The unpredictable nature of the modern business environment has left organisations increasingly susceptible to a myriad of challenges that can disrupt their operations. Economic downturns, natural disasters and cyber-attacks are just a few examples of crises that may result in significant disruptions to a business’s operations.
In that regard, it is imperative for the survival of organizations to adopt a proactive business continuity strategy. At its core, business continuity strategy or management is a company’s ability to maintain its essential functions and to continue to provide services during or following a crisis, thus minimizing the potentially adverse impacts on its operations.
Business continuity resonates with the operational resilience of a company. This means that in considering a business continuity audit, an organization must start by defining its resilience level in relation to the industry in which it operates.
This is because every entity will have a level of resilience beyond which it cannot withstand any form of adverse impacts. Flowing from that, an organization must be able to anticipate, prepare for, respond to and adapt to incremental change and sudden disruptions in order to survive.
Resilience allows an organization to absorb internal and external shocks by providing an assurance of the continuity of critical operations. It also involves a strategy that ensures the protection of key processes and resources like systems, data, people and property.
Scope of a BCM Audit
A business continuity or resilience audit should start with a thorough mapping of the organization’s internal processes and its position in the environment in which it operates. Clearly, the audit must align with the organization’s goals and its business continuity management (BCM) objectives. It must also incorporate the effectiveness of business impact analysis, risk assessment and risk mitigation methods.
The audit must also cover the adequacy and suitability of BCM strategies and solutions, the compliance of plans and documentation with standards and regulations, the readiness and capability of staff and stakeholders to execute plans, and the performance and outcomes of tests and reviews.
There is also a need to be aware of the increasing volatility, uncertainty, complexity, and ambiguity of the present world. All these aspects of the scope are essential to protect critical assets, resources, and operations from various threats. In that regard, the focus must be on these issues during a business continuity audit.
Conducting a BCM Audit
A structured audit must be an integral part of an organization’s overall business continuity strategy. A business continuity audit systematically evaluates an organization’s ability to maintain essential functions and services during and after a disruption.
The audit must evaluate how well an organization is complying with its business continuity management (BCM) framework. It starts with defining the objectives and scope while bearing in mind the business’s needs and expectations. A risk-based approach must be used to prioritize audit areas and focus on the most critical aspects of the BCM.
A business continuity audit requires the selection and training of the team to be deployed. Training and involving staff and other key stakeholders in the audit process helps to obtain valuable input and feedback.
The next step is to plan and schedule the audit activities such as document review, interviews, observations and tests. Thereafter, the team must collect and analyze data that will help to evaluate the business continuity management (BCM) performance and compliance against the audit criteria.
Furthermore, it is important to record and document audit activities, evidence and results in a clear and consistent manner. The audit team needs to report and communicate audit findings and recommendations to the relevant stakeholders to act on within a set timeframe. The audit cycle requires follow-up or monitoring to ensure the implementation and effectiveness of the preventive and corrective actions.
Other Issues for Consideration
In conducting a BCM audit and resilience planning, it is also important to consider likely incidents from a very broad perspective. Some scenarios could be very instructive based on recent global occurrences. Thus, stress scenarios should not simply be derived from past events. They must proceed from a complex worldview.
For example, most traditional corporate resilience plans have typically incorporated a recovery site, which is available for use if the main site is temporarily disrupted by fire or flood.
However, COVID-19 has demonstrated the value of thinking beyond the simple replacement of a worksite to a completely different paradigm of “working from home” where an organization’s data can be saved in the cloud. Indeed, due to new or emerging world disruptions, one can say that inter-relationships between risks can no longer be narrowed to historical correlations as crises can completely change the dynamic of these relationships.
Once scenarios have been established and developed, they must be escalated to the organization’s executive and the board/audit committee. Those scenarios should include full narratives of the improbable events instead of relying on the aggregated risk indicators familiar from the usual risk reporting process.
What is useful to management is the story behind those events rather than the simplified characterization of the probability/severity of the risks. In the case of the pandemic scenario, the full narrative will now have to include the possibility of a significant number of employees who are unable to work due to sickness while most others will work and communicate from home.
This means that the organization will also have to assess its digital strategy to support this mode of working and look at further risks that can have an impact on those scenarios. Examples would include: What if network providers fail or are experiencing bandwidth issues? How will employees be able to balance work and personal life depending on their living arrangements? There again, scenarios must incorporate action plans which can be regularly tested and implemented in a streamlined manner without excessive governance or bureaucracy.
Why Business Continuity Audit is Important
The audit can help an organization to identify gaps, risks and opportunities for improvement in its business continuity plans, policies and procedures. It is essential for improving a company’s resilience by providing actionable insights and recommendations to address those gaps. Audits can also improve confidence and credibility in business continuity plans and capabilities while demonstrating an organization’s commitment and accountability to customers, regulators and investors. Moreover, they ensure compliance and alignment with the latest standards, regulations and best practices.
Conclusion
Business continuity and crisis management has become essential for organisations striving to withstand and recover from unexpected disruptions. These crises or events manifest themselves in many different ways. This means that there will never be a single model of business continuity and crisis management that is valid for all organisations. However, a BCM audit can offer a unique skill set and objective perspective. It provides invaluable assistance for organizations in identifying their risks, monitoring their processes and evaluating their business continuity plans and processes. Their involvement can make a substantial difference and provide crucial support to businesses during challenging times. As organisations continue to navigate the complexities of the modern business environment, recognizing the pivotal role of audit in business continuity and crisis management is no longer an option but a necessity.
BERNARD BEMPONG
Bernard is a Chartered Accountant with over 14 years of professional and industry experience in the Financial Services Sector and Management Consultancy. He is the Managing Director of J.S Morlu (Ghana), an international consulting firm providing Accounting, Tax, Auditing, IT Solutions and Business Advisory Services to businesses, government and not-for-profits.