Skip Ribbon Commands
Skip to main content

Hell or High Water – Auditing Business Continuity Programs

13/06/2016


​​​​On a hot, dry day in early May, winds whipped a wildfire in northeastern Alberta into a massive, out-of-control inferno, driving flames and heavy smoke straight to the town of Fort McMurray. Within hours, almost 90,000 people had been evacuated from the region, including workers from oil sands operations representing about 20 percent of Canada’s crude oil production.

Industry, commerce and private enterprises were shut down, most for at least three weeks, others for longer and some permanently. The economic toll on the province, corporations, business and individuals is expected to add up to $9 billion – Canada’s most costly natural disaster to date.

Resilient entities that will come out with the least amount of damage following a major event will be those which not only have an emergency response plan in place, but ones with an implemented, up-to-date and tested business continuity plan. Successful organization are those that have established an integrated programs of emergency response, disaster recovery and business continuity to maintain a competitive advantage before, during and after a major event.

Six Fundamentals of Business Continuity Programs

From an internal auditor’s perspective, it is your role to confirm that the organization has the plans and structures in place and is adequately protected, relative to an overall risk management plan. This includes ensuring the continuity, emergency response, disaster recovery and crisis communications plans are all aligned with best practices and – more importantly – the organization’s culture and strategy. It is also essential that the plans and teams have been tested and practiced by the teams responsible for their execution.

There are six underlying principles internal auditors need to take into account when reviewing emergency management and business continuity programs.

  1. The program must be integrated and linked with governance, risk and control, performance improvement and / or other existing business programs.
  2. Key stakeholders in the response and recovery process have been identified, engaged and managed.
  3. The business continuity plan is only created after a comprehensive analysis and risk assessment is completed, one that enables fully understanding the business, from inside and out.
  4. Senior management requirementshave been identified and supported.
  5. The strategic aspects and value proposition of the plan (such as minimizing financial losses, protecting people and assets) are made clear and link to and support overall business objectives.
  6. Best practices have been customized and tailored to suit the structure, culture and budget of the organization.

Come Hell or High Water

When floodwaters from the Bow River engulfed the Calgary Stampede site and stadium in 2013, just weeks before its famous 10-day annual extravaganza, the organization sold tee shirts with the logo “Come Hell or High Water,” and put its emergency response and crisis management plans into action. The site was cleared, stadium events relocated or rescheduled and the show went on, on time. The key to the venerable organization’s success was not only the heroic efforts of all involved, and the fact that they had plans in place, but also that the plans were fully implemented, tested and kept up to date.

The Calgary Stampede trained the right people, tested it on an annual basis and built relationships with the people linked with the city and emergency services. They had the network in place and the trust built between the key players. Given the plans were updated and reviewed regularly, when the 2013 flood hit, they were as ready as they could be.  

The organization responded and implemented its plans, rather than just reacting, enabling the Calgary Stampede to carry on.

Custom vs Compliance-loaded

Darcy Atkinson, CPA, CMA, knows the value of a good business continuity plan. As the Chief Audit Executive for the Alberta School Employee Benefit Plan, Atkinson is in charge of ensuring the ASEBP’s 130 employees can meet the needs of 110,000 people covered within the plan, during good times and during events like the Fort McMurray fires.

After the Fort McMurray wildfires, he realized how customized, holistic, and organizational-wide a business resilience plan needed to be.

Internal auditors get a unique view of an organization because they have visibility into all of the different parts. They possess a valuable strategic perspective, while also being able to dive deeper into the moving parts of any business. They can check if there are silos and make sure the program not only complies with leading practice standards, but is also comprehensive and integrated. Which is what business resilience is all about at the strategic and operational level; all-inclusive and sized to fit the organization.

Many organizations have sound individual plans for their business units but lack synergy between them, sometimes resulting in disjointed and potentially ineffective programs. While the continuity, emergency response, disaster recovery and crisis communications plans often aren’t integrated and developed according to a consistent understanding of the recovery priorities of the business, more importantly there are often gaps between business resilience programs and strategic goals of the organisation.

As an auditor you are looking for the synergy between plans and the organization as a whole, and how they interconnect. The same holds with gaps between continuity program and strategic goals: if one of your goals is to be responsive and available, then from a business continuity perspective, you have to design your program to meet those goals.

Emerging Trends

Business continuity is being viewed from a more strategic perspective, becoming a value proposition rather than a cost centre. This is about maintaining a competitive advantage before, during and after a major event.

“People always think that couldn’t happen to us, we can do it on the fly. It’s that battle between being proactive and reactive,” said Atkinson. Many companies are operating from a tight budget, a focus on making profits now and a misplaced belief emergency systems will support long-term recovery, he noted. But once that one in a hundred years event arrives, the value of having invested in a plan is reflected in a company’s bottom line almost immediately.

Companies are also realizing the importance of having subject matter experts on board. An internal auditor knowledgeable in the business evaluates the business resilience program against standards and practices unique to the business, as well as assesses after the fact to see how recovery went. They come in and check if the proper preparation and risk mitigation were completed prior to an event: were plans developed, were they risk-based plans, were they practiced?

As a generalist in internal auditing, “We don’t know all that – we don’t know what to cut, what’s important, what’s not important,” said Atkinson. “We don’t know what areas are more challenging than others, we don’t know how to test. That’s why I am looking for an expert to assist in evaluating our program.” It is critical to either engage experts to evaluate your resilience programs or to form part of your internal audit team so as to allow you to truly add value in building a customized program that does more than satisfy minimum standards – that truly protects the brand your organization has taken so many years to build.

As a search and rescue volunteer, Atkinson finds having to manage untrained volunteers takes precious time away from the event. During a crisis at work it’s the same thing, he said, managing people who don’t know what to do is a nightmare and eats up all your resources.

Creating Buy-In

For a business continuity plan to succeed, the business itself has to own it — not the auditor, not the person responsible for making sure the plans are in place, not the business continuity unit itself. At the end of the day, the person in charge of payroll, for example, is the person who understands operation, recovery and resilience requirements. The business continuity team oversees and ensures all those pieces are in place and exercised, but it’s the business unit that needs to ensure it truly reflects the business, their priorities and how they get their business back up and running. They also understand how that integrates with the broader corporate recovery goals and operations and can design a plan that will succeed.

People have trouble getting buy in from executives and management because they can’t link all things about business resilience to strategic priorities of the organization, so it becomes just another cost centre. Internal auditors can help change that perception because they take a strategic view when they are completing their audits.

By making a complex concept simple and understandable to executives and management, auditors will likely be more successful than trying to force a one-size-fits-all program onto an organization.  When auditing a program, the key is to balance meeting standards of practice with how those apply and fit a specific organization. If the program is built fundamentally on leading practices and you tailor it to fit the organization’s unique needs then it is likely to be accepted, implemented and ultimately successful.

About the Authors:

Mariesa Carbone, CPA, CA, ABCP, CRMA. Enterprise Risk Services, MNP, [email protected]

Cliff Trollope, CBCP, CRM, CAS. Enterprise Risk Services, MNP, [email protected]