6th chief audit executive conference - iiauae.org chief audit executive conference internal audit...
TRANSCRIPT
6th
Chief Audit Executive Conference
Internal Audit – Business Continuity Management (BCM) and Disaster Recovery (DR)
Operational and Risk Management Perspective
10th November 2016 – Track 2
MOORE STEPHENS
BCM and DR in the UAE
BUSINESS CONTINUITY MANAGEMENT – BCM: is a management process that
identifies risk, threats and vulnerabilities that could impact an entity's continued
operations and provides a framework for building organizational resilience and
the capability for an effective response. Source - Disaster Recovery Institute International (DRII)
DISASTER RECOVERY – DR: The strategies and plans for recovering and
restoring the organizations operations, infra-structure and information
technology capabilities after a serious interruption. DR is often considered in the
context of an organisation’s IT and telecommunications recovery. Source -
Business Continuity Institute (BCI)
INTERNATIONAL STANDARD- ISO 22301 specifies the requirements for a
management system to protect against, the impact of disruptive incidents.
MOORE STEPHENS
UAE – Business Continuity Management Standard AE/SCNS/NCEMA
7001:2015 – Supreme Council for National Security. Also, FED RES SCA
No. 7 of 2016 –Corporate Discipline and Governance Standards of Public
Joint-Stock Companies (Article 49 Duties of the Audit Committee)
Do You Support Your Business In Identifying BCM and DR Risks at an Operational Level?
The IIA International Standards for Professional Practice do not specifically state that CAEs should involve their Internal Audit units in BCM and DR work. However, Standard 2100 and 2110 do apply.
Standard 2100: Nature of Work
• The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
Standard 2110: Governance
• The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
MOORE STEPHENS
Context of BCM and DR at an Operational
Level in the UAE
Over the course of the last 10 years we have witnessed a global recession. The nature and scale of the downturn has never been seen before. Companies such as Lehman Brothers were felled and Iceland was generally considered to be bankrupt. Stock market and international volatility has seen the price of oil drop from over $140 a barrel in 2008, to less than $30 at it’s lowest point. Emergencies, crisis and disasters on this scale create ripples around the world which last for many years and have massive collateral impact on all business sectors. More than ever before operations and risk managers need to be flexible, adaptable and agile in order to stay ahead of the next impending disaster or crisis. Being able to map opportunities based on informed predictions may be a game changer for business. To understand the opportunities Internal Audit needs to know the full extent of your risks in order to enhance and protect your business.
Being ready for anything (e.g. Brexit) is pivotal to success. Incidents such as Samsung’s new phones catching fire can strike at any time.
MOORE STEPHENS
Is Internal Audit Involvement in Reviewing BCM
and DR Risk Really Necessary and Value Adding?
When the Unexpected Happens Will Your Business Be Prepared? How Much of a Role Should Internal Audit Take in Helping The Business Succeed Before and After Disaster Strikes? – Adding Value to Operations and Risk Management is a Fundamental Requirement
Whilst Internal Audit cannot and should not own or directly manage BCM and DR activities, the function is ideally placed to take the lead in providing insight and risk expertise. With that in mind – Do you have plans for contributing to BCM and DR within the Internal Audit Strategy? MOORE STEPHENS
Do Your Senior Managers Understand the
Scale and Potential for Disaster and Crisis?
The increasing scale and frequency of disaster and crisis present a
massive economic consequence for those businesses and people
affected. The rate of climate change and geopolitical upheaval is now
unprecedented.
Scale of the Risk: The Evaluation Report undertaken by the UNDP regarding
‘disaster prevention and recovery’ highlights that in the first 6 months of 2010
160 natural disasters were reported, killing almost 230,000 people and affecting
the lives of 107 million others with a cost of $55 billion in damage.
The above data demonstrates that natural disasters alone create considerable
disruption and economic damage. This coupled with number of manmade
disasters or geopolitical events provides an insight into the level of risk every
operation and risk manager should be considering when assessing the
requirement for the risk management of BCM and Disaster Recovery Planning,
Budgets and Resources.
MOORE STEPHENS
The BCM and DR Jigsaw – Putting the Pieces
Together for a Complete Assurance Picture
A Critical Question for CAEs is: Do Operations and the Risk Management Functions Fully Appreciate the Value of Being Prepared?
A major risk challenge for Internal Audit to overcome is the perception that BCM and Disaster Recovery activities may be viewed by Operations as a financial and resource COST with very little return. IA has a vital role in helping shift that paradigm.
MOORE STEPHENS
What Senior Stakeholders Need to Know
1. If the business suffers a major incident or is impacted by a disaster
how prepared would all operational departments be to cope with the
situation? Has the risk function focused on the right areas?
2. How resilient would the operation be in the face of a major incident and
would the response to the crisis and subsequent recovery activities be
effective?
MOORE STEPHENS
Where to Start?
Do all operational managers know the full extent of the regulatory
requirements and risk tolerance in your enterprise and how much work and
resource they should direct toward BCM/DR planning and development? (This
should include testing and analysis of scenarios and drills).
Internal Audit’s Role in Assisting Operations - Getting the balance right is
crucial.
• Have IA confirmed Executive Management and Board risk appetite?
• Have IA confirmed the organisations BCM and Disaster Recovery
Strategies and Plans have been developed and are in place –
Remembering that ‘Bias for Optimism’ is not a Strategy;
• A fundamental question for CAEs to ask is, when did the business last
have a CHECK-UP? Having machinery serviced even when everything is
running well is normal. This also applies to BCM;
• Have IA Independently assessed Business Continuity risk exposure?
• Have IA confirmed whether management’s risk assessment is
comprehensive and complete i.e. encompasses ‘Black Swan’ events?
MOORE STEPHENS
Where to Start?
• Have the weakest links been identified in your
BCM and DR chain? Do IA know where the
‘pinch-points’ and bottle-necks are within your
systems and sure they are addressed, to
ensure preparedness is not compromised and
resilience maintained;
• Do IA know your companies suppliers and
their vulnerabilities or disaster resilience.
Make a point of confirming that management
know who provides them with their factors of
production or service delivery throughout the
tiers of supply; and
• Have IA confirmed the ‘Dilbert’ approach to
BCM and DR isn’t the only option for the
business. Up to 40% of businesses affected by
a natural or human-caused disaster never
reopen. (Source: USA Federal Emergency
Management Agency (FEMA) & Insurance Information
Institute)
MOORE STEPHENS
The Global Risks Landscape 2016 – Helping
Operations Navigate the Unpredictable
Top 10 Risks in Terms of Likelihood Top 10 Risks in Terms of Impact
1. Large Scale Involuntary Migration 1. Failure of Climate Change Mitigation Adaptation
2. Extreme Weather Events 2. Weapons of Mass Destruction
3. Failure of Climate Change Mitigation Adaptation
3. Water Crisis
4. Interstate Conflict 4. Large Scale Involuntary Migration
5. Natural Catastrophes 5. Energy Price Shock
6. Failure of National Governance 6. Biodiversity Loss and Ecosystem Collapse
7. Unemployment or Underemployment 7. Fiscal Crises
8. Data Fraud or Theft 8. Spread of Infectious Diseases
9. Water Crisis 9. Asset Bubble
10. Illicit Trade 10. Profound Social Instability
Source: World Economic Forum: Global Risks Perception Survey 2015.
MOORE STEPHENS
BCM and DR – Understanding the Risk Interdependencies
MOORE STEPHENS
Source: World Economic Forum: Global Risks Report 2016.
You’re Only As Strong As Your Weakest Link
Uncertainty around risk in the mid to long term can make it
hard for operational managers to predict which threats to plan
for. New risks emerge continually. Therefore, dynamic risk
management systems need to be in place in order for
businesses to remain prepared and maintain resilience.
“There are known knowns; there are things that we know that
we know. We also know there are known unknowns; that is to
say we know there are some things we do not know. But there
are also unknown unknowns, the ones we don’t know we don’t
know.” Donald Rumsfeld, US Defence Secretary, 2002
By Undertaking independent assessment
and analysis CAEs are in a prime
position to be able to help operational
management in identifying the ‘Unknown
Unknowns’ and critical risks areas.
MOORE STEPHENS
Case Study 1
Business Continuity Management &
Disaster Recovery Success Johnson and Johnson (J&J) -Tylenol Sabotage Crisis Tylenol packages were tampered with and the contents replaced with Cyanide pills
MOORE STEPHENS
Communication; Communication; Communication =
A Recipe for a Winning BCM Strategy
• In the 1980s Cyanide-laced Tylenol
capsules, were placed in a number of
packages and resealed. The perpetrator
then deposited them on the shelves of a
several sales outlets in the Chicago area. A
number of customers who took the
poisoned pills subsequently died;
• Prior to the crisis Tylenol was the most
successful over-the-counter pain relief
product of it’s kind in the United States with
reportedly over one hundred million
users;
MOORE STEPHENS
Communication; Communication ; Communication =
A Recipe for a Winning BCM Strategy
• J&J’s immediate reaction and response was to alert consumers across
the nation, via various media, not to consume any type of Tylenol
product.
• J&J stopped production and advertising of Tylenol and ordered a
publically communicated national withdraw of every capsule. J&J
demonstrated that they were not prepared to take risks with public
safety despite the multi-million dollar cost.
MOORE STEPHENS
Case Study 2
Business Continuity Management and
Disaster Recovery Failure
TEPCO (Tokyo Electric Power), Owner
and Operator of the failed Fukushima
Nuclear Power Plant.
MOORE STEPHENS
What Can We Learn About BCM Planning and Operational
Effectiveness From the Failures at Fukushima
In 2007, TEPCO was forced to shut the Kashiwazaki-Kariwa Nuclear Power Plant
after the Niigata Earthquake. Therefore, the company was familiar with the
impacts and consequences of natural disasters which affect Japan and the
region.
It is reported that between 2008 and 2011 TEPCO made a prediction that
an earthquake and associated tsunami could occur at the Fukushima
Daiichi nuclear plant site. This was based on knowledge of a similar but
earlier event in the region which took place in 1896 and caused massive
destruction.
In March 2011, following the Tōhoku Earthquake and Tsunami, TEPCO’s
power plant at Fukushima Daiichi was the site of one of the world's most
serious nuclear disasters.
MOORE STEPHENS
Cause of the Fukushima BCM and DR Failure
The Fukushima Nuclear Accident Independent Investigation
Commission (NAIIC) report is damning and found that:
• The causes of the accident had been foreseeable i.e. robust
BCM and DR could have prevented the devastation;
• The plant operator, TEPCO, had failed to meet basic safety
requirements;
• The accident was the result of collusion between the
government, the regulators and TEPCO; and
• There was a lack of governance by said parties. Therefore,
the accident was clearly “manmade.”.
The government, the regulators, and TEPCO management,
lacked the preparation and the mind-set to efficiently operate
an emergency response to an accident of this scope. None,
therefore, were effective in preventing or limiting the
consequential damage.
Lessons for Operations and Risk Managers form
Fukushima
Despite management knowing the potential impact of a major
earthquake and associated tsunami on Fukushima’s Nuclear Plant
insufficient was done to protect the site.
Key Lessons:
• Management and the regulator’s failure to learn, respect and apply the
experiences of Three Mile Island and Chernobyl;
• Poor ‘Corporate Culture’ and respect for safety;
• Secrecy, poor communications, a lack of transparency resulted in
suspicion of a cover-up regarding the amount of contamination and
continued levels of radioactive pollution post event;
• Ignoring known safety threats;
• An ineffective regulator not willing to challenge or force compliance;
• Acceptance that it was customary to cover-up small scale accidents;
(CULTURE) and
• Deficiencies in the processes and procedures to react to major
incidents.
MOORE STEPHENS
MOORE STEPHENS
Utilising BCM and DR Operational Assurance To
Prevent Your Business Becoming a Dinosaur
PREVENTION IS BETTER THAN THE CURE
Risk Assess & Analyse
Provide Recs to Resolve
Issues in line with Risk Appetite
Confirm Improvements Implemented
Test and Confirm
Resilience
Follow-up to ensure Upkeep
Do you apply this type of cycle?
MOORE STEPHENS
Harnessing The Power of Predictive Analytics to Support
Operations in Delivering Robust BCM and DR Risk Management
Operational risk assessment and planning assumptions based on speculation or
current/topical threats can be useful. However, given globalisation, the rapid pace of
change in international markets and technology, Moore Stephen’s believe it is
necessary for Internal Audit to be flexible and place more emphasis on ‘Predictive
Analytics’. Utilise data from sources such as EM-DAT (International Disaster Database),
the Global Risk Data Platform, and DesInventar to supplement ‘in-house’ or cross
organisational knowledge.
• Utilise statistical techniques from predictive modelling to assess the
probability or likelihood of future disaster or crisis events to help the
business target BCM and DR resources and plans;
• Seek to exploit patterns found in your companies or sector’s transactional or
historic data to identify risks and seek ways to mitigate likelihood and impact
of potential emergency events;
• Develop predictive scores based on assumptions and scenarios which can
help inform or influence operations visualise BCM and DR events holistically;
• Leverage actuarial know-how to add real value and methodical analysis to the
BCM and DR process; and
• Work with operations and risk specialists to optimise the effectiveness and
credibility of predictive analytics – Collaborative approach.
MOORE STEPHENS
BCM/DR and Internal Audit’s Position
Three Lines of Defence Model – Making it Work to Improve Operational and Risk Management Preparedness for a Crisis or Emergency Event
MOORE STEPHENS
Support Management to Enhance and Protect the
Business: Effective Governance and Risk Management
Utilise the five COSO Categories to help management balance cost and
benefit when undertaking Business Continuity and Disaster Recovery
planning. Support operations by independently assessing risk and
developing BCM/DR Risk Assurance Matrix. Look to ‘Predictive Analytics’ to
assess the category, potential and possible severity of future emergencies
and disasters. CAEs are uniquely placed to provide advice and
support to help develop the risk picture of the
enterprise. By producing a BCM and DR Risk
Assurance Matrix, Internal Audit can make sure they
are aligned to the right issues. A BCM/DR assurance
matrix can then be used to prioritise assurance
resources and activities. Knowing those events which
will have a critical impact on the business provides a
head start in a crisis or disaster. Thinking forward and
understanding interdependencies can be vital in
maintaining value, brand image and reputation when
the unexpected happens.
MOORE STEPHENS
Business Continuity Management – Maintaining Brand
Equity CAEs Advocating the ‘Right Thing To Do’
The build quality of
our all-in-one
computers has been
compromised and
the newly launched
Sonic range are
catching fire after
they have been
running for over 5
hours.
What should we do?
Do what is right.
Stop production, recall
all affected sonic lines
and publish an
emergency message
to all users to stop
using their computers.
Speak to the PR team
before getting Legal
counsel involved.
MANAGEMENT INTERNAL AUDIT
MOORE STEPHENS
Where can CAEs Add Value?
Helping operations and risk managers succeed by
advising on - Targets and Performance Indicators
for each phase of the Business Continuity and
Disaster Risk Cycle:
• Avoidance and Deterrence – IA can look at ways
the business can avoid certain risks;
• Mitigation – IA can contribute to Risk
Management by applying insight and cumulative
knowledge to the development of preventative
measures;
• Reaction – IA can assist by confirming that
emergency response and crisis management
plans are in place, tested and work;
• Remedy and Recovery – IA can assess the
feasibility and reliance which can be placed on
Disaster Recovery Plans;
• Business as Usual – IA can help by confirming
that restoration and normalisation of business
activities and services have been effectively
assessed, resourced and planned.
MOORE STEPHENS
Managing the Ripples from a Disaster or Crisis Incident.
The Importance of Internal Audit Involvement
Ensuring Internal Audit involvement and insight is applied to BCM and DR
to enhance and protect at an operational level can help:
• Lessen or minimise the effect of an incident on operations;
• Evaluate disaster preparedness, as well as provide an objective base for
vulnerability assessment and contribute to operational priority setting.
• Operations are facilitated to recover from a disaster or crisis more
rapidly than if no IA BCM assurance or advice were in place;
• Operations potentially gain a competitive advantage;
• Reduce reputational impacts and damage to brand image through the
application of IA advice and experience;
• Obtain a better understanding of the operation. Also, the extent of
interdependent risks which can culminate during an incident;
• Reduce the cost of the insurance burden by being able to demonstrate
sound systems of BCM and DR through independent IA assurance;
• Apply informed risk management principles to lessen your
organisation’s end to end vulnerability to certain disaster or crisis
related risks – Risk Assurance Matrix;
• Periodic independent resilience assessments confirm the state of
preparedness and ability to continue operations in the face of a
disaster;
MOORE STEPHENS
Managing the Ripples from a Disaster or Crisis Incident
The Importance of Internal Audit Involvement
Ensuring Internal Audit involvement and insight is applied to BCM and DR
at an operational level can help:
• Dispel the myth that insurance will protect operations. In respect of risk
management, insurance can cushion a blow but is not a substitute for
well thought out BCM and Disaster Recovery Planning;
• Make sure managers and operational staff really do know what to do in
an emergency or crisis. Also, raise general awareness and tackle
complacency;
• Ensure that management understand that Business Continuity is much
more that Disaster Recovery – Keeping the business going during a
disaster is vital if you want to be in a position to undertake recovery
action once the threat or emergency has passed;
• Establish and maintain a focus on the Clarification of Management
Roles;
• Establish a reasoned allocation of the portfolio of critical risks across
the business to spread dependency and ensure responsibility does not
rest with a limited nucleus of mangers; and
• Ensure that a Crisis/Disaster approach is in place that identifies inter-
dependencies between risks, systems, different parts of the business,
regions, suppliers etc. and is sufficiently flexible to adapt to changing
risks.
MOORE STEPHENS
Are you applying an AGILE Approach to Respond to Operational
and Management Requirements for BCM and Disaster Recovery
Insights?
Assurance Make sure the Board, Audit and Risk Committee and Stakeholders requirement for BCM and DR ASSURANCE is understood and addressed within the IA Strategy and Annual Plan. Highlight any gaps or areas that will not be covered. Use Outsourcing and Co-sourcing to obtain the right mix of assurance skills or to supplement internal resources.
Good Governance
Apply the COSO model to the business in order to ensure that BCM and DR governance and transparency issues are addressed within the operational and risk management BCM and DR Strategy and Plans. Develop a BCM/DR Risk Assurance Matrix to support managements analysis and help protect against future adverse events.
Independence Apply the three lines of defence model and work with the business on an BCM and DR Assurance Map. Making sure that the Internal Audit function maintains Independence. Undertake Independent Horizon scanning to make sure the business has sufficient coping capacity and can be adaptive.
Looking Forward Tap into Predictive Analytics and Actuarial Professional capabilities. Utilise the human capital of the business (Utilise secondment of BCM and DR Specialists into Internal Audit) Innovate to help enhance and protect business capacity and resilience to protect the business.
Educate
Seek to be part of the BCM and DR testing and check-up process and promulgate lessons learned. Utilise Internal Audit’s advisory capability to highlight the Upside of being prepared. Make sure the business budgets for disaster and tackle complacency . The cost of failure can mean the end of the business.
MOORE STEPHENS
Perceptions of Significant Risk
The next slide is duplicated in the hand-outs already on your tables. Please highlight the top 3 threats you consider most likely to affect the UAE or your operations in the short to medium term (i.e. 18 months to 3 years). Please feel free to add any additional risks you consider relevant which may not be captured on the hand-out.
MOORE STEPHENS
MOORE STEPHENS
Discussion and Questions?
Points to Ponder
1. Do your operational managers actively maintain a BCM
Plan and DR Plan? Are BCM and DR risks on their radar
and the Board’s agenda?
2. How much involvement does your Internal Audit function
have within the organisations BCM processes and DR
activities? Is it sufficient to meet the Professional
Standards or regional regulatory requirements?
3. How do you measure resilience within your business?
4. Could you develop and use a BCM/DR Risk Matrix and
Predictive Analytics with your risk teams or operational
managers?
MOORE STEPHENS
Contact Us
Robert Noye-Allen Partner – Governance, risk and assurance
(GRA)
T +44 (0)20 7334 9191
www.moorestephens.co.uk
Anthony Blenkey Director for UAE and Qatar
(GRA)
T +44 (0)20 7334 9191
www.moorestephens.co.uk
Amin Musa Associate Director – Middle East Sales
T +44 (0) 2076511161
M +44 (0) 7741248072
www.moorestephens.co.uk
Scott Garnett Senior Manager – Governance, risk and assurance
(GRA)
T +44 (0)20 7334 9191
www.moorestephens.co.uk
MOORE STEPHENS
Key References
• International Institute of Internal Audit – (www.theiia.com)
• Chartered Institute of Internal Audit (UK) – (iia.org.uk )
• Institute of Risk Management - (www.theirm.org)
• Business Continuity Institute (BCI) – (www.thebci.org)
• Disaster Recovery Institute (www.drii.org)
• USA Federal Emergency Management Agency (FEMA) – (www.fema.gov)
• Insurance Information Institute – (www.iii.org)
• The World Economic Forum – (www.weforum.org)
• The Organisation for Economic Cooperation and Development (OECD) – (www.oecd.org)
• Evaluation Report - UNDP (United Nations Development Programme – (www.undp.org)
• COSO – Committee of Sponsoring Organisations of Treadway Commission – (www.coso.org)