Skip to main content


Preparing for Risk in a Changing Landscape: Business Continuity / Crisis Response

Executive Resource
Check out our resources to assess your organizational risk and how your business can prepare or recover from a crisis when tested.
December 22, 2021

 OnRisk – A Guide to Understanding, Aligning, and Optimizing Risk identifies and defines key risks, as perceived by boards, management, and chief audit executives (CAEs). The report discusses how the three key players in an organization’s risk management align (or misalign) in their view of these risks. It offers a detailed look at the greatest challenges for the upcoming year and how aligning risk management can increase success. The following article addresses one of the key risks identified in the second annual OnRisk report: Business Continuity / Crisis Response.

Having gone through an unpredicted global pandemic, an organization’s ability to prepare, react, respond and recover from a crisis was identified as a key risk that will be increasingly relevant going forward. In the face of all the challenges arising from the pandemic, those responsible for their organization’s Risk Management function are likely to agree.

When asked whether their organization had the knowledge and capability to address a disaster, board members and management often shared the perception that their organizations were limited in this area. At the same time, CAEs expressed more confidence about their organization’s knowledge and capability. This disparity suggests there is an opportunity for Internal Audit to provide insight into organizational capabilities that may not be visible to their board or management team.

Assessing the organization’s Business Continuity / Crisis Response capabilities against a defined framework can help align these perceptions. One framework that incorporates best practice guidance and organizational operational objectives in the event of a disaster is the National Institute of Standards and Technology (NIST) Contingency Planning Guide.

Internal Audit should assess the organization’s response capability across all components of a recovery plan including:

  1. Human capital. The people within your employee workforce who possess the skills, knowledge, and experience to continue the operations of your organization
  2. Facilities. The physical locations required to operate your business
  3. IT assets. The IT asset infrastructure and services required to support the business operations, including overlooked assets like email and telephony communications

The assessment should include every phase of an event:

  1. Incident management. The immediate response within an organization to address the disaster and resume critical functions after the occurrence of a disastrous incident.
  2. Disaster recovery. The process of returning to a state of minimum functionality after a disastrous incident.
  3. Business resumption. Resuming full operational capacity following a disastrous incident.

Individual components and phases should have specific activities associated with their response.

Each item is interrelated and supports the organization’s progress, from the occurrence of a disaster to maintaining minimum functionality to reduced operations and ultimately returning to complete operational capacity. This is outlined in the graphic below:

Preparing for risk in a changing landscape: Business Continuity / Crisis Response

As audit teams review the organizational capability around the Business Continuity / Crisis Response, it may be tempting to focus on the organization’s response to the recent COVID-19 crisis. Internal Audit should ensure that the scope is inclusive of all response activities for crises applicable to the organization. The response requirements for a pandemic may differ significantly from the response to a facility fire or a geographic flood.

Weaver is here to assist you in understanding and assessing your organization’s ability to respond to crises and manage business continuity. Contact us with questions or concerns about how your organization can evaluate its knowledge, capability and preparedness for crisis response and business interruptions.

© 2021