What do the retail cyberattacks of the 2013 holiday season, Hurricane Sandy and a 2010 volcanic eruption in Iceland have in common? All three created business crises. The cyberattacks caused a mad scramble to protect personal credit information, Sandy created widespread flooding, and ash spewed into the atmosphere by the eruption led to global delays in airline travel.
Increasingly, business continuity management is viewed as an integral part of any successful company. Whether a company is preparing for an act of nature or an act of cyberterrorism, a well-designed crisis management plan can mean the difference between bouncing back quickly and shutting its doors forever.
The Institute of Internal Auditors (IIA) has released a new practice guide that shows how internal audit can provide significant assistance in business continuity management.
Internal audit functions typically have the skills, qualifications, and in-depth knowledge of the organization to help develop, implement and evaluate the effectiveness of such plans.
“Demands on internal audit are expanding as terrorism, cyberattacks and other factors influence risk and good governance in business,” said IIA President and CEO Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA. “This new guidance, ‘Business Continuity Management,’ outlines how internal audit can help before, during, and after a major crisis.”
The goal of business continuity management is to restore critical operations, manage communications, and minimize financial and other effects of disaster.
According to the new practice guide, a good crisis management plan is like a company insurance policy — it helps to ensure that the organization remains viable and meets stakeholder expectations.
The guide provides a breakdown of how internal audit can help set the ground rules for its participation, provide input and evaluate key elements of the plan, participate in implementing tactics of the plan, and evaluate its results.
Additionally, the guide provides an appendix with a sample work program for business continuity management assurance or advisory engagements.