
Business continuity planning

No organisation can have complete control over the business environment in which it operates. Every organisation requires a fit-for-purpose continuity plan and arrangements to recover key business processes following a disaster. Such disasters are not restricted to fire, flood or other causes of property damage; they can also be caused by industrial action, sudden loss of key personnel, breakdown in key supplies (including loss of power), or malfunctions of hardware or software. Disruption can also take the form of cyber-attacks, an increasing area of concern for many organisations.

Historically, the risk of a critical incident did not feature on an organisation's risk register; there was a culture where there was an assumption that everybody would 'rise to the challenge' should such an event materialise. Today, however, the risk of a critical incident features on most organisations' risk registers, ranging from global banks to small charities.

For the purpose of this piece of technical guidance we will cover traditional business continuity incidents such as power outage, flood, fire and snow.

What is business continuity planning?
The continuity planning process
Internal audit's role in business continuity planning
Other roles of internal audit
Internal audit and its own BCP
Relevant legislation
Other related Standards
Conclusion


What is business continuity planning?

Business continuity planning is an aspect of organisational and operational security, and it is therefore the responsibility of management to ensure that adequate arrangements are in place. Business continuity planning is often also called crisis management, contingency planning or business continuity management.

Business continuity planning involves having plans and procedures in place that enable the recovery of key business processes following a disaster or incident. The overall objective of a Business continuity plan (BCP) is to maintain the integrity of an organisation’s data, operational service and other facilities and, if necessary, provide a temporary or restricted service until normal service can be resumed.

To be successful, an effective BCP will rely upon a range of skills as well as an understanding of many factors:

  • the business environment and its objectives and strategies
  • the full range of risks that may face the business and the most effective options for managing those risks, and
  • the people, communications and other support services on which the organisation relies.

It is essential that the right resources are available to keep critical functions going after an event. This includes having sufficient people with the required expertise, skills and experience, and importantly the motivation to lead and manage the organisation through the difficult period, including, for example, being able to manage messages and communication with the media, where this is applicable. The BCP will need to cover key areas such as: access to key records, reliable means of communicating with staff and others, procuring goods and services required to ensure disruption is kept to a minimum and the ability to provide welfare and accommodation for employees as well as being able to carry on paying them. 


The continuity planning process  

One of the key factors to consider when discussing business continuity planning is the need to regularly review and test the plan. Organisations evolve or diversify, so the plan must be kept fit for purpose at any point in time.

One of the key lessons from the 9/11 attacks was that the assumption that, in the event of an incident or disaster, organisations can immediately revert to manual processes may be flawed. Therefore, when creating and testing the BCP, it is essential that all potential options to enable the business to operate after an incident are considered.

To produce a comprehensive plan requires a range of skills due to the large number of questions that will need to be considered during the process. The overall process should be considered a project and broken down into stages which may include:

1. Raising awareness

Ensuring that senior management are engaged in raising awareness of the risks in place, and how these are being mitigated.

2. Ownership

The business needs to assign an overall owner for the BCP. In the event that the plan has to be invoked, the owner of the plan will usually take initial responsibility for ensuring that all key stakeholders understand their responsibilities, that key groups are in place, and that key messages are communicated both internally and externally.

3. Business impact review

Such a review examines each business system to identify the business impacts should that system cease to function, and as a result establish the criticality to the business. This review may also identify any obvious areas where controls might be improved to reduce the likelihood of a disaster occurring. Impacts are often classified as either hard or soft.

Hard impacts will include:

  • Financial loss which may arise through the loss of an asset either by destruction or the cost of repairing any damage to it or replacing it.
  • Increased operating costs arising from the need for staff to work overtime, the hiring of additional staff or renting additional accommodation.
  • Financial penalties that may arise as a result of breach of contract through the inability to maintain agreed service levels, or, dependent on the business sector in which the organisation operates, statutory fines.

Soft impacts will include:

  • Loss of reputation
  • Personal safety
  • Operational capability
  • Morale and psychological impact

4. Recovery options

This involves identifying and considering potential recovery options for each system that is to be covered by the plan. Remember that ‘recovery’ in an incident scenario isn’t about restoring all systems to a fully operational state but rather restoring sufficient systems to enable the business to operate in an ‘incident/disaster’ scenario.

5. Development

During this stage, detailed BCPs will be developed and risk reduction measures put in place. In addition, a management framework for maintaining and periodically testing the plan should be established.

6. Awareness and testing

There is an ongoing need to raise awareness of business risk as well as of the policies for business continuity and of the BCP itself, including employees’ roles and responsibilities. Personnel must know practical details such as whom to contact in an emergency and where to go. The plan itself must be tested periodically, as discussed throughout this document. 


Internal audit’s role in business continuity planning

There are three aspects to internal audit's involvement in business continuity: 

  1. The primary role of internal audit in the area of business continuity planning.
  2. Other roles undertaken by internal audit in the area of business continuity planning.
  3. Business continuity planning for the internal audit department itself. 

The primary role of internal audit

Internal audit provides independent and objective assurance. It would therefore be expected that internal audit would perform a review of the adequacy of the current continuity arrangements, in particular where management have identified the area as being one of high risk to the organisation. Internal audit may undertake the review through observation, i.e. attending a test of the BCP and observing whether or not the delivery of the plan is ‘fit for purpose’, thereby enabling them to provide independent and objective assurance to the board and audit committee.

An internal audit review in this area may include a review of whether: 

  • Appropriate consideration has been given to devise, document, maintain and communicate effective business continuity.
  • There are adequately documented, maintained and communicated processes, policies, standards and service level agreements in place.
  • Business disruption is kept to a minimum in the event that a function or activity is rendered inoperative.
  • Testing of the business continuity arrangements has been considered, including requirements for working from home, using any remote sites and testing the communication channels.
  • Staff awareness of the business continuity plan has been considered.
  • Appropriate definition of critical services and business approval of recovery time objectives (RTOs) and recovery point objectives (RPOs) have been considered.
  • Defined business continuity invocation criteria and procedures with defined roles and responsibilities of the incident/crisis management team have been considered.
  • The organisation’s operations, personnel needs and client service requirements are considered in the overall business continuity process.
  • Sufficient business continuity management awareness training has been devised for staff in order that they can discharge their duties during a disruptive event and understand their responsibility to alert management to potential business disruption, risk exposure or threats.

Other roles of internal audit

Internal audit, whilst not responsible for the preparation of the BCP, can, in their consulting role, advise management on its content headings and outline, and associated risks. For example, they should encourage management to move away from focusing the plan solely around IT-related issues and ensure that there is adequate focus on the recovery of all business processes.

In their consulting role, internal auditors can add further value by undertaking the roles of observer and evaluator, assisting management to assess the feasibility of the plan and making suggestions to improve the plan or subsequent versions of it. 


Internal audit and its own BCP

The internal audit department itself is required to participate in the organisational approach to contingency planning and to consider the risks to its own activities, identifying key business processes and their time-scales for recovery, and designing procedures to protect audit files and working papers.

The BCP for internal audit should be based upon developing a controlled resumption of the internal audit service as space and equipment becomes available, and as the business returns to full operation. In the short term, it may be appropriate to release staff to the business to assist in operational activities during the intervening period or to carry out special reviews to ensure that any revised procedures introduced during the emergency still provide an adequate degree of operational control. 


Relevant legislation

In the United Kingdom, the Civil Contingencies Act 2004 is split into two parts: Part 1 addresses local arrangements for civil protection, and Part 2 concerns the conditions and scope of the necessary emergency powers. The Act requires local authorities to have in place contingency plans, emergency planning and business continuity plans, and also to provide assistance to businesses in relation to business continuity management.

There is of course also a legal requirement under the Companies Act (2006) and Charities Act (2016) for Directors and Trustees, respectively, to safeguard the organisation’s personnel and assets. 


Other related Standards

The International Standards Organisation (ISO) published an International Standard in June 2012 (ISO 22301) addressing business continuity management in order to assist organisations in becoming more resilient. ISO 22301 is designed to provide a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve business continuity management systems. ISO 22313 was also introduced to provide guidance, where appropriate.


Conclusion

Businesses must have plans in place to cope with disasters or incidents that may arise, often with little warning, and be in a position to activate those plans quickly. Whilst it is recognised that there are significant costs in developing a business continuity plan, it should be considered a key requirement of any organisation.

An effective plan ensures that the essential business activities of the organisation are able to continue or restart in the event of a disaster or other unforeseen events with a minimum of fuss.

To be effective, the plan must address a number of issues, and the organisation must have a clear strategy aimed at ensuring that systems can continue to run with the minimum of disruption or be recovered from backups (in the case of technology), and can be operating again within an acceptable timeframe.


Further reading

Supplementary guidance

Business Continuity Management

GTAG10 Business Continuity 

Blog

Richard Chambers – The Extraordinary Risk of Business Continuity Interruption

External resources

Business Continuity Institute 

The British Standards Institute

Content reviewed: 28 March 2017