Audit and Assurance


Business Continuity Plans & Pandemics

  • 1.  Business Continuity Plans & Pandemics

    Posted 16 Mar, 2020 15:02
    With coronavirus being in the news and how fluid the situation is, have any of you come across or given recommendations to clients to have BCPs that account for pandemics like what we are seeing? I am yet to come across one that specifically accounts for global pandemics, but I think it's a good idea for us as auditors to seriously think about it when reviewing those BCPs. What are your thoughts?
    Initially posted in SheLeadsTech, which was the wrong group to post the above topic on.


    ------------------------------
    Aishabou Hydara
    Senior Consultant
    ------------------------------


  • 2.  RE: Business Continuity Plans & Pandemics
    Best Answer

    Posted 17 Mar, 2020 04:16
    Hello Aishabou,

    Good point, Aishabou! COVID-19, also known as novel coronavirus, is a global threat affecting the lives of people, businesses and economies. Our level of preparedness for such a pandemic is very low. We can all see the dreadful impacts emerging. From the organizational point of view, it is important to have a good level of preparedness, and developing Pandemic Plans comes under Business Continuity Management. A Pandemic Plan is a subset of the BCP and it has to be 'fit-for-purpose' and not something downloaded from the internet. Now, organizations are rushing to get their Pandemic Plans in place. As an auditor looking at business resilience and governance, it is important to review the organisation's Pandemic Plan. It has to cover all relevant aspects such as backup and succession plans, supply chain resilience, communication strategies, staff awareness, testing and exercising the plans, etc. It is the right time now to impress upon the organisations to develop and test their Pandemic Plan.

    Nalin


    ------------------------------
    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
    ------------------------------



  • 3.  RE: Business Continuity Plans & Pandemics

    Posted 17 Mar, 2020 12:18
    @Nalin Wijetilleke, that was a great response! Thank you.

    ------------------------------
    Aishabou Hydara
    Senior Consultant
    ------------------------------



  • 4.  RE: Business Continuity Plans & Pandemics

    Posted 01 Apr, 2020 06:44
    @Nalin Wijetilleke

    Scenario: For an organization that has more than 3 subsidiaries dealing in different businesses, who is responsible for developing the Pandemic Plan?

    ------------------------------
    Veronica Rose, CISA
    Information Systems Auditor
    ------------------------------



  • 5.  RE: Business Continuity Plans & Pandemics

    Posted 01 Apr, 2020 16:18
    Hi Veronica,

    Thanks for the question. The Pandemic Plan has to be 'fit for purpose'. If the type of business of the three subsidiaries is different, each one will have a slightly different Pandemic Plan. To answer your question of who is responsible for the Pandemic Planning: of course, it depends very much on the size and nature of the business. Ideally, it should come under the Business Continuity Manager, if they have one. If there is nobody like that, it can be under the Group Risk Manager. You may ask why Pandemic Planning should not be under Health and Safety. That is because Pandemic Planning also needs coordination with other areas such as logistics, IT, supply chain, customers, facilities, operations, etc.
    I hope it makes sense?
    Cheers!
    Nalin

    ------------------------------
    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
    ------------------------------



  • 6.  RE: Business Continuity Plans & Pandemics

    Posted 02 Apr, 2020 11:37
    @Nalin Wijetilleke

    Thank you so much for your response.

    ------------------------------
    Veronica Rose, CISA
    Information Systems Auditor
    ------------------------------



  • 7.  RE: Business Continuity Plans & Pandemics

    Posted 17 Mar, 2020 06:07
    As with the current pandemic, H1N1 was also declared a National Emergency. One need only look back in time, to 2009, to guidance and BCPs written to address H1N1 to find great examples for plans in 2020. Details, such as social distancing, gatherings, etc., will need to be updated to reflect Executive mandates, and those can be found on the CDC website. Check ISACA Journal issues from 2009 as well; we all scrambled back then, so the trail should be there. There is nothing new under the sun.

    ------------------------------
    Eric Phifer
    IT Compliance & Risk Analyst
    ------------------------------



  • 8.  RE: Business Continuity Plans & Pandemics

    Posted 17 Mar, 2020 12:17
    @Eric Phifer, thanks for the great insight and for the resources you've pointed out to me. I'll take a look at a few of those.

    ------------------------------
    Aishabou Hydara
    Senior Consultant
    ------------------------------



  • 9.  RE: Business Continuity Plans & Pandemics

    Posted 02 Apr, 2020 15:23

    Hi @Aishabou Hydara,

    Some thoughts ;)

    At this time, we are discussing BCP for Pandemics, but wouldn't it be wiser to discuss a worst case "BCP"?
    Today it's a pandemic; maybe tomorrow it will be a war?

    In the end, it all comes down to the business. And for some, putting the business into hibernation is the best solution (for the business, but it may not be the best solution for the workforce that suddenly becomes unemployed). Even though people are the most valuable assets of an organization, at times we need to make harsh decisions (such as putting people on temporary unemployment).
    It may be best for the business, and yet still also provide income for those that are on furlough, but it also forms a risk.
    Some may not like these decisions, but cope with them during the pandemic, while deciding that they will switch jobs once everything starts to turn back to normal.

    At first glance, this may not seem to be an issue as everyone is replaceable... but the loss of knowledge may provide harm that can have a detrimental effect on the "restart" of business.
    What if workers get sick? Or worse.....
    Do we need to take that into account in our BCP/DR?

    What is left of the business during such hazardous times? Is it time to cut costs, by downscaling our environment? Is it time to invest in the well-being of your workforce? Will this pay off later? Can we still gain income by changing our business model? If so, how will this, in time, impact our business and our competitors? Is your business still viable? Will it bounce back after things get back to normal? How can we cut costs without putting the future at risk? That is, how much damage can we sustain?

    I do believe that at this time, the true nature of the corporate leaders as well as the nature of your workforce will reveal itself. Everyone needs to contribute to the survival of the organization. Some maybe by being partially exposed to additional risk, while others doing their best to protect the future.
    Personally, I think that we can prepare for worst case scenarios, but in the end, it all comes down to the "Fight or Flight" of the leaders and the workforce.

    In terms of BCP/DR, I think that we can "theoretically" prepare for the worst case scenarios, but in the end ... a large part of it will boil down to creativity & flexibility.

    You can have a great BCP/DR, but if there is nobody to put it to work....

    Or you can have a basic BCP/DR and have a great workforce that is willing to make things happen.

    As a final thought:
    We are speaking about BCP/DR, which is perfectly OK. And most larger companies have it in some form. But what about the small corporations? The grocery store, the butcher, the newspaper shop, ... the gardener ... the guys in construction work ... airliners ... and many, many more. Some may not even have a BCP/DR.

    Maybe this pandemic will make us all realize that we all need each other, and that we can only survive if we all work together. Wouldn't that be the best BCP/DR ever?


    All the best. 

    Stay safe & healthy !



    ------------------------------
    Sven De Preter

    Sr. Network & Systems Administrator
    Corporate DPO Team Member

    Certs:
    - CompTIA CSCP (Stackable)
    - CompTIA CCAP (Stackable)
    - CompTIA Cloud+ ce
    - CompTIA Security+ ce
    - CompTIA Network+ ce

    Feel free to connect with me on LinkedIn: https://www.linkedin.com/in/svendepreter/
    ------------------------------



  • 10.  RE: Business Continuity Plans & Pandemics

    Posted 03 Apr, 2020 09:17
    @Sven De Preter, thank you so much for such a detailed breakdown of some of the "what ifs" and "what could go wrong". What resonated most with me is that a company can have a fantastic BCP, but without the workforce (due to sickness, closures, etc.), the BCP will not be a success in practice. It reveals why it's always good to think of the worst case scenarios when drafting these BCPs.

    Stay safe, and many thanks for your insight.

    ------------------------------
    Aishabou Hydara
    Senior Consultant
    ------------------------------



  • 11.  RE: Business Continuity Plans & Pandemics

    Posted 03 Apr, 2020 21:28
    Sven, I am in total agreement with you. Very nice analysis. In the worst situations, only people realise the value of interdependency. That has to be factored in the business continuity planning.

    ------------------------------
    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
    ------------------------------



  • 12.  RE: Business Continuity Plans & Pandemics

    Posted 03 Apr, 2020 08:34
    Hello Aishabou,

    It's a good thing to account for a generally rare and broadly disruptive event in a business continuity plan. It could be a disease outbreak, a widespread severe natural disaster, a war, a solar flare; pick your horrible but hopefully rare scenario of choice. A company should have some idea of how to build in resiliency for severe events, including items like:
    1. Understanding balance sheet and cash flow risk
    2. Understanding their legal structure to protect their productive assets from creditors to the greatest degree possible
    3. Managing vendor risk to get in front of receivable, supply chain, and credit risks

    After all of that, it's still a good idea to make the board and senior management understand that events of a sufficient severity and/or duration will eventually break down your company's resiliency. There is a limit to what you can prepare for and manage. Sometimes a very rare event that management decides to accept the risk of will occur and overwhelm a company. That doesn't mean it wasn't a reasonable decision to make when it was made. Sometimes an event with a low probability of occurrence and high impact is very costly to protect against and you just happen to be the generation of management that it bites.

    ------------------------------
    Craig Beebe, CISA, PMP, CFE
    Internal Audit Manager
    ------------------------------



  • 13.  RE: Business Continuity Plans & Pandemics

    Posted 03 Apr, 2020 09:25

    @Craig Beebe, thank you for your contribution. I think this coronavirus outbreak is one where the majority of us did not anticipate the global disruption and impact to day-to-day business operations. This is more so for companies who don't have a big global reach, but they have all been affected one way or another by the pandemic. I'm very interested in seeing how the lessons learned are used to update current BCPs.

    Stay safe.



    ------------------------------
    Aishabou Hydara
    Senior Consultant
    ------------------------------



  • 14.  RE: Business Continuity Plans & Pandemics

    Posted 09 Apr, 2020 19:30
    Hello Aishabou,

    You are totally correct, the world was not prepared at all for the Pandemic. We cannot say that there were no warnings. Eminent entrepreneurs, scientists, etc., had predicted such a scenario. I have been talking to several organisations. Some of the larger organizations, government departments and universities, fortunately, had their Pandemic Plans. Over 90% of the SMEs I spoke to had no Pandemic Plans.
    That is the first lesson. Many had plans, but not properly calibrated. They had not considered the risks and mitigants on supply chain disruptions. The extreme staff absenteeism had not been thought of! And so many more...!
    I think, once this period is over, we can together do a nice compilation of all the learning.

    Cheers!

    Nalin

    ------------------------------
    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
    ------------------------------



  • 15.  RE: Business Continuity Plans & Pandemics

    Posted 10 Apr, 2020 07:59
    Hello Nalin,

    I support your observation that preparation for the pandemic was less than optimal. Risk management is extremely difficult, and with limited resources the cost to prepare for every possible incident is impossible. The COVID-19 pandemic will be fuel for years to come so people can proffer solutions on what should have been. The ability of the supply chain and the governments to react (although we know reaction is not the best technique) to the shortfall has been impressive. I hope your family is staying healthy!

    Best wishes,
    Brian

    ------------------------------
    Brian Moore
    President, EWA - Government Systems, Inc.
    ------------------------------



  • 16.  RE: Business Continuity Plans & Pandemics

    Posted 11 Apr, 2020 03:59
    Thanks, Brian, we are keeping well, though in total lockdown. We feel the New Zealand government under the leadership of Jacinda Ardern is doing a good job. I am not sure whether you saw the 'Risk-based Alert Level dashboard' published by the NZ government, which is an excellent way to communicate with the public. I am attaching it.
    Everyone has to co-operate to get out of it, as soon as possible. Let's hope and pray for everyone's safety and better times ahead!
    Stay safe!
    Best regards
    Nalin

    ------------------------------
    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
    ------------------------------