6th Chief Audit Executive Conference - iiauae.org Chief Audit Executive Conference Internal Audit...

Post on 17-Mar-2018



Chief Audit Executive Conference

Internal Audit – Business Continuity Management (BCM) and Disaster Recovery (DR)

Operational and Risk Management Perspective

10th November 2016 – Track 2


BCM and DR in the UAE

BUSINESS CONTINUITY MANAGEMENT – BCM: is a management process that identifies risks, threats and vulnerabilities that could impact an entity's continued operations and provides a framework for building organizational resilience and the capability for an effective response. Source - Disaster Recovery Institute International (DRII)

DISASTER RECOVERY – DR: The strategies and plans for recovering and restoring the organization's operations, infrastructure and information technology capabilities after a serious interruption. DR is often considered in the context of an organisation's IT and telecommunications recovery. Source - Business Continuity Institute (BCI)

INTERNATIONAL STANDARD – ISO 22301 specifies the requirements for a management system to protect against the impact of disruptive incidents.

UAE – Business Continuity Management Standard AE/SCNS/NCEMA 7001:2015 – Supreme Council for National Security. Also, FED RES SCA No. 7 of 2016 – Corporate Discipline and Governance Standards of Public Joint-Stock Companies (Article 49 Duties of the Audit Committee)

Do You Support Your Business In Identifying BCM and DR Risks at an Operational Level?

The IIA International Standards for Professional Practice do not specifically state that CAEs should involve their Internal Audit units in BCM and DR work. However, Standards 2100 and 2110 do apply.

Standard 2100: Nature of Work

• The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

Standard 2110: Governance

• The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization;

• Ensuring effective organizational performance management and accountability;

• Communicating risk and control information to appropriate areas of the organization; and

• Coordinating the activities of and communicating information among the board, external and internal auditors, and management.


Context of BCM and DR at an Operational Level in the UAE

Over the course of the last 10 years we have witnessed a global recession. The nature and scale of the downturn has never been seen before. Companies such as Lehman Brothers were felled and Iceland was generally considered to be bankrupt. Stock market and international volatility has seen the price of oil drop from over $140 a barrel in 2008 to less than $30 at its lowest point. Emergencies, crises and disasters on this scale create ripples around the world which last for many years and have massive collateral impact on all business sectors. More than ever before, operations and risk managers need to be flexible, adaptable and agile in order to stay ahead of the next impending disaster or crisis. Being able to map opportunities based on informed predictions may be a game changer for business. To understand the opportunities, Internal Audit needs to know the full extent of your risks in order to enhance and protect your business.

Being ready for anything (e.g. Brexit) is pivotal to success. Incidents such as Samsung's new phones catching fire can strike at any time.


Is Internal Audit Involvement in Reviewing BCM and DR Risk Really Necessary and Value Adding?

When the Unexpected Happens Will Your Business Be Prepared? How Much of a Role Should Internal Audit Take in Helping The Business Succeed Before and After Disaster Strikes? – Adding Value to Operations and Risk Management is a Fundamental Requirement

Whilst Internal Audit cannot and should not own or directly manage BCM and DR activities, the function is ideally placed to take the lead in providing insight and risk expertise. With that in mind – Do you have plans for contributing to BCM and DR within the Internal Audit Strategy?

MOORE STEPHENS

Do Your Senior Managers Understand the Scale and Potential for Disaster and Crisis?

The increasing scale and frequency of disaster and crisis present a massive economic consequence for those businesses and people affected. The rate of climate change and geopolitical upheaval is now

Scale of the Risk: The Evaluation Report undertaken by the UNDP regarding 'disaster prevention and recovery' highlights that in the first 6 months of 2010, 160 natural disasters were reported, killing almost 230,000 people and affecting the lives of 107 million others with a cost of $55 billion in damage.

The above data demonstrates that natural disasters alone create considerable disruption and economic damage. This, coupled with the number of manmade disasters or geopolitical events, provides an insight into the level of risk every operations and risk manager should be considering when assessing the requirement for the risk management of BCM and Disaster Recovery Planning, Budgets and Resources.


The BCM and DR Jigsaw – Putting the Pieces Together for a Complete Assurance Picture

A Critical Question for CAEs is: Do Operations and the Risk Management Functions Fully Appreciate the Value of Being Prepared?

A major risk challenge for Internal Audit to overcome is the perception that BCM and Disaster Recovery activities may be viewed by Operations as a financial and resource COST with very little return. IA has a vital role in helping shift that paradigm.


What Senior Stakeholders Need to Know

1. If the business suffers a major incident or is impacted by a disaster, how prepared would all operational departments be to cope with the situation? Has the risk function focused on the right areas?

2. How resilient would the operation be in the face of a major incident and would the response to the crisis and subsequent recovery activities be


Where to Start?

Do all operational managers know the full extent of the regulatory requirements and risk tolerance in your enterprise and how much work and resource they should direct toward BCM/DR planning and development? (This should include testing and analysis of scenarios and drills.)

Internal Audit's Role in Assisting Operations - Getting the balance right is

• Have IA confirmed Executive Management and Board risk appetite?

• Have IA confirmed the organisation's BCM and Disaster Recovery Strategies and Plans have been developed and are in place – remembering that 'Bias for Optimism' is not a Strategy;

• A fundamental question for CAEs to ask is, when did the business last have a CHECK-UP? Having machinery serviced even when everything is running well is normal. This also applies to BCM;

• Have IA independently assessed Business Continuity risk exposure?

• Have IA confirmed whether management's risk assessment is comprehensive and complete, i.e. encompasses 'Black Swan' events?


Where to Start?

• Have the weakest links been identified in your BCM and DR chain? Do IA know where the 'pinch-points' and bottle-necks are within your systems and ensure they are addressed, so that preparedness is not compromised and resilience is maintained;

• Do IA know your company's suppliers and their vulnerabilities or disaster resilience? Make a point of confirming that management know who provides them with their factors of production or service delivery throughout the tiers of supply; and

• Have IA confirmed the 'Dilbert' approach to BCM and DR isn't the only option for the business? Up to 40% of businesses affected by a natural or human-caused disaster never reopen. (Source: USA Federal Emergency Management Agency (FEMA) & Insurance Information


The Global Risks Landscape 2016 – Helping Operations Navigate the Unpredictable

Top 10 Risks in Terms of Likelihood

1. Large Scale Involuntary Migration
2. Extreme Weather Events
3. Failure of Climate Change Mitigation and Adaptation
4. Interstate Conflict
5. Natural Catastrophes
6. Failure of National Governance
7. Unemployment or Underemployment
8. Data Fraud or Theft
9. Water Crisis
10. Illicit Trade

Top 10 Risks in Terms of Impact

1. Failure of Climate Change Mitigation and Adaptation
2. Weapons of Mass Destruction
3. Water Crisis
4. Large Scale Involuntary Migration
5. Energy Price Shock
6. Biodiversity Loss and Ecosystem Collapse
7. Fiscal Crises
8. Spread of Infectious Diseases
9. Asset Bubble
10. Profound Social Instability

Source: World Economic Forum: Global Risks Perception Survey 2015.


BCM and DR – Understanding the Risk Interdependencies

Source: World Economic Forum: Global Risks Report 2016.

You're Only As Strong As Your Weakest Link

Uncertainty around risk in the mid to long term can make it hard for operational managers to predict which threats to plan for. New risks emerge continually. Therefore, dynamic risk management systems need to be in place in order for businesses to remain prepared and maintain resilience.

"There are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know." Donald Rumsfeld, US Defence Secretary, 2002

By undertaking independent assessment and analysis, CAEs are in a prime position to be able to help operational management in identifying the 'Unknown Unknowns' and critical risk areas.


Case Study 1

Business Continuity Management & Disaster Recovery Success

Johnson and Johnson (J&J) - Tylenol Sabotage Crisis

Tylenol packages were tampered with and the contents replaced with cyanide pills.

Communication; Communication; Communication = A Recipe for a Winning BCM Strategy

• In the 1980s cyanide-laced Tylenol capsules were placed in a number of packages and resealed. The perpetrator then deposited them on the shelves of several sales outlets in the Chicago area. A number of customers who took the poisoned pills subsequently died;

• Prior to the crisis Tylenol was the most successful over-the-counter pain relief product of its kind in the United States with reportedly over one hundred million

• J&J's immediate reaction and response was to alert consumers across the nation, via various media, not to consume any type of Tylenol

• J&J stopped production and advertising of Tylenol and ordered a publicly communicated national withdrawal of every capsule. J&J demonstrated that they were not prepared to take risks with public safety despite the multi-million dollar cost.


Case Study 2

Business Continuity Management and Disaster Recovery Failure

TEPCO (Tokyo Electric Power), Owner and Operator of the failed Fukushima Nuclear Power Plant.

What Can We Learn About BCM Planning and Operational Effectiveness From the Failures at Fukushima

In 2007, TEPCO was forced to shut the Kashiwazaki-Kariwa Nuclear Power Plant after the Niigata Earthquake. Therefore, the company was familiar with the impacts and consequences of natural disasters which affect Japan and the

It is reported that between 2008 and 2011 TEPCO made a prediction that an earthquake and associated tsunami could occur at the Fukushima Daiichi nuclear plant site. This was based on knowledge of a similar but earlier event in the region which took place in 1896 and caused massive

In March 2011, following the Tōhoku Earthquake and Tsunami, TEPCO's power plant at Fukushima Daiichi was the site of one of the world's most serious nuclear disasters.


Cause of the Fukushima BCM and DR Failure

The Fukushima Nuclear Accident Independent Investigation Commission (NAIIC) report is damning and found that:

• The causes of the accident had been foreseeable, i.e. robust BCM and DR could have prevented the devastation;

• The plant operator, TEPCO, had failed to meet basic safety

• The accident was the result of collusion between the government, the regulators and TEPCO; and

• There was a lack of governance by said parties. Therefore, the accident was clearly "manmade".

The government, the regulators, and TEPCO management lacked the preparation and the mind-set to efficiently operate an emergency response to an accident of this scope. None, therefore, were effective in preventing or limiting the consequential damage.

Lessons for Operations and Risk Managers from

Despite management knowing the potential impact of a major earthquake and associated tsunami on Fukushima's Nuclear Plant, insufficient was done to protect the site.

Key Lessons:

• Management and the regulator's failure to learn, respect and apply the experiences of Three Mile Island and Chernobyl;

• Poor 'Corporate Culture' and respect for safety;

• Secrecy, poor communications and a lack of transparency resulted in suspicion of a cover-up regarding the amount of contamination and continued levels of radioactive pollution post event;

• Ignoring known safety threats;

• An ineffective regulator not willing to challenge or force compliance;

• Acceptance that it was customary to cover up small scale accidents;

• Deficiencies in the processes and procedures to react to major




Utilising BCM and DR Operational Assurance To Prevent Your Business Becoming a Dinosaur

• Risk Assess & Analyse
• Provide Recs to Resolve Issues in line with Risk Appetite
• Confirm Improvements Implemented
• Test and Confirm
• Follow-up to ensure Upkeep

Do you apply this type of cycle?


Harnessing The Power of Predictive Analytics to Support Operations in Delivering Robust BCM and DR Risk Management

Operational risk assessment and planning assumptions based on speculation or current/topical threats can be useful. However, given globalisation and the rapid pace of change in international markets and technology, Moore Stephens believes it is necessary for Internal Audit to be flexible and place more emphasis on 'Predictive Analytics'. Utilise data from sources such as EM-DAT (International Disaster Database), the Global Risk Data Platform, and DesInventar to supplement 'in-house' or cross-organisational knowledge.

• Utilise statistical techniques from predictive modelling to assess the probability or likelihood of future disaster or crisis events to help the business target BCM and DR resources and plans;

• Seek to exploit patterns found in your company's or sector's transactional or historic data to identify risks and seek ways to mitigate the likelihood and impact of potential emergency events;

• Develop predictive scores based on assumptions and scenarios which can help inform or influence how operations visualise BCM and DR events holistically;

• Leverage actuarial know-how to add real value and methodical analysis to the BCM and DR process; and

• Work with operations and risk specialists to optimise the effectiveness and credibility of predictive analytics – a collaborative approach.


BCM/DR and Internal Audit's Position

Three Lines of Defence Model – Making it Work to Improve Operational and Risk Management Preparedness for a Crisis or Emergency Event

Support Management to Enhance and Protect the Business: Effective Governance and Risk Management

Utilise the five COSO Categories to help management balance cost and benefit when undertaking Business Continuity and Disaster Recovery planning. Support operations by independently assessing risk and developing a BCM/DR Risk Assurance Matrix. Look to 'Predictive Analytics' to assess the category, potential and possible severity of future emergencies and disasters. CAEs are uniquely placed to provide advice and support to help develop the risk picture of the enterprise. By producing a BCM and DR Risk Assurance Matrix, Internal Audit can make sure they are aligned to the right issues. A BCM/DR assurance matrix can then be used to prioritise assurance resources and activities. Knowing those events which will have a critical impact on the business provides a head start in a crisis or disaster. Thinking forward and understanding interdependencies can be vital in maintaining value, brand image and reputation when the unexpected happens.


Business Continuity Management – Maintaining Brand Equity

CAEs Advocating the 'Right Thing To Do'

The build quality of our all-in-one computers has been compromised and the newly launched Sonic range are catching fire after they have been running for over 5

What should we do?

Do what is right. Stop production, recall all affected Sonic lines and publish an emergency message to all users to stop using their computers. Speak to the PR team before getting Legal counsel involved.



Where can CAEs Add Value?

Helping operations and risk managers succeed by advising on Targets and Performance Indicators for each phase of the Business Continuity and Disaster Risk Cycle:

• Avoidance and Deterrence – IA can look at ways the business can avoid certain risks;

• Mitigation – IA can contribute to Risk Management by applying insight and cumulative knowledge to the development of preventative

• Reaction – IA can assist by confirming that emergency response and crisis management plans are in place, tested and work;

• Remedy and Recovery – IA can assess the feasibility and reliance which can be placed on Disaster Recovery Plans;

• Business as Usual – IA can help by confirming that restoration and normalisation of business activities and services have been effectively assessed, resourced and planned.


Managing the Ripples from a Disaster or Crisis Incident

The Importance of Internal Audit Involvement

Ensuring Internal Audit involvement and insight is applied to BCM and DR to enhance and protect at an operational level can help:

• Lessen or minimise the effect of an incident on operations;

• Evaluate disaster preparedness, as well as provide an objective base for vulnerability assessment and contribute to operational priority setting;

• Operations are facilitated to recover from a disaster or crisis more rapidly than if no IA BCM assurance or advice were in place;

• Operations potentially gain a competitive advantage;

• Reduce reputational impacts and damage to brand image through the application of IA advice and experience;

• Obtain a better understanding of the operation, and of the extent of interdependent risks which can culminate during an incident;

• Reduce the cost of the insurance burden by being able to demonstrate sound systems of BCM and DR through independent IA assurance;

• Apply informed risk management principles to lessen your organisation's end to end vulnerability to certain disaster or crisis related risks – Risk Assurance Matrix;

• Periodic independent resilience assessments confirm the state of preparedness and ability to continue operations in the face of a


Ensuring Internal Audit involvement and insight is applied to BCM and DR at an operational level can also help:

• Dispel the myth that insurance will protect operations. In respect of risk management, insurance can cushion a blow but is not a substitute for well thought out BCM and Disaster Recovery Planning;

• Make sure managers and operational staff really do know what to do in an emergency or crisis. Also, raise general awareness and tackle

• Ensure that management understand that Business Continuity is much more than Disaster Recovery – keeping the business going during a disaster is vital if you want to be in a position to undertake recovery action once the threat or emergency has passed;

• Establish and maintain a focus on the Clarification of Management

• Establish a reasoned allocation of the portfolio of critical risks across the business to spread dependency and ensure responsibility does not rest with a limited nucleus of managers; and

• Ensure that a Crisis/Disaster approach is in place that identifies interdependencies between risks, systems, different parts of the business, regions, suppliers etc. and is sufficiently flexible to adapt to changing


Are you applying an AGILE Approach to Respond to Operational and Management Requirements for BCM and Disaster Recovery Assurance?

Make sure the Board, Audit and Risk Committee and Stakeholders' requirement for BCM and DR ASSURANCE is understood and addressed within the IA Strategy and Annual Plan. Highlight any gaps or areas that will not be covered. Use Outsourcing and Co-sourcing to obtain the right mix of assurance skills or to supplement internal resources.

Good Governance

Apply the COSO model to the business in order to ensure that BCM and DR governance and transparency issues are addressed within the operational and risk management BCM and DR Strategy and Plans. Develop a BCM/DR Risk Assurance Matrix to support management's analysis and help protect against future adverse events.

Independence

Apply the three lines of defence model and work with the business on a BCM and DR Assurance Map, making sure that the Internal Audit function maintains independence. Undertake independent horizon scanning to make sure the business has sufficient coping capacity and can be adaptive.

Looking Forward

Tap into Predictive Analytics and Actuarial Professional capabilities. Utilise the human capital of the business (utilise secondment of BCM and DR Specialists into Internal Audit). Innovate to help enhance and protect business capacity and resilience.

Seek to be part of the BCM and DR testing and check-up process and promulgate lessons learned. Utilise Internal Audit's advisory capability to highlight the upside of being prepared. Make sure the business budgets for disaster and tackles complacency. The cost of failure can mean the end of the business.


Perceptions of Significant Risk

The next slide is duplicated in the hand-outs already on your tables. Please highlight the top 3 threats you consider most likely to affect the UAE or your operations in the short to medium term (i.e. 18 months to 3 years). Please feel free to add any additional risks you consider relevant which may not be captured on the hand-out.

Discussion and Questions?

Points to Ponder

1. Do your operational managers actively maintain a BCM Plan and DR Plan? Are BCM and DR risks on their radar and the Board's agenda?

2. How much involvement does your Internal Audit function have within the organisation's BCM processes and DR activities? Is it sufficient to meet the Professional Standards or regional regulatory requirements?

3. How do you measure resilience within your business?

4. Could you develop and use a BCM/DR Risk Matrix and Predictive Analytics with your risk teams or operational


Contact Us

Robert Noye-Allen Partner – Governance, risk and assurance


E robert.noye-allen@moorestephens.com

T +44 (0)20 7334 9191


Anthony Blenkey Director for UAE and Qatar


E anthony.blenkey@moorestephens.com

T +44 (0)20 7334 9191


Amin Musa Associate Director – Middle East Sales

E amin.musa@moorestephens.com

T +44 (0) 2076511161

M +44 (0) 7741248072


Scott Garnett Senior Manager – Governance, risk and assurance


E anthony.blenkey@moorestephens.com

T +44 (0)20 7334 9191



Key References

• International Institute of Internal Audit – (www.theiia.com)

• Chartered Institute of Internal Audit (UK) – (iia.org.uk)

• Institute of Risk Management - (www.theirm.org)

• Business Continuity Institute (BCI) – (www.thebci.org)

• Disaster Recovery Institute (www.drii.org)

• USA Federal Emergency Management Agency (FEMA) – (www.fema.gov)

• Insurance Information Institute – (www.iii.org)

• The World Economic Forum – (www.weforum.org)

• The Organisation for Economic Cooperation and Development (OECD) – (www.oecd.org)

• Evaluation Report - UNDP (United Nations Development Programme) – (www.undp.org)

• COSO – Committee of Sponsoring Organisations of Treadway Commission – (www.coso.org)