Internal audit can play a crucial role in helping to discover business continuity plan weaknesses and assist in providing guidance to revise and upgrade recovery strategies and plans to protect operations against future disruptions.
Developing a sound business continuity plan involves four key steps:
- identifying emerging threats and developing response methods
- examining internal audit focus areas, including a thorough understanding of an organization’s operational objectives, risks, and processes
- assessing an organization’s current continuity program in terms of people, process, and technology
- integrating program enhancements to prepare for inevitable risks
Identifying and responding to threats
During the COVID-19 pandemic, organizations have had to respond and adapt to a variety of challenges, including changing work environments, an increasingly competitive landscape, volatile financial markets, disrupted supply chains, internet outages and a divided political environment. All of these elements exposed out-of-date and untested incident response and business continuity plans.
A strong plan contains the following elements:
- good governance, including leadership, involved decision-making and appropriate escalation
- up-to-date and well-tested public relations policies, with key issues decided in advance, and planned responses and media releases
- crisis preparedness: updated plans integrated with change management that have been rehearsed and tested
- quantifying risk and mitigation effectiveness that justifies investment
- metrics and reporting that enable executives to make informed decisions on business continuity funding
Internal audit’s role
Internal audit brings a thorough understanding of an organization, including its strategic goals and objectives, its risks and critical business operations, and the strategies and processes for recovery. That understanding makes it a significant contributor to business continuity management (BCM).
A sound BCM program should:
- align with strategic goals and objectives, including enterprise risk management (ERM), which identifies risks to strategic objectives and competitive opportunities
- identify critical business operations and processes, and develop safeguards that protect employees, customers, products, and services from disruptions
- develop response and recovery plans and incorporate proactive measures to mitigate disruptive events
- test and evaluate response and recovery capabilities
Internal audit also provides insight into management’s ability to manage and control risk, disaster recovery and crisis management. Its independence provides objectivity: it understands trends and behaviors, identifies areas for improvement and gives management transparency into how risks related to continuity and resiliency are being handled.
Business continuity risks frequently fall into these categories:
- people. An organization needs to address the risk of losing critical staff, and the risk in processes that depend on a third-party supplier.
- process. Organizational processes should align with ERM objectives, manage the risk of deviation from established processes, and be governed by a change management process.
- technology. An organization should define strategies for data protection and address the risk of insufficient redundancy in its telecommunications infrastructure.
As internal audit leaders look for guidance on how best to assess the strength and maturity of their organization’s business continuity program against the inevitable risk of business disruption, they can look to standard frameworks for business continuity management and choose the standards that best align with their industry.
The Federal Financial Institutions Examination Council (FFIEC) offers a BCM handbook; the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) publish the security and resilience standard for business continuity management systems (ISO 22301); and the National Institute of Standards and Technology (NIST) offers a contingency planning guide for information systems (SP 800-34). An organization may combine these standards to best align with its operations. These frameworks have become particularly useful in addressing cybersecurity threats, which have grown steadily over the years.
A 360-degree view of risk
While business continuity planning is designed to anticipate future risk, it is also valuable to examine the past to identify events and incidents that disrupted operations, from power outages and cyber-attacks to severe weather.
Grant Thornton library articles: Business continuity plans go better with internal audit