An organisation does not have complete control over the business environment in which it operates. Every organisation requires a fit-for-purpose Business Continuity Plan (BCP) and Business Continuity Management (BCM) arrangements to recover key processes following a disaster. This is not restricted to fire, flood or other causes of property damage – BCP events can also be caused by industrial action, sudden loss of key personnel, breakdown in key supplies (including loss of power), cyber-security attack, or malfunctions of hardware or software. Organisations must consider their ability to ‘keep the lights on’ in the face of a variety of threats.
Cyber-attacks and data breaches continue to cost organisations billions of dollars annually despite being long recognised as key risks that most organisations are taking, or should be taking, steps to manage. It is therefore essential for organisations to be aware of business continuity vulnerabilities and to devise suitable plans and responses to the threats they represent. The most successful and sustainable organisations will be those that are best prepared for a whole spectrum of risks materialising.
This technical guidance covers traditional business continuity incidents, taking a business continuity, organisational resilience and crisis management perspective, including the likely implications and impacts. It also looks at the need to consider planning for the ‘when’ rather than the ‘what if’.
Considerations and topical impacts
Six point business continuity planning process
Internal audit's role in business continuity - pandemic scenario
Internal audit's role in business continuity - general
Other roles for internal audit
Internal audit's own BCP arrangements
“Business continuity (BC) is defined as the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.” (Source: ISO 22301)
Business continuity planning (BCP) is one aspect of organisational and operational sustainability, and it is therefore the responsibility of all levels of management to ensure that adequate arrangements are in place. BCP is also called crisis management, contingency planning or business continuity management (BCM). The terminology employed varies across organisations and between particular disciplines or specialisms.
The Business Continuity Institute defines “BCM as a holistic management process for identifying potential impacts from threats, and for developing response plans”. BCM aligns business continuity capabilities with risks. The aim of BCM is to enable any organisation to restore critical operational activities, manage communications, and minimise financial and other effects of a disaster, business disruption, or other major events.
Organisational resilience is the ability to anticipate, plan for, respond and adjust to incremental change and unexpected disruptions to endure, prosper and achieve organisational objectives.
Some factors to consider when developing a BCP are listed below. It is vital for an organisation to have a clear understanding of these factors, together with the skills and competence in each of these areas:
A clear understanding of these allows management to develop business continuity (BC) arrangements that are suitable for the needs of the organisation and to remain resilient in the event of a disaster.
It is essential that the right resources are available to keep critical functions going after an event. This includes having sufficient people with the required expertise, skills and experience, and importantly the motivation to lead and manage the organisation through the difficult period. It also includes, for example, being able to manage messages and communication with the media, customers, suppliers and the local community, where this is applicable.
An effective BCP will need to cover areas such as: access to key records, reliable means of communicating with staff and others, securing an alternative location to operate from, procuring goods and services required to ensure disruption is kept to a minimum and the ability to provide welfare and accommodation for employees as well as being able to carry on paying them.
Climate change is arguably the most acute challenge facing our planet during the 21st century. In 2020, the World Economic Forum’s Global Risks report identified that five of the top ten global risks relate to environmental issues such as flooding and pest diseases, with climate change high on the risk agenda in terms of impact and likelihood.
There are social as well as environmental effects caused by climate change, which can bring disruption to organisations and threaten the global economy. BCM seeks to manage wide-ranging internal and external threats and must now pay particular attention to those related to climate change to ensure these are managed effectively.
Each threat can have varying degrees of impact on key business processes, which could negatively affect compliance with regulations, personnel safety, protection of the environment, the ability to maintain operating standards and the organisation’s reputation. It has been reported by the Global Commission on the Economy that between now and 2100 (approximately), there could be potential financial losses from $4.2trn to $43trn, due to the impact of climate change.
The impacts of flooding and coastal change in the UK and Ireland are significant and anticipated to increase as a result of climate change. The Committee on Climate Change in its UK Climate Change Risk Assessment (2017 Synthesis Report) stated that there is a critical need for the development of stronger policies to tackle and manage risks including flooding and coastal change risks to communities, businesses and infrastructure; risks to health, wellbeing and productivity from high temperatures and risks to domestic and international food production and trade.
Climate change risk management needs to be incorporated into mainstream business management strategies, such as BCP and BCM and consider not only domestic impacts but those across the globe. If your organisation has a global footprint it is essential to understand legislation and regulations across the different territories as they impact climate change.
One of the biggest lessons to take from the pandemic is the importance of crisis preparedness and operational resiliency. BCPs are not simply about power outages. Did your organisation have plans in place for a major pandemic? Having now experienced the devastating impact of a global pandemic, a new precedent has been set in what is required of good BCP.
Many internal auditors will have noteworthy anecdotes about organisational preparedness, including one BCP that, in the event of a pandemic, directed staff to go to an allocated space in the car park. Being resilient as an organisation means being able to absorb impacts and adapt to survive and prosper. For example, Tesco found themselves on the front foot having undertaken a doomsday planning exercise back in 2016. The lessons from this helped them in the early weeks of the initial lockdown.
When assessing the adequacy of a BCP, internal auditors should consider the lessons from the pandemic. Planning should enable a relatively smooth transition away from the disruption, with agreed priorities and knowledge of the core operations needed to protect value and maintain operations.
The lessons associated with the mass ordering of PPE for instance are much wider than procurement processes. Continuity planning requires comprehensive understanding of the supply chain, its pinch points, alternative sources of supply, novel approaches that could be enacted in times of crisis etc.
Going forward, essential considerations are about flexible working anywhere: virtual technologies, adaptive tools for working in different ways and collaborative efforts such as supplier funds within an industry to maintain cash flow and protect critical partners/suppliers.
As a result of the pandemic, organisations should be reevaluating their continuity planning, undertaking meaningful scenario tests and putting BCP at the top of the agenda.
The pandemic demonstrated unprecedented reliance on technology, particularly cloud services, which organisations cannot be complacent about. What is the plan if the next crisis event takes out national infrastructure such as telecoms or electricity?
Supply chains were compelled to adapt to widespread disruption caused by Covid-19 in both supply and demand. Consequently, many of the changes with global impact are likely to become permanent, having accelerated emerging trends such as digitisation and automation. Further enforced change is likely in the coming years due to climate change, resource availability, trade agreements and geopolitical issues.
Typically, the more complex, lengthy or lean a supply chain, the greater the impact of a disruption. During the pandemic many supply chains were impacted, irrespective of region and reach. BCM arrangements need to be dynamic and practical. A plan is of little use if alternative options are out of date or it is based on theoretical assumptions not real-world situations.
Leveraging advanced technologies such as the Internet of Things, artificial intelligence, robotics, 5G, and Digital Supply Networks (DSNs) is intended to foresee and meet future challenges. Whether the challenge is a pandemic, terrorism, regulatory change, sudden spikes in demand, supplier bankruptcy or labour disputes, organisations that deploy DSNs will often be better prepared to deal with the unexpected, such as the pandemic or the impact of climate change.
The impact and challenge of the coronavirus pandemic has increased the need for organisations to ensure that their BCP is fit for purpose. Producing a comprehensive plan requires a range of skills and business understanding, due to the large number of questions that will need to be considered during the process. The overall process should be considered a project and can be broken down into a number of key stages such as:
Ensuring that senior management are engaged in raising awareness of the business-critical risks including those associated with climate change, cyber-security, supply chains and a pandemic, and how these are being identified, mitigated and reported.
The business needs to assign an overall owner for the BCP and BCM, who leads in the event that the plan has to be invoked. The owner of the plan takes initial responsibility for ensuring that all key stakeholders understand their responsibilities, that key groups are in place (with current contact details) and that key messages are communicated both internally and externally. The owner is responsible for ensuring appropriate governance over the organisation’s BCP and BCM activity. There will also need to be a group/committee that the owner reports into should it be necessary to invoke the BCP; it is likely that the group/committee will include the CEO and the CFO, as business decisions may need to be made quickly.
BIA is the process of evaluating an organisation’s activities and the impacts that may be caused by an event. It is the foundation of the entire BCM process. It comprises specific techniques and methods that help with risk assessment in situations where an impact (financial, structural, economic) could cause disruption to an organisation’s activities, such as the supply of key products and services (critical activities) or stakeholder goodwill. BIA is also used to determine the minimum levels of resources needed to restore critical operations at fixed times and to certain levels.
Conclusions from an impact analysis, together with the risk assessment covering disruption of the organisation’s critical activities are the basis for BCM strategies that identify options and ways to reinstate these critical operations at the desired time in case of disruption. The BIA should be reviewed at regular intervals or when there are significant changes in the organisation and the environment in which it operates. In some parts of the organisation that are subject to continual change or are highly critical functions, it may be that this is an agile process, embedded in business as usual – the supply chain for example.
A BIA may also identify any obvious areas where controls might be improved to reduce the likelihood of a disaster occurring. Impacts are often classified as either hard or soft.
Hard impacts will include:
Soft impacts will include:
Accurate risk assessments will need to consider a diverse range of existing, new and emerging business continuity threats. The pandemic clearly demonstrated the need to consider responses to remote likelihood risks and climate change is a good example of where scientific data is continually evolving the risk landscape.
This involves identifying and considering potential recovery options for each system, key process, staff group, supplier, service and product that is to be covered by the plan. This should include recovery options for disasters. It should be noted that ‘recovery’ in an incident scenario isn’t about restoring all systems to a fully operational situation, but rather restoring sufficient key IT systems and processes to enable the business to operate in an ‘incident/disaster’ scenario.
During this stage, detailed BCPs will be developed and risk reduction measures implemented. In addition, management should introduce an appropriate governance framework for maintaining and regularly testing the plan(s) to ensure these are fit for purpose, up to date and relevant. This is vital to ensure organisations are able to deal with unplanned challenges such as the pandemic, or with more common, less critical incidents.
There is an ongoing need to raise awareness of business continuity risk as well as the BCP, including employees’ roles and responsibilities. Personnel must know practical details such as whom to contact in an emergency and where to go. The plan itself must be tested periodically - perhaps every six months - and outcomes of tests should be reported, with owned, tracked action plans developed where improvements are required. There are many different ways of testing BCPs ranging from scenario planning, to desktop role plays and large-scale, physical exercises and drills. It is vital for organisations to continue to conduct scenario planning and test BCP to provide opportunities for improvements and to ensure the BCP is fit for purpose and suitable for the needs of the organisation.
Additionally, organisations should ensure that their plans are kept up to date to reflect changes in key processes. Complex risks increasingly result from third party contractors and a lack of business continuity preparedness. Think about just-in-time stock management, logistics and service provisions. Organisations cannot rely on contractual clauses requiring a third party to have a BCP; it is important to know that such plans can be relied upon if required.
Internal audit can review whether the business has carried out a post-mortem to determine how well it coped with the pandemic crisis and whether the business continuity or crisis response plans were fit for purpose, were followed and whether they require updating.
Internal audit may even choose to carry out an independent post-mortem of its own. This can help test the integrity of the conclusions drawn from the first line’s own assessments. The most mature approaches will go further than simply updating and adding global lockdown scenarios to BCPs.
True operational resiliency will require that businesses identify and map key people and business units, set impact tolerances and test response and recovery actions based on those tolerances.
Internal audit can highlight to the board any gaps in the maturity of the organisation’s approach to resiliency. Internal audit should seek evidence of the governance around crisis decision-making and the integrity of data and information reported to crisis committees.
The CAE may have a seat at the crisis committee in an advisory capacity to share views on how decisions might impact upon the business and its risk exposure. If this is the case, internal audit assurance will need to be mindful of perceptions around independence concerns given the CAE’s proximity to the crisis management decision-making body.
Internal audit can also check the preparedness of the company to communicate with customers, the public and the media swiftly and effectively in crisis situations. There should be evidence of clear responsibilities and reporting as it relates to crisis management and damage control in the public domain. Internal audit has a role to assess the adequacy of controls designed to ensure the appropriateness of interactions on social media, eg who can use these platforms, are they allowed to use their own name and what they are permitted to say.
There are three aspects to internal audit's involvement in business continuity:
It would be expected that internal audit could review the adequacy of the BCM arrangements where management have identified this as an area of risk to the organisation. Internal audit may undertake the review through observation, ie attending a test of the BCP (including relevant stress-testing exercises, such as those covering finance) and observing whether the delivery of the plan is ‘fit for purpose’, thereby enabling them to provide assurance to the board and audit committee.
The table below focuses on some common business continuity risks, providing example potential controls and mitigations to help the internal auditor plan and perform an internal audit engagement. It also includes some further questions to consider. Any internal audit programme should be developed based upon the organisation’s own circumstances, environment and priorities.
Risk: Failure to develop, manage and implement a robust business continuity plan and understand business requirements, resulting in the inability to continue to deliver core business functions in the event of a major incident such as the pandemic and climate change.
Example controls and mitigations:
Documented business continuity plans focusing on impact rather than cause are regularly reviewed, updated and available to all key stakeholders.
A thorough business impact analysis (BIA) sets out the recovery priorities, objectives and targets.
Assessments consider the peaks within the business cycle.
Example questions to consider:
Has appropriate consideration been given to devising, documenting, maintaining and communicating effective business continuity?
Are the BCP and BCM arrangements adequately documented, maintained and communicated?
Has a BIA been conducted? Does the BIA include activities that support the provision of services?
Does it assess the impacts over time of not performing these activities? Is the BIA relevant (was it done 4 years ago and never revisited)?
Has the organisation set a prioritised timeframe for resumption (at a specified minimum acceptable level), taking into consideration the time within which the impacts would become unacceptable?

Risk: Failure to communicate the business continuity plans effectively to all areas of the organisation, resulting in staff being unaware of their roles and responsibilities in the event of an incident.
Example controls and mitigations:
The business continuity governance structure is clearly defined and communicated to all staff.
Business continuity roles, responsibilities and accountabilities are defined and communicated to appropriate staff.
Business continuity policies and procedures are in place and have been communicated to appropriate staff.
Decision making is undertaken within the structures defined, by appropriate staff, and is documented.
Management trails of decisions made are retained.
Example questions to consider:
Has staff awareness of the BCP been considered, and has business continuity and its associated planning and management been included in staff induction or training?

Risk: Insufficient senior management buy-in leads to failure to effectively embed the business continuity framework.
Example controls and mitigations:
Business continuity policies are defined and approved by senior management.
The business continuity team is led by a sufficiently senior individual with clear reporting lines and escalation routes to senior management.
Senior management have dedicated sufficient resources to the delivery of the business continuity framework.
Example questions to consider:
Does the organisation have BC policies which have been approved by the board?
Have the organisation’s operations, personnel needs and client service requirements been considered in the overall business continuity and BCM arrangements?

Risk: Failure to test the business continuity plan adequately could result in potential weaknesses remaining unidentified, and a lack of preparedness in the event of an incident, including at third parties.
Example controls and mitigations:
The business continuity plan is tested on a regular basis, eg at least annually.
Lessons learned are captured, documented and acted upon to ensure that business continuity procedures can meet the recovery objectives.
Major incident lessons learned are robust (have ownership, accountability and sign-off, and include all appropriate stakeholders).
Example questions to consider:
Have changing regulatory or policy requirements been factored into the BCP as organisations strive to do business in the crisis environment?
Are the plans tested periodically and the outcomes documented?
Are there arrangements in place to update lessons learned from testing and exercises?

Risk: There are inappropriate arrangements for disaster recovery (DR), leading to failure to restore critical ICT systems and data, along with other key systems and processes, in the event of a major incident such as a cyber-attack.
Example controls and mitigations:
There is a DR plan in place. The plan should contain roles and responsibilities, incident response, plan activation and document history.
Third party vendors (where relevant) are included and consulted on the DR responsibilities and arrangements.
A full DR test is performed to ensure that all services can be recovered.
Example questions to consider:
Is the DR plan fit for purpose and tested periodically?
Additional questions internal auditors should consider, as identified in Risk in Focus 2021, include:
Internal audit, while not responsible for the preparation of the BCP and BCM, can, in its consulting role, advise management on their content, headings and outline, together with the associated risks. For example, we would recommend that management move away from focusing the plan solely around IT-related issues, ensure that there is adequate focus on the recovery of all business processes, and include an element of forward planning in BCPs. Horizon scanning is an important exercise as it enables organisations to independently assess emerging threats which may impact on business performance.
Internal audit can add value in a consulting role by undertaking the roles of observer and evaluator (critical friend/trusted advisor), assisting management to assess the feasibility of the plan and making suggestions for improvement.
The importance of BCP and the impact of environmental challenges such as climate change and the pandemic have resulted in internal audit conducting other activities, eg undertaking reviews in new areas of risk such as management’s response to the pandemic, return-to-office plans for staff (post-COVID-19), fraud prevention (including post-event assurance), supply chain risks and the continued impact of climate change.
Internal audit can add value by providing assurance on the effectiveness of controls that have been modified to accommodate remote working, and by performing focused internal audit testing on risks that are unique to, or most impacted by, the new and continually emerging risks in periods of high uncertainty. Doing this will provide the board and the audit committee with an independent view on an organisation’s BCP and BCM arrangements. Furthermore, whilst management is devoting all its resources to reacting to and managing the pandemic, internal audit has the opportunity to provide real-time assurance, report on the areas for improvement, and identify good practices and lessons learned as the crisis continues.
The internal audit department itself is required to participate in the organisation’s approach to contingency planning and to consider the risks to its own activities, identifying key business processes and their timescales for recovery, and designing procedures to protect audit files and working papers. BCP can impact internal audit in a variety of ways, from the nature of the work undertaken and supporting the organisation, through to the collection of evidence when working remotely. The internal audit risk register is instrumental in forming an appropriate BCP.
Internal audit’s BCP should be based upon developing a controlled resumption of the internal audit service as the business returns to full operation. In the short term, it may be appropriate to release staff to the business to assist in operational activities during the intervening period or to carry out special reviews to ensure that any revised procedures introduced during the emergency still provide an adequate degree of operational control.
In the United Kingdom, the Civil Contingencies Act 2004 is split into two parts: part 1 addresses local arrangements for civil protection and part 2 concerns the conditions and scope of the necessary emergency powers. The Act requires local authorities to have in place contingency plans, emergency planning and business continuity plans, and to aid businesses in relation to business continuity management. There are a number of publicly available plans which can be reviewed and factored into an organisation’s BCP arrangements, eg the National Risk Register (NRR). The NRR provides information on potential risks that could occur in the next few years and which could have a range of impacts on the UK. The NRR contains useful ideas that can be drawn upon by businesses to help them make informed decisions regarding the risks to plan for and their probable consequences.
There is a legal requirement under the Companies Act (2006) and Charities Act (2016) for Directors and Trustees, respectively, to safeguard the organisation’s personnel and assets. They are to ensure that assets and resources are only used to support or carry out the purposes of the organisation and avoid exposing the organisation’s assets, beneficiaries or reputation to undue risk.
Effective BCP provides organisations with the ability to absorb shocks caused by disruptive events and can help ensure the continuity of supply of their most vital business services.
Intrinsically, this is highly relevant to achieving the outcome of operational resilience. The Financial Conduct Authority expects firms to proactively identify, test and modify pertinent capabilities (such as people, processes, systems) which mitigate harm in the event of an incident. If there are gaps in BC arrangements, appropriate actions should be taken to reduce the impact of risks should they materialise. This should be part of the ongoing assessment of systems and controls to help organisations to be better prepared to respond and recover when events occur.
The International Standards Organisation (ISO) published an International Standard in June 2012 (ISO 22301), updated in late 2019 to reflect ongoing changes in business continuity, including international best practice to help organisations respond to, and recover from, disruptions effectively. ISO 22301 is designed to provide a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve business continuity management systems. ISO 22313 was also introduced to provide guidance, where appropriate.
Businesses must have plans in place to cope with disasters or incidents that may arise with little or no warning and be able to activate those plans quickly. While it is recognised that there are significant costs in developing a comprehensive and effective BCP, it should be a key requirement of any organisation.
To be effective, the plan must address a number of issues and the organisation must have a clear strategy aimed at ensuring that systems can continue to run with the minimum of disruption and restore business as usual within an agreed timeframe.
Organisations should compare, contrast and evaluate their current planning arrangements, factoring in horizon scanning and incorporating lessons learnt from crises such as the pandemic, climate change, cyber-attacks and financial instability, as well as looking to other organisations both inside and outside their sector.
Guidance | Crisis management - extreme events
Blog post | Business continuity and crisis planning
IIA Global Practice Guide | Business Continuity Management
IIA Global GTAG10 | Business Continuity