Disruptions caused by COVID-19 have reminded organizations of the need for a comprehensive and up-to-date continuity plan. And disruptions aren’t limited to 100-year events. There are numerous recurring and localized circumstances that can impact the operations of a business, including severe weather, utility and telecom outages, and the growing number of cybersecurity threats.
Internal audit can play a crucial role in helping to discover business continuity plan weaknesses and assist in providing guidance to revise and upgrade recovery strategies and plans to protect operations against future disruptions.
“Certainly, many organizations didn’t anticipate a global pandemic when they wrote their business continuity plans,” said Scott Peyton, a partner in Grant Thornton’s Internal Audit Cybersecurity practice. “But there also are localized events where the need for a strong business continuity plan comes into play.”
Added Vik Rai, director with Grant Thornton’s Internal Audit Cybersecurity practice: “You have to take a look at these massive events and ask, ‘How are we really prepared for this?’ But you also have to take a look at some of those smaller events that could be right around the corner that have the potential to amplify into catastrophic events.”
Developing a sound business continuity plan involves four key steps:
- Identifying emerging threats and developing response methods
- Examining internal audit focus areas, including a thorough understanding of an organization’s operational objectives, risks and processes
- Assessing an organization’s current continuity program in terms of people, process and technology
- Integrating program enhancements to prepare for inevitable risks
“All of these factors have a direct impact on the way we operate, the way we behave, the way we respond, the way we come together,” Rai said. “What actions do we need to take as an organization to continue to not just survive but to be better prepared?”
Identifying and responding to threats
Under COVID, organizations have had to respond and adapt to a variety of challenges, including changing work environments, an increasingly competitive landscape, volatile financial markets, disrupted supply chains, internet glitches and a divided and political environment.
All these elements exposed out-of-date and untested incident response and business continuity plans.
“It always comes down to we have a business continuity plan, we have the recovery strategies, but we’ve not tested it because we don’t think it’s really necessary,” Rai said. “That’s a mistake.”
A strong plan contains the following elements:
- Good governance, including leadership, involved decision-making and appropriate escalation
- Up-to-date and well-tested public relations policies, with key issues decided in advance, and planned responses and media releases
- Crisis preparedness: updated plans integrated with change management that have been rehearsed and tested
- Quantifying risk and mitigation effectiveness that justifies investment
- Metrics and reporting that enable executives to make informed decisions on business continuity funding
Internal audit’s role