
The Role of the Internal Auditor in Business Resilience


On a hot, dry day in early May 2016, winds whipped a wildfire in northeastern Alberta into a massive, out-of-control inferno, driving flames and heavy smoke straight into the town of Fort McMurray. Within hours, almost 90,000 people had been evacuated from the region, including workers from oil sands operations representing about 20 percent of Canada’s crude oil production.

Industry, commerce and private enterprises were shut down, most for at least three weeks, others for longer and some, permanently. The economic toll on the province, corporations, business and individuals is expected to top $9 billion—Canada’s most costly natural disaster to date.

For the people of Alberta, this was the second major natural disaster in three years as the devastation and impact of the 2013 southern Alberta floods is still fresh in the minds of many. However, it is important to note that other less severe and widespread business disruptions also happen. Power outages, cyber-attacks, IT system failures, loss of key suppliers and individual building failures frequently take place.

In all cases, the businesses and organizations that come out with the least amount of damage are those which not only have an emergency response plan in place, but ones with complete business resilience programs that include risk management, emergency plans, crisis communications plans and fully implemented, up-to-date and tested business continuity plans.

The Current State

Many organizations have sound individual plans for their business units but lack synergy between them, sometimes resulting in disjointed and potentially ineffective and inefficient programs. Not only are the continuity, emergency response, disaster recovery and crisis communications plans often unintegrated and developed without a consistent understanding of the recovery priorities of the business; there are also often gaps between business resilience programs and the strategic goals of the organization. This misalignment is further compounded by the fact that business continuity plans may be developed in isolation from the business units they are meant to support and, as a result, will not meet the needs of the business during recovery.

ASEBP’s Business Continuity Experience

Darcy Atkinson knows the value of a good business continuity plan. As the Chief Risk Officer for the Alberta School Employee Benefit Plan (ASEBP), Atkinson is in charge of ensuring ASEBP’s 130 employees can meet the needs of 110,000 covered members and their dependants, during good times and during events like the Fort McMurray wildfire. During the fire, ASEBP had to react quickly and ensure that immediate support was available by expediting replacement of life-sustaining prescribed medications, medical supplies and equipment. Covered members were also reminded of crisis supports ASEBP had available and were reassured that maximums and claiming cycle constraints would not apply due to the crisis.

Amidst the Fort McMurray crisis, Atkinson was reminded how customized, holistic and organization-wide a business resilience plan needs to be. ASEBP was able to support its covered members impacted by the crisis, but if the crisis had also required the evacuation of all ASEBP employees at the same time, the outcome would have been much different. Its emergency response plan and business resilience programs would have been pushed to the maximum, and in the worst case to a breaking point. This would have made supporting covered members during a disaster far more difficult.

This reminder also had a secondary effect: it was the catalyst for an internal audit of ASEBP’s current business resilience plan.

The Role of the Internal Auditor in Business Resilience

Internal auditors get a unique view of an organization because they have visibility into all facets of the business. They possess a valuable strategic perspective, while also being able to dive deeper into the moving parts of any business. They can check for silos and make sure programs not only comply with leading practice standards, but are also comprehensive and integrated.

From an internal auditor’s perspective, it is their role to confirm that the organization has the plans and structures in place and is adequately protected, relative to an overall risk management plan. This includes ensuring the continuity, emergency response, disaster recovery and crisis communications plans are integrated, aligned with best practices and, more importantly, the organization’s culture and strategy. It is also essential that the plans have been tested and practised by the teams responsible for their execution.

There are three key principles internal auditors need to take into account when reviewing emergency management and business continuity programs:

  1. The program should be integrated with governance, risk and control, performance improvement and linked with other existing business programs.
  2. Plans should be risk-based and, while aligned with recognized standards, tailored to fit the specific needs of the organization.
  3. The overall program should include all of the components and elements listed below.

  • Policy
  • Program Structure and Management
  • Program Integration
  • Risk Assessment
  • Hazard Identification and Risk Assessment
  • Business Impact Analysis
  • Emergency Procedures
  • Emergency Plan
  • Crisis Management Plan
  • Crisis / Emergency Communications Plan
  • Business Continuity Plan
  • Policies, Procedures and Guidelines
  • Training and Awareness
  • Compliance Testing and Benchmarking
  • Exercises / Testing
  • Maintenance
  • Program Audit and Review

Emerging Trends in Business Resilience

Strategic Perspective: Emergency management and business continuity are being viewed from a more strategic perspective, becoming a value proposition rather than a cost centre. It is about maintaining a competitive advantage before, during and after a major event – this includes risk-based mitigation efforts as well as response and recovery plans.

“People always think that couldn’t happen to us, we can do it on the fly. It’s that battle between investing capital in a proactive manner for an event that may not happen as planned or at all, or relying on the expertise of your staff and their ability to react on the fly,” said Atkinson. Many companies are operating from a tight budget, a focus on making profits now and a misplaced belief that emergency systems will support long-term recovery. But once that one-in-a-hundred-years event arrives, or your particular organization’s disruptive event occurs, the value of having invested in a plan is reflected in a company’s bottom line almost immediately.

Use of Subject Matter Experts: Companies are also realizing the importance of having subject matter experts on board. Oftentimes internal audit does not have the resident skills and expertise and runs the risk of disengaging operational staff with misaligned or impractical recommendations that do not truly reflect the needs and priorities of the business resilience program. Bringing on experts helps to ensure that internal auditors can maintain independence from business resilience programs and that the programs are truly customized to address unique industry, geographical or business risks, while aligning with leading practice. In addition, experts can help internal audit create buy-in to implement recommendations that will truly elevate the program, building on industry trends and leading practices that an internal auditor may not be aware of or able to access.

Creating Buy-In: For a business resilience program to succeed, the business itself has to own it, not the auditor or the person responsible for making sure the plans are in place. People have trouble getting buy-in from executives and management because they can’t effectively link business resilience to the strategic priorities of the organization, so it becomes just another cost centre. Internal auditors can help change that perception because they take a strategic view when they are completing their audits and can champion the need for a strategic and integrated program.

Size to Fit: When auditing a program, the key is to balance meeting standards of practice with how those apply to and fit a specific organization. If the program is built fundamentally on leading practices and you tailor it to fit the organization’s unique needs and risks then it is likely to be accepted, implemented and ultimately successful.

For more information, contact:

Cliff Trollope, CBCP, CRM, CAS, Business Resilience Practice Leader, [email protected]

Mariesa Carbone, CPA, CA, ABCP, CRMA, National Enterprise Risk Services Leader, [email protected]