Real-time auditing of a Business Continuity Program

Photo by Martin Damboldt from Pexels


A black swan, through the ages, has been the descriptor for an improbability or an impossibility. The April 2007 book by author Nassim Nicholas Taleb, The Black Swan: The Impact of the Highly Improbable, defines a Black Swan event as “a highly improbable event with three principal characteristics: It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was.” The first quarter of 2020 presented the world with a Black Swan of epic proportions: the COVID-19 pandemic.

COVID-19 quickly evolved into a global macroeconomic crisis. Governments are requiring citizens to shelter in place, non-essential businesses are closed, and layoffs and furloughs are spiking unemployment. In the midst of these events, companies are experiencing stress on their supply chains. Small and large businesses alike are pulling their Business Continuity Program off the shelf (provided they have one), dusting it off, and executing upon it. What are they finding? Most programs do not cover an event like this. There are gaps in the plan, and management is having to decide and execute on the fly.

Internal Audit is well-positioned to play a key support role during a crisis like COVID-19. Internal Audit, while supporting the business, can also play the role of an objective assessor over the proper execution and overall effectiveness of the business continuity program while it is being executed.

While not exhaustive, in the following section, we provide some suggestions for Internal Audit functions to consider during a real-time assessment of the Business Continuity Program.

Business Continuity Program Assessment.

  • Does the Business Continuity Program take a tiered approach to recovery: Critical IT Infrastructure (network, servers, connectivity, etc.), Mission Critical business functions (client-facing, revenue-producing), Business Critical functions (key back-office functions), Important business functions (administrative and back-office functions), Deferrable functions (budgeting, training, etc.)?

  • Are monitoring mechanisms in place?

  • Are financial and treasury impacts monitored?

  • Are policies and procedures up-to-date and applicable (remote work, absenteeism, bereavement, succession planning, expatriates, visitors and vendors, critical skill shortages, etc.)?

  • Is a communications plan up-to-date and in place?

  • Are business and IT operations assessed and monitored actively?

  • Have critical roles and staffing by business unit/region been considered?

  • Are third-party service providers on retainer?

  • Are data and assets appropriately secured?

  • How are closed business operations maintained?

  • What restrictions have been placed on employee travel?

  • Are reputational and legal risks monitored?

Supply Chain Risk Management practices.

  • Is the supply chain geographically diversified?

  • Have key commodities been multi-sourced and geographically dispersed?

  • Are inventory levels adequate to buffer against short-term disruptions?

Supplier Relationships.

  • Are Tier 1 supplier relationships strong?

  • Is there visibility into the supplier network?

  • Is there visibility beyond Tier 1 suppliers?

  • Is there an approach in place to predict supply chain issues early?

  • Is there agility built into supplier relationships to quickly respond to supply chain issues?

  • Are suppliers addressing employee and product environmental, health, and safety to the levels contractually agreed upon?

  • Do cultures align?

  • Do suppliers share their Business Continuity Programs or crisis response plans and are those vetted for appropriateness?

Supplier Viability.

  • Are Tier 1 and key suppliers in a viable position to “ride the storm”?

  • Will post-crisis start-up demand impact the suppliers' ability to deliver on time?

  • Will financial viability create integration within the marketplace, thus consolidating suppliers?

  • Are substitute suppliers identified and connected?

Compliance.

  • Will suppliers be able to meet stringent compliance requirements?

  • Will suppliers meet environmental, health, and safety requirements when impacted by limited workforce or increased demand?

  • Are considerations made for port-of-entry restrictions on goods?

Technology Infrastructure.

  • With remote work and flexible work arrangements, are IT systems and infrastructure capable of handling the non-traditional load?

  • Is the organization prepared for remote work?

  • Is the organization/supplier providing a secure means for remote workers and business partners to connect to protect data?

  • Are plans in place to keep private data private in a remote work environment?

Inventory Management.

  • Are connections between company systems and supplier systems being monitored?

  • Are replenishment and demand forecasts being monitored and updated accordingly?

  • Are inventory metrics being monitored to reduce excessive costs of holding, spoilage, obsolescence, theft?

  • Are inventory buffers too lean?

  • Are demand fluctuations being monitored closely?

  • Are contingent, in-port, and other inventories-in-transit being monitored and safeguarded?

Transportation.

  • Is transportation infrastructure being monitored for impact to incoming or outgoing goods? Are roads, border crossings, ports-of-entry closed or too congested?

  • Are air freight and truck capacities being limited?

  • Are transporters being impacted by a limited or restricted workforce?

  • Are international ports being monitored for impacts to the incoming flow of goods?

  • Are lead times taken into consideration if transportation modes must be switched?

Collaboration.

  • Do internal departments collaborate on identified risks and mitigation plans?

  • Are employees trained on risk identification, risk management, and business continuity programs?

  • Have departments gained experience through testing of Business Continuity Programs?

  • Does the Business Continuity Program include a tone from the top?

Customers.

  • Are short-term demand-supply strategies in sync?

  • Does management have the indicators to identify potential channel shifts, e.g., online grocery ordering?

  • Is management closely connected with customers?

  • Does management understand the impact to customers' businesses?

  • Are demand plans being reviewed and updated?

  • Are inventories maintained at a level to quickly supply existing customers to retain confidence?

While not exhaustive, the suggestions highlighted above provide some insight into how Internal Audit functions can add value and actively support executive management through real-time monitoring and assessment of the execution of, compliance with, and the overall effectiveness of the Business Continuity Program.