How can internal audit assess business continuity and crisis management plans?

PwC’s Mark Stock looks at the important role that internal audit can play in helping businesses to prepare for the unexpected.

Risks are by their nature uncertain but what is certain is that the unexpected happens! Business find themselves caught out by events more and more!  We don’t have to think too hard to find examples – there are any number of recent cyber-attacks in the news, or Volkswagen and the emissions scandal, or BP and the Gulf of Mexico disaster, or the business disruption caused by flooding.

It is not that these examples are unforeseeable – but when they occur and what impact they have is becoming much more unpredictable. This is especially true with the growth of social media, where bad news stories can go viral with an impact that is an order of magnitude greater than might be expected.

Since the 1960s, and well before the term ‘black swans’ was coined, it has been understood that complex systems are more susceptible to unpredictable risks and more care was needed to design systems where safety was paramount, like aircraft flight systems or nuclear industry control systems.

But now day to day business is just as complex - businesses are increasingly interconnected and communications are ever faster, business networks are becoming more complex. As a result, both threats and impacts are becoming far less predictable. We are having to respond to unpredictable situations more often and more rapidly.

When something goes wrong in a big and public way, the political response always seems to be “We will put in more controls, and make sure that it never happens again”.

It’s an understandable reaction, and sometimes it is appropriate. But there’s an argument that it might be to worst possible answer. The cumulative effect is an expensive array of stifling controls designed to encourage conformity of behaviour. But in any crisis, and in preparing for the unexpected, it is all about the quality of decision making.

And planning for a crisis needs to support the best possible decision making, and not to lay down detailed guidelines for dealing with every eventuality you might imagine.

How does internal audit assess readiness for dealing with the unexpected?

Auditing Business Continuity Management (BCM) inevitably leads to the reviewing the quality of the decision making and communication of the most senior executives. In fact, it should start with that! And you will need to be prepared for some uncomfortable conversations!

Imagine trying to tell Dick “Gorilla” Fuld, the former CEO of Lehmans, as he headed into the crisis that brought his bank down, that statements such as “When I find a short-seller, I want to tear his heart out and eat it before his eyes while he's still alive” are really not going to help!

The board and top management are prone to over-estimate their own fire-fighting capabilities. They tend to like facts, not hypothetical scenarios. This means that they are more vulnerable to procrastination or hesitancy when dealing with unpredictable and unknown risks.  

Internal Audit can help in two ways. Firstly, by including top level crisis exercising as part of their definition of effective risk management and resilience, and assuring what is done under this banner. Secondly, by helping keep things grounded with a focus on capability – the ability to respond, rather than a focus esoteric threats.  A focus on threats means grinding through an assessment of the likelihood and impact of transport strikes, pandemics, extreme weather, terrorism blocking transport, fires, flood, and so on – and top management soon lose interest in these which individually are unlikely to happen or cause much harm. You recognise instead that these are just examples of threats that might prevent your people from getting to work. Collectively this is a much more likely, and you plan instead around how you would cope in that situation.

The biggest mistake people make is to undertake an audit based on whether or not you have plans and whether or not you meet some hypothetical specification for BCM, instead of looking at whether the plans will really work and are fit-for-purpose.

This tick-box mentality is not helped by standards and regulation, which encourage auditors to assess plans against a generic specification, which in turn leads to less experienced auditors being deployed who are unable to challenge the effectiveness of the plans. By contrast, good practice in leading Internal Audit departments starts with an assessment of the current operating environment for the unit being reviewed, and then the plans are assessed to see whether they are fit for purpose in that context. In doing so, the auditors will also evaluate the thought-process the planners have gone through to make sure that priorities and plans match the business requirements.  

In leading businesses, Internal Audit can help by ensuring that there is clarity and alignment in the statements of risk appetite and the desired state of preparedness.

All good BCM plans have at their heart a framework – their design effectiveness relies on clear accountability and authority to make decisions and the operating effectiveness relies on competency and confidence to make decisions often at speed often without all the facts known.  

Our three top recommendations for successfully auditing BCM and Crisis Management are: 

• Make sure plans are based on a sound understanding of both what matters to the business and what the business depends on. Making sure that the most important things you have and do are resilient is the best way to protect yourself against a wide range of risks, regardless of how predictable they are.
• Focus on ‘Does it work’ rather than ‘Have we got…’.  The latter is a tick-box approach to auditing BCM - looking to see if plans exist or tests have taken place doesn’t tell you whether the plans will work – worse than that it provides false assurance.  You need to drill down into how the plans were put together and whether they have been properly exercised.
• Make sure that senior management have set the parameters of resilience, preferably in the form of Risk Appetite, and that they understand and have endorsed the ongoing development and maintenance of your capability to respond.

About the author

Mark Stock is a member of the ICAEW’s Internal Audit Panel and a Partner in Risk Assurance at PwC.