The Future of Internal Audit

Day 1: Business Continuity Planning

The key objectives of BCM

• To provide critical services during times of disruption
• The need for management leadership
• Linking the BCM plan with strategic objectives
• Ensuring the resources for BCM are available
• Communicating the importance of the process
• Ensuring the intended outcomes are achieved
• Directing and supporting the personnel involved
• Determining the BCM owners across the business
• Exercise 1 – Assessing the effectiveness of BCP key objectives

Evaluating the BCM model

• Understanding the business impact of major events
• Determining strategies to deal with these events
• Ensuring that ISO 22301 is adopted
• Reviewing and conducting a gap analysis of the current BC policies
• Improving understanding of the risk profile of such incidents
• Preparing for each different emergency situationDevelopment of procedures to recover from a disaster
• Preparing the actions to take during the recovery phase
• Testing the business recovery process
• Keeping the plan up to date
• Establishing a BCM culture across the organisation
• Identifying gaps
• Exercise 2 – The BCP model

Reviewing the resilience of critical business processes

• Identifying the critical processes and their relative importance
  • Explosions
  • Fire
  • Sabotage and terrorist attacks
  • Epidemics
  • Supply chain failure
  • Flooding
  • Earthquake
  • Significant political risk
  • Loss of IT
  • Loss of critical data
  • Loss of Telecoms network
  • Major Electricity outage
  • Vehicle incidents
  • Plant closure
  • Inability to access offices
• Assessing the internal and external risks impacting continuity of these processes
• Evaluate what plans are currently in place to deal with the risks
• Which processes need further attention
• Which can be further developed as a cross business process
• Which events currently have no plan
• Allocating responsibility for actions
• Exercise 3 – The process to deal with loss of critical business activities

Ensuring specific plans for each type of incident

• An incident resulting in the death or serious injury
• Kidnap of staff
• An incident resulting in the complete suspension of business activities
• An incident resulting in the complete suspension of a key project
• Act involving gross mismanagement of funds
• Event that may have legal repercussions
• Incident that lead to public or other retaliation
• Incident resulting in negative coverage in the mediaOutbreak of conflict in a community served by the business
• Natural disaster
• Exercise 4 – Reviewing the specific plans

The BCP testing process

• The need for all aspects of the plan to be tested
• BCM Test plan
• Desk check
• Communication testing
• Physical tests
• Completing the tests
• Testing Feedback
• Overall Test Evaluation
• Exercise 5 – Assessing the BCP testing plan

Day 2: The BCM Process in practice

The Crisis management (CM) plan

• Has the plan been developed in conjunction with the strategic planning process?
• Crisis Risk owners – how these personnel are chosen and how ownership is enforced
• Are annual statements required by these risk owners?
• Assessing the risk tracking process
• Using the risk register as a crisis management decision skeleton
• The steps taken to coordinate and link the output
• Flagging interdependencies – if one risk treatment is changed the other
• party or parties impacted are notified
• Has the CM process been used to break down the barriers
• Assessing reports for senior management
• Auditing the process
• Exercise 6 – Reviewing the crisis management plan

Reviewing emergency preparation

• Establishing an Emergency Operations Centre
• Emergency authority procedures
• Determining time bands to cover
• The emergency period (minutes to hours)
• The crisis period (hours to days)
• The recovery period (days to weeks)
• The key documents and where held + the ownersKey Systems
• Key system suppliers
• ICT and Communications back-up strategy
• Information back-up strategy
• Key partners emergency contact information
• Back-up power
• Off-site storage
• Alternative locations
• Media Liaison
• Insurance cover
• Exercise 7 – Assessing emergency preparedness

The incident management process

• Initial assessment
• What are the known facts of the incident and what is/is not confirmed
• What action has already been taken and by whom?
• Is there anything that needs to be done immediately to protect
• against further harm / damage?
• Immediate actions
• Assignment of roles
• Emergency Operations set up
• Communications schedule agreed
• incident support personnel
• External expertise (legal, negotiators etc,) required?
• Security networks activated
• Recovery
• Assessment
• Exercise 8 – The incident management process

The BCM communication process

Assessing Recovery planning

Evaluating the effectiveness of post event reviews