No organisation can have complete control over the business environment in which it operates. Every organisation requires a fit-for-purpose continuity plan and arrangements to recover key business processes following a disaster. Such disasters are not restricted to fire, flood or other causes of property damage; they can also be caused by industrial action, sudden loss of key personnel, breakdown in key supplies (including loss of power), or malfunctions of hardware or software. Disruption can also take the form of cyber-attacks, an increasing area of concern for many organisations.
Historically, the risk of a critical incident did not feature on an organisation's risk register; the prevailing culture assumed that everybody would 'rise to the challenge' should such an event materialise. Today, however, the risk of a critical incident features on most organisations' risk registers, from global banks to small charities.
For the purposes of this piece of technical guidance, we will cover traditional business continuity incidents such as power outage, flood, fire and snow.
What is business continuity planning?
The continuity planning process
Internal audit's role in business continuity planning
Other roles of internal audit
Internal audit and its own BCP
Other related Standards
Business continuity planning is an aspect of organisational and operational security, and it is therefore the responsibility of management to ensure that adequate arrangements are in place. Business continuity planning is often also called crisis management, contingency planning or business continuity management.
Business continuity planning involves having plans and procedures in place that enable the recovery of key business processes following a disaster or incident. The overall objective of a business continuity plan (BCP) is to maintain the integrity of an organisation's data, operational services and other facilities and, if necessary, to provide a temporary or restricted service until normal service can be resumed.
To be successful, an effective BCP will rely upon a range of skills as well as an understanding of many factors:
It is essential that the right resources are available to keep critical functions going after an event. This includes having sufficient people with the required expertise, skills and experience and, importantly, the motivation to lead and manage the organisation through the difficult period, including, where applicable, managing messages and communication with the media. The BCP will need to cover key areas such as access to key records, reliable means of communicating with staff and others, procuring the goods and services required to keep disruption to a minimum, and the ability to provide welfare and accommodation for employees as well as to carry on paying them.
One of the key factors to consider when discussing business continuity planning is the need to regularly review and test the plan. Organisations evolve or diversify, so the plan must be checked to ensure that it remains fit for purpose at any point in time.
One of the key lessons from the 9/11 attacks was that the assumption that, in the event of an incident or disaster, organisations can immediately revert to manual processes may be flawed. Therefore, when creating and testing the BCP, it is essential that all potential options to enable the business to operate after an incident are considered.
Producing a comprehensive plan requires a range of skills, because of the large number of questions that will need to be considered during the process. The overall process should be treated as a project and broken down into stages, which may include:
Ensuring that senior management are engaged in raising awareness of the risks in place, and how these are being mitigated.
The business needs to assign an overall owner for the BCP. Usually, in the event that the plan has to be invoked, the owner of the plan will take initial responsibility for ensuring that all key stakeholders understand their responsibilities, that key groups are in place and that key messages are communicated both internally and externally.
A business impact review examines each business system to identify the business impacts should that system cease to function, and as a result establishes its criticality to the business. This review may also identify any obvious areas where controls might be improved to reduce the likelihood of a disaster occurring. Impacts are often classified as either hard or soft.
Hard impacts will include:
Soft impacts will include:
This stage involves identifying and considering potential recovery options for each system that is to be covered by the plan. Remember that 'recovery' in an incident scenario is not about restoring all systems to a fully operational state, but rather about restoring sufficient systems to enable the business to operate in an incident or disaster scenario.
During this stage, detailed BCPs will be developed and risk reduction measures put in place. In addition, a management framework for maintaining and periodically testing the plan should be established.
There is an ongoing need to raise awareness of business risk, of the policies for business continuity and of the BCP itself, including employees' roles and responsibilities. Personnel must know practical details such as whom to contact in an emergency and where to go. The plan itself must be tested periodically, as discussed throughout this document.
There are three aspects to internal audit's involvement in business continuity:
Internal audit provides independent and objective assurance. It would therefore be expected that internal audit would review the adequacy of the current continuity arrangements, in particular where management have identified the area as one of high risk to the organisation. Internal audit may undertake the review through observation, i.e. by attending a test of the BCP and observing whether or not the delivery of the plan is 'fit for purpose', thereby enabling it to provide independent and objective assurance to the board and audit committee.
An internal audit review in this area may include a review of whether:
Internal audit, whilst not responsible for the preparation of the BCP, can, in its consulting role, advise management on the plan's content headings and outline and on the associated risks. For example, it should encourage management to move away from focusing the plan solely on IT-related issues and to ensure that there is adequate focus on the recovery of all business processes.
In their consulting role, internal auditors can add further value by undertaking the roles of observer and evaluator, assisting management to assess the feasibility of the plan and making suggestions to improve the plan or subsequent versions of it.
The internal audit department itself is required to participate in the organisational approach to contingency planning and to consider the risks to its own activities: identifying its key business processes and their timescales for recovery, and designing procedures to protect audit files and working papers.
The BCP for internal audit should be based upon a controlled resumption of the internal audit service as space and equipment become available and as the business returns to full operation. In the short term, it may be appropriate to release staff to the business to assist in operational activities during the intervening period, or to carry out special reviews to ensure that any revised procedures introduced during the emergency still provide an adequate degree of operational control.
In the United Kingdom, the Civil Contingencies Act 2004 is split into two parts: Part 1 addresses local arrangements for civil protection, and Part 2 concerns the conditions and scope of the necessary emergency powers. The Act requires local authorities to have in place contingency plans, emergency planning and business continuity plans, and also to provide assistance to businesses in relation to business continuity management.
There is, of course, also a legal requirement under the Companies Act (2006) and the Charities Act (2016) for directors and trustees, respectively, to safeguard the organisation's personnel and assets.
The International Standards Organisation (ISO) published an International Standard in June 2012 (ISO 22301) addressing business continuity management, in order to assist organisations in becoming more resilient. ISO 22301 is designed to provide a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve business continuity management systems. ISO 22313 was also introduced to provide guidance, where appropriate.
Businesses must have plans in place to cope with disasters or incidents, which often arise with little warning, and must be in a position to activate those plans quickly. Whilst it is recognised that there are significant costs in developing a business continuity plan, it should be considered a key requirement of any organisation.
An effective plan ensures that the essential business activities of the organisation are able to continue, or to restart, in the event of a disaster or other unforeseen event with a minimum of fuss.
To be effective, the plan must address a number of issues, and the organisation must have a clear strategy aimed at ensuring that systems can continue to run with the minimum of disruption, or (in the case of technology) can be recovered from backups, and be operating again within an acceptable timeframe.