Based on the perspectives of top risk management professionals, OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk offers a detailed look at how risk management can help organizations identify key risks and plan effective responses. The report identifies the top 11 risks likely to impact organizations in 2020.
Risk #4: Business Continuity / Crisis Response
How do organizations respond to “…challenges, from cyber breaches and natural disasters to reputational scandals and succession planning. This risk examines organizations’ abilities to prepare, react, respond, and recover.”
Even before the outbreak of COVID-19, an organization’s ability to prepare for, react to, respond to and recover from a crisis was identified as a key risk that will be increasingly relevant going forward. Now, in the face of all the challenges arising from the pandemic, those responsible for their organization’s Risk Management function are likely to agree.
When asked whether their organization had the knowledge and capability to address a disaster, board members and management often shared the perception that their organizations were limited in this area. At the same time, CAEs expressed more confidence about their organization’s knowledge and capability. This disparity suggests there is an opportunity for Internal Audit to provide insight into organizational capabilities that may not be visible to their board or management team.
Assessing the organization’s Business Continuity / Crisis Response capabilities against a defined framework can help align these perceptions. One framework that incorporates best practice guidance and organizational operational objectives in the event of a disaster is the National Institute of Standards and Technology (NIST) Contingency Planning Guide.
Internal Audit should assess the organization’s response capability across all components of a recovery plan including:
- Human capital. The people within your employee workforce who possess the skills, knowledge, and experience to continue the operations of your organization.
- Facilities. The physical locations required to operate your business.
- IT assets. The IT asset infrastructure and services required to support the business operations, including overlooked assets like email and telephony communications.
The assessment should include every phase of an event:
- Incident management. The immediate response within an organization to address the disaster and resume critical functions after the occurrence of a disastrous incident.
- Disaster recovery. The process of returning to a state of minimum functionality after a disastrous incident.
- Business resumption. Resuming full operational capacity following a disastrous incident.
Individual components and phases should have specific activities associated with their response.
Each item is interrelated and supports the organization’s progress, from the occurrence of a disaster to maintaining minimum functionality to reduced operations and ultimately returning to complete operational capacity. This is outlined in the graphic below:
As audit teams review organizational capability around Business Continuity / Crisis Response, it may be tempting to focus on the organization’s response to the recent COVID-19 crisis. Internal Audit should ensure that the scope is inclusive of all response activities for crises applicable to the organization. The response requirements for a pandemic may differ significantly from the response to a facility fire or a geographic flood. Because we now know we can’t exclude the possibility of a pandemic, consider including the policy template for Pandemic Preparedness that SANS provides in the organization’s holistic Business Continuity Planning.
Weaver is here to assist you in understanding and assessing your organization’s ability to respond to crises and manage business continuity. Contact us with questions or concerns about how your organization can evaluate its knowledge, capability and preparedness for crisis response and business interruptions.
Authored by Morgan Page, CIA.