COVID-19 has revealed the importance of having an effective business continuity plan. Protiviti’s Matthew Watson discusses the role internal audit should play in escalating and prioritizing business continuity audits given the realities and uncertainties in today’s business environment.
With so many uncertainties as we head into 2021 – the wait for an effective COVID-19 vaccine, macroeconomic and geopolitical concerns, increased technology outages and cybersecurity risks to name a few – business continuity programs have taken on new urgency. Business leaders, who continuously rate operational resilience and business continuity risk at the top of their biggest concerns, are approaching the new year intensely focused on understanding the critical and potential new risks that could disrupt the already fragile business environment. As noted in Protiviti’s latest Guide to Business Continuity & Resilience, the pandemic’s widespread impact has forced organizations to revisit business continuity plans (BCPs) and explore effective ways to embed BCP practices in day-to-day operations.
With regulators increasingly demanding that companies demonstrate greater resilience, there is a growing need for internal audit to play a bigger role in providing assurance that the governance, risk management and controls that are in place to mitigate risks and enhance resilience capabilities are adequate. This changing dynamic provides an opportunity for internal audit to develop a flexible and comprehensive approach that can be incorporated into existing business continuity and IT audits.
The Business Continuity Audit Process
Business continuity audits should be escalated and prioritized on the 2021 audit calendar – if they haven’t been already – to assess the design and operational effectiveness of the business continuity management (BCM) program and its four life cycle phases: business assessment, strategy design, implementation and quality assurance.
As part of this process, audit should review the current state of the BCM program and how its foundational elements – including governance, continuity risk assessment activities and business impact analysis (BIA) – are executed. The results of the continuity risk assessment and BIA will drive the definition and development of recovery strategies and solutions. Core business processes and IT applications/systems should be assessed from an overall enterprise impact perspective during the continuity risk assessment and BIA activities. Also, senior management should use the results to measure and manage enterprise-wide risk.
Assessing strategy design involves a review of crisis management, business resumption and IT disaster recovery strategies. These are essentially the strategies organizations implement to minimize or mitigate the risk of a business disruption. The objective of the audit is to determine whether the strategies are sufficiently defined to communicate and respond to events and recover critical business processes and technology in a timely manner.
Organizations should also review how BCM strategies are formalized into documented crisis management, business resumption and IT disaster recovery plans. In this exercise, audit will assess plan content and structure while determining whether the appropriate roles and responsibilities are outlined in the plans and will validate that key individuals have an actionable set of activities they would execute in the event of a business disruption.
The quality assurance phase is designed to assess how and whether crisis management, business resumption and IT disaster recovery plans have been properly tested. Ideally, plan tests are measured against an expected recovery capability. Sometimes, simulations are developed using probable risks identified in a risk assessment. The main objective of a testing program is to verify the contents of the recovery plans and offer reasonable assurance that the plans will provide the ability to successfully recover the business in a timely manner.
Internal audit should assess the design and execution of the testing program as well as determine whether plans are periodically reviewed and updated to reflect changes in the business over time and how those changes support the timely recovery of critical business processes and technology.
Understanding the Foundational Elements of BCM
As previously mentioned, it is important that business leaders have a strong understanding of the foundational elements of their BCM program (governance, continuity risk assessment and business impact analysis) to ensure that areas of potential weakness are quickly addressed. The internal audit function should be able to provide insights in these key areas.
A successful BCM program requires various levels of accountability and responsibility within an organization. While some organizations may ultimately decide to create a separate business function or unit to own the program, many choose to utilize existing resources and/or business function personnel. Still, as a matter of practice, it is recommended that BCM program ownership be maintained at an executive level within the organization so the program remains visible to decision-makers and influences enterprise adoption while supporting all aspects of a mature program.
Focusing on BCM governance as part of an internal audit is necessary to determine whether there is sufficient oversight and participation from those key individuals tasked with ensuring that the BCPs will facilitate the successful recovery of the business in a timely manner following a disruption. As an example, a review may reveal that a firm’s BCM efforts are led by middle management and executed without proper funding and sufficient resources. Such a governance structure would explain why the firm’s existing continuity capabilities are reactive in nature.
Continuity Risk Assessment
In many firms, business and/or IT management have developed ad hoc recovery priorities based on perceived levels of importance. Failure scenarios and controls assessments are usually incomplete and measurement criteria have not been established. A continuity risk assessment is meant to drive continued enhancement of recovery strategies. Ideally, the execution and review of risk assessments are coordinated with organizational and technology change management or due diligence processes. A review of the continuity risk assessment process should focus on whether results of the assessment process are used to guide BCM program activities.
Business Impact Analysis
A type of risk assessment that serves as the foundation of a BCM program, the BIA enables organizations to capture and effectively measure the potential business impacts of a disruption (i.e., operational, reputation, financial, regulatory or compliance impacts). The objective of the BIA is to establish recovery priorities for business processes and the resources (e.g., technology, workspace, equipment, personnel and third parties) on which each of those processes relies. Audit should assess the BIA to determine whether the process includes sufficient detail to identify business interruption exposures, their impact and the recovery requirements used to drive BCM strategy development and planning.
Business continuity planning requires developing playbooks that contemplate a variety of events or disasters that can impact a business and then outlining how organizations should respond during and/or after those events or disasters. It is a process that requires continuous improvement and vigilance. In this period of disruption and uncertainty, business leaders need a deep understanding of the BCM program and plans to recover business processes following a disruption.
However, the responsibility does not fall on management alone. BCM must be embedded in the organizational culture. Audit also has a role to play. As part of a business continuity assessment, internal audit can assess whether employees are clearly aware of their responsibilities in the event of an interruption and whether they are trained on executing the planned procedures to successfully recover business operations in a timely manner.