Business continuity plans go better with internal audit

Disruptions caused by COVID-19 have reminded organizations of the need for a comprehensive and up-to-date continuity plan. And disruptions aren’t limited to 100-year events. There are numerous recurring and localized circumstances that can impact the operations of a business, including severe weather, utility and telecom outages, and the growing number of cybersecurity threats.

Internal audit can play a crucial role in discovering business continuity plan weaknesses and in guiding the revision and upgrade of recovery strategies and plans so that operations are protected against future disruptions.

“Certainly, many organizations didn’t anticipate a global pandemic when they wrote their business continuity plans,” said Scott Peyton, a partner in Grant Thornton’s Internal Audit Cybersecurity practice. “But there also are localized events where the need for a strong business continuity plan comes into play.”

Added Vik Rai, director with Grant Thornton’s Internal Audit Cybersecurity practice: “You have to take a look at these massive events and ask, ‘How are we really prepared for this?’ But you also have to take a look at some of those smaller events that could be right around the corner that have the potential to amplify into catastrophic events.”

Developing a sound business continuity plan involves four key steps:

  • Identifying emerging threats and developing response methods
  • Examining internal audit focus areas, including a thorough understanding of an organization’s operational objectives, risks and processes
  • Assessing an organization’s current continuity program in terms of people, process and technology
  • Integrating program enhancements to prepare for inevitable risks

“All of these factors have a direct impact on the way we operate, the way we behave, the way we respond, the way we come together,” Rai said. “What actions do we need to take as an organization to continue not just to survive but to be better prepared?”

Identifying and responding to threats
Under COVID, organizations have had to respond and adapt to a variety of challenges, including changing work environments, an increasingly competitive landscape, volatile financial markets, disrupted supply chains, internet outages and a divided political environment.

All these elements exposed out-of-date and untested incident response and business continuity plans.

“It always comes down to we have a business continuity plan, we have the recovery strategies, but we’ve not tested it because we don’t think it’s really necessary,” Rai said. “That’s a mistake.”

A strong plan contains the following elements:

  • Good governance, including leadership, involved decision-making and appropriate escalation
  • Up-to-date and well-tested public relations policies, with key issues decided in advance, and planned responses and media releases
  • Crisis preparedness: updated plans integrated with change management that have been rehearsed and tested
  • Quantifying risk and mitigation effectiveness that justifies investment
  • Metrics and reporting that enable executives to make informed decisions on business continuity funding

Internal audit’s role
Internal audit brings a thorough understanding of an organization, including its strategic goals and objectives, its risks and critical business operations, and its strategies and processes for recovery. That understanding lets it contribute substantially to business continuity management (BCM).

“Internal audit leaders can play a critical role by providing insights and challenging traditional assumptions in their organization’s business continuity, disaster recovery and crisis management programs,” Peyton said.

A sound BCM program should:

  • Align with strategic goals and objectives, including enterprise risk management (ERM), which identifies risks to strategic objectives and competitive opportunities
  • Identify critical business operations and processes, and develop safeguards for employees, customers, products and services from disruptions
  • Develop response and recovery plans and incorporate proactive measures to mitigate disruptive events
  • Test and evaluate response and recovery capabilities

“A well-designed BCM program aligned to your business objectives helps you define a recovery strategy that is critical to your business operations and allows you to quickly respond and recover from an event,” Rai said.

Internal audit also provides insight into management’s ability to manage and control risk, disaster recovery and crisis management. Its independence gives it objectivity: it understands trends and behaviors, identifies areas for improvement and gives management transparency into how risks to continuity and resiliency are being handled.

“It really comes down to the internal audit team helping connect the dots and enabling management to make decisions that strengthen the overall BCM program maturity,” Rai said.

Business continuity risks frequently fall into these categories:

  • People. An organization needs to address the risk of losing critical staff, and the risk in processes that depend on a third-party supplier.
  • Process. Organizational processes should align with ERM objectives, manage the risk of deviation from consistent, documented procedures, and be governed by a change management process.
  • Technology. An organization should define its data protection strategy and ensure high levels of redundancy in its telecommunications infrastructure.

Authoritative frameworks
As internal audit leaders look for guidance on how best to assess the strength and maturity of their organization’s business continuity program against the inevitable risk of disruption, they can look to standard frameworks for business continuity management and choose the ones that best align with their industry.

The Federal Financial Institutions Examination Council (FFIEC) publishes a Business Continuity Management booklet in its IT Examination Handbook; the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) publish security and resilience standards for BCM, notably ISO 22301 for business continuity management systems and ISO/IEC 27031 for ICT readiness for business continuity; and the National Institute of Standards and Technology (NIST) publishes Special Publication 800-34, a contingency planning guide for information systems. An organization may combine these standards to best align with its operations.

“Being able to tie the risks into the frameworks, then look at the technical capability elements is one way to strengthen your business continuity program,” Rai said.

These frameworks are particularly useful for addressing cybersecurity threats, which have grown steadily in number and severity over the years.

A 360-degree view of risk
While business continuity planning is designed to anticipate future risk, it also can be valuable to examine the past to identify events and incidents that disrupted operations, from power outages and cyber-attacks to severe weather.

“When you take a step back and look at all the events that have materialized over the last 100 years, you’ll see that almost every 10 years there is a wide-scale event that causes us to say, ‘How are we really preparing for this? And do we have a plan?’” Rai said. “Being able to look back and look forward certainly goes a long way in making sure that you have a strong, built-in program that you’re fully aware of and confident about.”


Scott Peyton
Internal Audit Cybersecurity Practice
T +1 303 813 3971

Vikrant Rai
Internal Audit Cybersecurity Practice
T +1 212 624 5212