable assurance that the plans will provide the ability to successfully recover the business in a timely manner.

Internal audit should assess the design and execution of the testing program as well as determine whether plans are periodically reviewed and updated to reflect changes in the business over time and how those changes support the timely recovery of critical business processes and technology.

Understanding the Foundational Elements of BCM

As previously mentioned, it is important that business leaders have a strong understanding of the foundational elements of their BCM program (governance, continuity risk assessment and business impact analysis) to ensure that areas of potential weakness are quickly addressed. The internal audit function should be able to provide insights in these key areas.

Governance

A successful BCM program requires various levels of accountability and responsibility within an organization. While some organizations may ultimately decide to create a separate business function or unit to own the program, many choose to utilize existing resources and/or business function personnel. Still, as a matter of practice, it is recommended that BCM program ownership be maintained at an executive level within the organization so the program remains visible to decision-makers and influences enterprise adoption while supporting all aspects of a mature program.

Focusing on BCM governance as part of an internal audit is necessary to determine whether there is sufficient oversight and participation from those key individuals tasked with ensuring that the BCPs will facilitate the successful recovery of the business in a timely manner following a disruption. As an example, a review may reveal that a firm’s BCM efforts are led by middle management and executed without proper funding and sufficient resources. Consequently, this governance structure would explain why the firm’s existing continuity capabilities are reactive in nature.

Continuity Risk Assessment

In many firms, business and/or IT management have developed ad hoc recovery priorities based on perceived levels of importance. Failure scenarios and controls assessments are usually incomplete and measurement criteria have not been established. A continuity risk assessment is meant to drive continued enhancement of recovery strategies. Ideally, the execution and review of risk assessments are coordinated with organizational and technology change management or due diligence processes. A review of the continuity risk assessment process should focus on whether results of the assessment process are used to guide BCM program activities.

Business Impact Analysis

A type of risk assessment that serves as the foundation of a BCM program, the BIA enables organizations to capture and effectively measure the potential business impacts of a disruption (i.e., operational, reputation, financial, regulatory or compliance impacts). The objective of the BIA is to establish recovery priorities for business processes and the resources (e.g., technology, workspace, equipment, personnel and third parties) on which each of those processes relies. Audit should assess the BIA to determine whether the process includes sufficient detail to determine business interruption exposures, their impact and recovery requirements used to drive BCM strategy development and planning.

Conclusion

Business continuity planning requires developing playbooks that contemplate a variety of events or disasters that can impact a business and then outlining how organizations should respond during and/or after those events or disasters. It is a process that requires continuous improvement and vigilance. In this period of disruption and uncertainty, business leaders need a deep understanding of the BCM program and plans to recover business processes following a disruption.

However, the responsibility does not fall on management alone. BCM must be embedded in the organizational culture. Audit also has a role to play. As part of a business continuity assessment, internal audit can assess whether employees are clearly aware of their responsibilities in the event of an interruption and whether they are trained on executing the planned procedures to successfully recover business operations in a timely manner.


Tags: Business Continuity Planning
Matthew Watson

Matthew Watson is a Managing Director in Protiviti’s Technology Consulting practice and leads the Business Continuity Management practice within the Technology Strategy & Operations solution segment. He is a Certified Business Continuity Professional (CBCP) and has extensive experience helping clients solve challenging issues related to crisis management, business resumption, and IT disaster recovery. Prior to joining Protiviti, he served as a Communications and Computer Information Systems officer in the United States Air Force.
