Disaster recovery assurance used to be a staple on the audit plan. Now the buzz is all about business resilience. But is this just consultant speak … and if so, what happened to business continuity?
This paper looks at the evolution of managing significant disruptive events and asks whether internal audit is providing the assurance that matters to the board.
A changing world
Nothing is certain. Often the difference between an organisation's survival and failure is its response when things go wrong. Organisations have a symbiotic relationship with their environment: they are impacted by natural disasters such as flood (Texas/Japan), drought (California/Australia/UK) or volcanic activity (Iceland), and by man-made events ranging from supply chain failures (CO2) to cyberattacks (NHS), terrorism and Brexit.
VUCA is a term often used to describe the world today: Volatile, Uncertain, Complex and Ambiguous. With so much disruption and the increasing potential for catastrophic events, it’s no surprise that business continuity has evolved to match the world in which it operates.
Source: Harvard Business Review January-February 2014 Issue
Initially, organisations focused on prevention, together with planning and documenting their approach to major disaster events such as losing a head office facility, a call centre or a major trade route such as the Suez Canal being closed: all high-impact but relatively low-likelihood events. Internal audit provided assurance that plans were relevant, updated and stored off-site but thankfully such plans were rarely tested.
Alongside this, proactive organisations also set up crisis management structures and extended disaster recovery to detail business continuity plans for all functions. The creation, maintenance and co-ordination of so many disparate plans became an industry in itself.
That industry is business continuity management (BCM). According to the Business Continuity Institute, it is a process (diagram opposite) that guides organisations in identifying threats, designing responses,…