
Page 1

The role of Internal Audit in Business Continuity Management

Institute of Internal Auditors

April 22, 2020

Page 2

Contents

1 Introduction (page 3)
Objectives: Introductions by participants and an understanding of their individual objectives and exposure to BCM.

2 Overview of Business Continuity Management (page 6)
The Case for BCM: This section defines BCM and addresses the importance of Business Continuity Management.
Defining BCM: This section outlines BCM objectives and details the components of a BCM program.
The BCM lifecycle: This section provides an overview of the phases involved in implementing a BCM program.
Industry standards: This section provides an overview of the Business Continuity Institute Good Practice Guidelines.

3 How to audit a BCM program (page 31)
The audit process: This section lists the key activities and procedures involved in auditing a BCM program.

4 The role of Internal Audit (page 38)
Bringing value: This section gives insight into the ways that Internal Audit can bring value to a BCM program.
Notable considerations: This section highlights key areas of focus for Internal Audit.

5 Impact of COVID-19 on IA (page 41)
Key considerations: This section provides a lifecycle and points to consider when auditing entities after COVID-19.

6 Guides and resources (page 45)
Additional resources: This section lists publicly available guides and resources for further information.

Page 3

Introduction

Page 4

With you today

Sarah Vakil, Senior Manager, PwC

Sarah is a Senior Manager with PwC’s Risk Assurance practice and leads the firm’s BCM practice in the west. She has over 10 years of experience working with public and private sector clients in Canada, the U.S., and internationally to design, develop, implement, validate, and audit BCM programs for small to mid-sized and Fortune 100 companies. Sarah has led multiple BCM engagements with global organizations across major industry sectors including financial, insurance, energy, utilities, oil and gas, retail, healthcare, and others. Sarah is a Certified Business Continuity Professional (CBCP) and Member of the Business Continuity Institute (MBCI). She is actively involved in the industry as board member, researcher and author with organizations including the Business Continuity Institute and the Disaster Recovery Information Exchange (DRIE West).

Edward Matley, Partner, PwC

Ed is a Partner in PwC’s Risk Assurance practice and leads the firm’s Business Continuity Management (BCM) practice in Canada. He has more than 20 years of management and business advisory experience with specialization in BCM, helping clients to develop Incident Management, Emergency Management, Crisis Management, BCM, IT Disaster Recovery, and Enterprise Risk Management programs. He has led and delivered numerous BCM engagements ranging from Health Check reviews to facilitating workshops and assisting clients in developing, implementing, and auditing pragmatic BCM programs. He is a member of the Canadian mirror committee for ISO Technical Committee 292, which is responsible for the development of the ISO standard for Business Continuity Management - ISO 22301.

Contact: +1 604 806 7634, [email protected]; +1 403 390 3888, [email protected]

Page 5

Objectives

1. Provide an overview of a Business Continuity Management program
2. Discuss ways to best audit the program
3. Discuss potential roles for IA in enhancing and sustaining a program
4. Discuss the impact of COVID-19 on IA

Please participate by posting questions or comments in the chat!

Page 6

BCM overview

Page 7

The case for BCM

The world is becoming increasingly complex and the disruptions organizations face may come from both natural and man-made hazards. The purpose of BCM is to ensure that you are more resilient to potential threats and enable you to resume operations under adverse conditions.

Shown here are the top global risks society will face according to the analysis of the World Economic Forum, which maps the likelihood and impact of these challenges.

Page 8

“80% of businesses without Business Continuity Plans go out of business within 13 months of a major incident” - BCI

Evolving risks: breach in industry regulation; supply chain disruption; loss of market share; lack of continuity across services; damage to reputation; threat to employee safety.

The case for a BCM program. According to ISO, implementation of BCM may:

● Protect life, property and the environment
● Protect and enhance reputation and credibility
● Contribute to competitive advantage
● Reduce costs arising from disruptions
● Improve the capability to remain effective during disruptive incidents
● Assist in making interested parties more confident in the organization’s success
● Reduce legal and financial exposure
● Demonstrate the ability to manage risk and address operational vulnerabilities

Page 9

What is Business Continuity Management (BCM)?

The purpose of BCM is to ensure the entity is more resilient to potential threats and enable the entity to resume or continue operations under adverse conditions.

BCM is a holistic process that:

● Identifies potential threats to an organization and the impacts to business operations
● Provides a framework for building organizational resilience and an effective response
● Safeguards the interests of key stakeholders, reputation, brand and value-creating activities

Page 10

Incident timeline (figure)

Before the event, under Prepare (Business as Usual): Risk Reduction, BIA, Strategy, Plans and procedures, Exercise, Awareness. After the event: Respond, Recover, Restore, spanning Emergency Management (EM), Crisis Management (CM), Business Continuity (BC) and Disaster Recovery (DR).

Page 11

Defining components of BCM

BCMS: Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.

BCP: Guides organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption that impacts its assets.

EM Plan: Designed to respond to issues where there may be a threat to life safety of staff or the public.

DR Plan: A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.

CM Plan: Outlines the processes used to respond to a critical situation that would negatively affect an organization's profitability, reputation or ability to operate.

Crisis Comms Plan: Provides policies and procedures for the co-ordination of communications within the organization and any applicable outside agencies in the event of an incident.

Figure: the Business Continuity Management System encompasses the Emergency Management Plan, Business Continuity Plan, Crisis Management Plan, Crisis Comms Plan and Disaster Recovery Plan; the plan owners shown are Health and Safety, Business Functions, Executive Team, Communications and Technology.

Page 12

Policy and program management (PP1)

Policy and Program Management is the professional practice that establishes the organization's policy relating to business continuity and defines how the policy should be implemented, controlled, and validated throughout the business continuity program.

Key deliverables:
• BC Policy & Governance Framework
• Business Continuity Management System (BCMS)

Page 13

Policy and program management (PP1): BC policy

Lifecycle stage 1, Policy and program management: defines the organizational policy relating to BC and how that policy will be implemented, controlled and validated. Deliverables: BC policy; BCMS.

Primary objectives
To communicate the framework around which the BCM program is designed and built, and to establish the organization’s principles, guidelines & minimum standards relevant to BC.

Key considerations
● Define BCM program scope by considering the organization’s products and services to be included in the program
● Top management action, support, and commitment is required to set up, draft and review the policy

Outputs
A clear and concise BC Policy that has been communicated throughout the organization, is accessible for external scrutiny, and is reviewed every year.

Page 14

Policy and program management (PP1): BCMS

Lifecycle stage 1, Policy and program management: defines the organizational policy relating to BC and how that policy will be implemented, controlled and validated. Deliverables: BC policy; BCMS.

Primary objectives
To successfully complete an implementation of BC; the long-term goal of the BCM program, however, is to improve organizational resilience.

Key considerations
● A BCMS is a formalised method of ensuring the BCM program is implemented and managed to a recognised standard, usually ISO 22301, which involves the Plan-Do-Check-Act cycle
● Some companies may choose to be certified, be aligned to these standards, or not have a formalized BCMS in place at all

Outputs
● Documentation to provide an audit trail including a BC policy
● Management processes and controls to support the policy
● Formal management review of BCMS performance and corrective actions

Page 15

Embedding (PP2)

Embedding is the professional practice that defines how to integrate business continuity awareness and practice into business as usual activities.

Key deliverables:
• Training materials
• Awareness campaign

Page 16

Embedding (PP2): Training and awareness

Lifecycle stage 2, Embedding business continuity: integrates BC into day-to-day business activities and organizational culture. Deliverables: Training; Awareness campaign.

Primary objectives
To raise awareness about business continuity through communication, encourage buy-in from interested parties, ensure required competencies and skills are in place, and ensure appropriate training and learning opportunities are provided.

Key considerations
Successfully embedding business continuity is a result of:
● Understanding and influencing organizational culture
● Developing BCM competencies
● Conducting training and implementing awareness campaigns

Outputs
● Training materials
● Awareness campaign

Page 17

Analysis (PP3)

Analysis is the professional practice within the BCI BCM Lifecycle that reviews and assesses an organization in terms of what its objectives are, how it functions and the constraints of the environment in which it operates.

Key deliverables:
• Business Impact Analysis (BIA)
• Threat assessment

Page 18

Analysis (PP3): Business Impact Analysis (BIA)

Lifecycle stage 3, Analysis: reviews and assesses an organization’s objectives, how it functions and the constraints of the environment in which it operates. Deliverables: BIA; Threat assessment.

Primary objectives
The BIA is the foundation on which the BCM program is built. It identifies business continuity requirements, providing information to determine the most appropriate business continuity solutions. The BIA identifies the urgency of each business activity undertaken by the organization by assessing the impact over time of an interruption to this activity on the delivery of products and services.

Key considerations
● What type of BIA should be conducted based on the client’s needs and maturity?
● Impacts to which functions keep senior management up at night?
● What is the scope of the BIA (e.g., what business functions and process granularity should be included in the BIA)?
● What impact categories are relevant to the client (financial, regulatory / legal, reputational, customer, employee, etc.)?
● What variables will define the criteria for criticality of each impact category to meet the needs of my client’s organization?

Page 19

Analysis (PP3): Business Impact Analysis (BIA)

Lifecycle stage 3, Analysis: reviews and assesses an organization’s objectives, how it functions and the constraints of the environment in which it operates. Deliverables: BIA; Threat assessment.

Outputs
● A map of products and services in the organization and the processes and the operational activities that support them
● Standard framework to assess the impact of disruption and define unacceptable loss
● A list of most urgent products, services and processes and justification for exclusions
● The Maximum Tolerable Period of Disruption (MTPD) of products, services and processes
● A list of prioritized minimum resources needed for resumption and recovery of core and support business functions
● The gaps between resources needed and resources possessed

Page 20

Analysis (PP3): Threat assessment

Lifecycle stage 3, Analysis: reviews and assesses an organization’s objectives, how it functions and the constraints of the environment in which it operates. Deliverables: BIA; Threat assessment.

Primary objectives
To identify unacceptable levels of risk, single points of failure, and where controls, mitigations, and management processes are non-existent, weak or ineffective by focusing on the potential for high probability and high impact events.

Outputs
● Standard risk assessment framework and an understanding of the entity's tolerance for risk
● A list of threats that could disrupt most urgent activities prioritized by likelihood and severity
● Heat map to visualize priority of risks for mitigation
● Identification of any unacceptable single points of failure and evaluation of current controls

Page 21

Design (PP4)

Design is the professional practice within the business continuity management lifecycle that identifies and selects appropriate solutions to determine how continuity can be achieved in the event of an incident.

Key deliverables:
• Continuity and Recovery Strategies and Tactics
• Threat Mitigation Measures

Page 22

Design (PP4): Continuity and recovery strategies

Lifecycle stage 4, Design: identifies and selects appropriate strategies and tactics to determine how continuity and recovery from disruption will be achieved. Deliverables: Continuity and recovery strategies and tactics; Threat mitigation.

Primary objectives
To design solutions that enable the organization to respond to an incident, and continue to provide its prioritized activities, as identified in the Analysis stage.

Key considerations
Design plays a key role in BCM program development by consolidating selected solutions to ensure that opportunities for organization-wide collaboration are considered prior to progressing to the implementation stage.

Outputs
● Business Continuity Solutions, Strategies, and Tactics

Page 23

Design (PP4): Threat mitigation

Lifecycle stage 4, Design: identifies and selects appropriate strategies and tactics to determine how continuity and recovery from disruption will be achieved. Deliverables: Continuity and recovery strategies and tactics; Threat mitigation.

Primary objectives
To identify and select proactive measures that can be implemented to reduce the likelihood and/or impact of disruption to the organization’s most time critical and urgent activities. Threat mitigation measures are targeted at unacceptable concentrations of risk, single points of failure and the main threats to the organization’s most urgent activities, all of which were identified and prioritized in the Analysis stage of the BCM Lifecycle.

Key considerations
Collaboration with risk, physical security, and information security professionals should be undertaken at this stage.

Outputs
● Mitigation measures for main threats, single points of failure and unacceptable concentrations of risk

Page 24

Implementation (PP5)

Implementation is the professional practice within the BCM Lifecycle that executes the agreed strategies and tactics through the process of developing the Business Continuity Plan (BCP). The aim is to identify and document the priorities, procedures, responsibilities and resources to assist the organization in managing a disruptive incident, while implementing continuity and recovery strategies to a predetermined level of service.

Key deliverables:
• Response Structure

Page 25

Implementation (PP5): Response Structure

Lifecycle stage 5, Implementation: executes the agreed strategies and tactics through the process of developing the Business Continuity Plan (BCP). Deliverables: Response Structure; Business Continuity Plan.

Primary objectives
The purpose of establishing a response structure is to ensure that the organization has a clearly documented and well understood mechanism for responding to an incident, regardless of its cause. The response structure establishes command, control, and communication systems to help the organization manage the incident and minimise the impact of the disruption.

Key considerations
Outside of emergency management organizations, people are not used to operating in a direct command and control type of environment, and under duress will resort to what they know. It’s best to align the response structure with existing reporting lines as much as possible.

Outputs
Response structure outlining:
● Number and capabilities of the resources required
● Relationships between individuals
● Roles and responsibilities
● Communication methods

Page 26

Implementation (PP5): Business Continuity Plan (BCP)

Lifecycle stage 5, Implementation: executes the agreed strategies and tactics through the process of developing the Business Continuity Plan (BCP). Deliverables: Response Structure; Business Continuity Plan.

Primary objectives
To document procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. The BCP can accommodate any level of procedural detail and scope, and can be structured by products, services, locations, divisions or even scenarios.

Key considerations
● BCPs should be direct, adaptable, concise, and relevant
● Plans need to be flexible to adapt to specific incidents that might occur
● Specific incident plans are appropriate in some situations (e.g., evacuation, pandemic, or product recall plan)
● Where activities are outsourced, a third party’s BCM Program (or lack of one) can affect the organization’s overall resilience
● Varying degrees of plans are developed, depending on the size and culture of the organization, to meet strategic, tactical, and / or operational needs

Page 27

Implementation (PP5): Business Continuity Plan (BCP)

Lifecycle stage 5, Implementation: executes the agreed strategies and tactics through the process of developing the Business Continuity Plan (BCP). Deliverables: Response Structure; Business Continuity Plan.

Outputs
Business Continuity Plan(s) that include:
● Purpose, scope, objectives, and assumptions
● Incident management structure (for the organization as a whole)
● Response team responsibilities and assigned roles, including individual responsibilities
● Team mobilisation instructions
● Plan Activation (procedures and authorization)
● Plan Escalation (of recovery strategies)
● Contact details (usually held as appendices)
● Communications (covering employees, contractors, media, meeting locations, command centre)
● Action lists and steps
● Procedures for standing down the team and organization once the disruptive incident has been resolved

Page 28

Validation (PP6)

Validation is the lifecycle stage that confirms the BCM Program meets the objectives set in the BC Policy and that the organization’s BCP is fit for purpose. The purpose of Validation is to ensure that the BC capability reflects the nature, scale and complexity of the organization it supports and that it is current, accurate, and complete, and that actions are taken to continually improve organizational resilience.

Key deliverables:
• Exercise Program
• Maintenance and Review Program

Page 29

Validation (PP6): Exercise program

Lifecycle stage 6, Validation: confirms the BCM Program meets the objectives set in the BC Policy and that the organization’s BCP is fit for purpose. Deliverables: Exercise Program; Maintenance Program; Review Program.

Primary objectives
To ensure all aspects of incident response have been exercised and can be carried out. The frequency of exercising is dependent on the nature, scale and complexity of the organization, but it is recommended that every member of associated response teams should be involved in an exercise every 12 months at minimum.

Key considerations
● Organizations should develop an exercise program to validate selected recovery strategies and continuously improve BCM capabilities
● Five types of exercises can be conducted to test program readiness: discussion-based, tabletop scenarios, command post simulations, live simulation, and pass/fail tests

Outputs
● Exercise and test materials including mock scenarios, event injects, facilitator and participant guides

Page 30

Validation (PP6): Maintain and review

Lifecycle stage 6, Validation: confirms the BCM Program meets the objectives set in the BC Policy and that the organization’s BCP is fit for purpose. Deliverables: Exercise Program; Maintenance Program; Review Program.

Primary objectives
To ensure, at planned intervals, that the organization’s BCM program is up to date. Maintenance and periodic review of the business continuity program ensures that the organization remains ready to respond to an incident, despite organizational change over time.

Key considerations
● Since most of the maintenance needed will result from internal changes in the organization, maintenance should be embedded within the organization's normal management processes
● Regularly review the BC policy and program for continuing suitability, adequacy and effectiveness
● Five types of review can be conducted to ensure the program is current: audit (internal and external), self assessment, quality assurance, individual performance appraisal, supplier performance review against SLAs

Outputs
● Updated policies and procedures
● Documented maintenance schedule

Page 31

Auditing BCM

Page 32

Planning
The purpose of the planning phase is to allow the Audit team to establish the objectives and outcome of the audit.

Key activities
● Ensure that your audit involves senior level staff.
● Senior staff are often busy, so make sure you give yourself enough lead time to complete the audit.

Execution
There are five key areas of focus when auditing a BCM program:
1. Governance
2. Business Impact Analysis
3. Documentation, including a Business Continuity Plan, Disaster Recovery Plan and Crisis Management Plan
4. Exercise Program
5. Continual Improvement

Key activities: Governance
● Ensure a governance framework is in place to build and manage the BCM program, defining required standardization and providing accountability for effective preparedness, response, and recovery.
● Ensure that ongoing management and governance processes are in place, supported by top management, and appropriately resourced to implement and maintain BCM.
● Governance processes should cover:
○ Policies and strategy: must be properly implemented and processes correctly followed.
○ Roles, Responsibilities and Accountabilities: must be defined and assigned at an appropriate level of authority to carry out activities required for BCM.

Page 33

IMPORTANT TO CONSIDER:

Executive involvement in the BCM program is critical. Not only does this encourage organizational commitment, it also introduces a filter to the information that is collected and documented for the BIA. Business units or departments can sometimes get stuck in the weeds or exaggerate the criticality of their own functions; senior staff often have a more holistic view of criticality across the organization and can help lead the process by filtering out unnecessary information and offering a more realistic assessment of the impacts following a disruption.

Page 34

Execution

Key activities: Business Impact Analysis
● Scope: Identify how much of the organization is considered in the BIA.
○ Confirm that all critical functions are identified.
○ Evaluate each department’s BIA to ensure that adequate and appropriate information has been collected for each critical function.
● Reasonability: Review the Maximum Allowable Outages identified by each department/unit to ensure that they are reasonable.
● Alignment: Check if the BIA is aligned with a risk management framework or impact thresholds.

Key activities: Documentation
● Verify if an assessment has been conducted on the current capability of recovery times for systems, as per the BIA.
● Make sure gaps have been identified and documented.
● Evaluate the adaptability and usefulness of the business continuity plan by ensuring that it is written as a consequence-based document, rather than scenario-based.
● There is such a thing as too much information. Make sure all plans are clear, concise and contain only information that is essential during a response effort.

Page 35

Execution

Key activities: Exercise program

● Confirm the BCM program meets the objectives set in the BC Policy and that the organization's BCP is fit for purpose.
● Ensure processes are in place to periodically evaluate tasks, teams and procedures through training, testing, and/or exercising documented plans and capabilities.
  ○ Check that a structured approach to training exists and is conducted on a regular basis with relevant stakeholders.
  ○ Verify there is a documented exercise schedule and that exercises or drills are regularly conducted.
  ○ Confirm that a debrief to discuss lessons learned occurs after each exercise or real event.

Key activities: Continual improvement

● Verify BCM capabilities and documentation are maintained to ensure continued effectiveness and alignment with business priorities.
● Check if all identified gaps or improvements resulting from debrief sessions are documented.
● Identify whether key performance indicators (KPIs) and/or other metrics have been defined to measure and track program and plan improvement at regular intervals.

Page 36

IMPORTANT TO CONSIDER:

Internal Audit reports on corrective action plans. Learnings and action items that result from an exercise or real event must be integrated into the BCM program and managed through to completion to ensure the continual improvement of the program. It is essential to test these improvements in subsequent exercises.

Page 37

Reporting

Key activities

● Validate observations with key stakeholders to avoid any surprises.
● Develop pragmatic and actionable recommendations for management review.
● Present recommendations to management for discussion.

Throughout the audit process, it is imperative that the audit team remain cognizant of the audience for the report: in most cases, it is top management who seek to gain critical insights from the outcomes of the report.

Page 38

Role of IA in BCM

Page 39

The role of Internal Audit

Roles of IA

IA can bring value to BCM programs in a variety of ways...

IA as Advisor: IA is involved in an organization's BCM effort as an advisor or counsellor, reviewing the program in light of the internal policy and regulatory requirements.

IA as Compliance Officer: IA drives compliance with the existing documented policy and identified regulatory requirements.

IA as BCM Driver: IA is positioned to drive execution of a BCM program and assist in aligning and coordinating independent BCM efforts across emergency response, crisis management, business continuity, and/or disaster recovery.

These roles sit along a spectrum from lower BCM maturity to higher BCM maturity.

Page 40

Other Potential Roles for Internal Audit

In a less mature environment, IA can help by:

● Conducting exercises
● Facilitating exercise and real event debriefs to capture lessons observed
● Reporting progress on corrective action plans

Page 41

Impact of COVID-19 on IA

Page 42

The following lifecycle serves as a guide for response to COVID-19:

(Figure: COVID-19 response lifecycle)

Page 43

Impact of COVID-19 on IA

In many circumstances, the design and operation of internal audit may be impacted by COVID-19.

Execution

Q: Does the impact of COVID-19 change how IA should review the BCM program?

Impact:
● An entity's response to COVID-19 is likely to have impacted and added complexity to its ability to sustain planned updates or maintenance to the BCM program and related materials.

Outcome:
● BCM program targets identified for prior years may no longer be appropriate or may need to be paused for a period of time.
● It is important to consider whether results from a review reflect a one-time event or ongoing economic conditions that prevent the entity from meeting BCM targets or KPIs in the future.

Page 44

Impact of COVID-19 on IA

Reporting

Q: Should IA findings be reported differently given the potential impacts from COVID-19?

Impact:
● An entity may not have met its targets or followed its previously identified plan/schedule for BCM program development, maintenance or updates while responding to COVID-19.
● It is important to apply a consistent approach to BCM internal audit year on year in order to monitor and track progress against defined targets.

Outcome:
● While reporting should acknowledge potential strain from COVID-19 and address operational impact, the audit should cover the same controls as previous years, noting exceptions to BCM program development, maintenance or updates in the affected year.

Page 45

Guides and resources

Page 46

Guides and resources

The following are available to IIA / ISACA members (the FFIEC booklet is also publicly available from the FFIEC):

● FFIEC booklet and work program
● IIA GTAG (available to IIA members)
● ISACA IT Continuity Planning

The following are standards and guidelines, most of which are paid resources:

● BCI Good Practice Guidelines
● DRI Professional Practices
● ISO Standards (e.g., 22301, 22313, 22316, etc.)
● CSA Z1600 & NFPA 1600
● NIST Standards (e.g., SP 800-34; NIST publications are available free of charge from NIST)

Page 47

pwc.com

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisers.

© 2020 PricewaterhouseCoopers LLP, an Ontario limited liability partnership. All rights reserved. PwC refers to the Canadian firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

Thank you