How do you respond when a crisis hits?
Businesses face an ever-growing list of threats to their ability to operate, grow, and remain profitable. Serious threats over the past decade have included a global pandemic, natural disasters, significant demographic changes and shifts in consumer behaviour, disruptive technologies, a massive rise in cyber attacks, and generationally high inflation.
The next 10 years will bring even more challenges, not least the growing impacts of climate change, global pressure to transition away from fossil fuels, and the rapid advancement of AI.
Given the growing number and magnitude of potentially existential crises — and the shrinking interval from one challenge to the next — it’s clear that preparation is key. Leaders need to be ready to respond quickly and decisively when faced with a sudden and serious threat to the business. They also need to be confident that their vendors will be ready to respond just as swiftly, with the right expertise at the right time.
Nobody can predict when the next pandemic or natural disaster will strike. Still, organizations can learn a lot from the outcomes and impacts of past crises on their own business and those of peer organizations. Coupled with frequent risk assessments, these lessons can inform scenario planning, tabletop exercises, and emergency response plans that cover the highest priority threats.
Ideally, these exercises will include participation from relevant third-party vendors such as managed cyber-security service providers, cloud vendors, co-sourced or outsourced internal auditors, business advisors, and others. The goal of an exercise isn’t necessarily to navigate the scenario successfully. Rather, it is to expose critical weaknesses in existing emergency response plans, such as difficulty mobilizing resources, potential safety issues, and the points at which the business is most likely to lose customers and/or money.
Related risks
- Business and IT/OT disruption
- Inability to coordinate a timely response and organized communication
- Critical resources are unavailable when needed, or do not understand their roles
- Excessive cost of reacting to the crisis once it is under way
Key questions to ask
- Does your organization maintain a list of probable risk scenarios it should be prepared for, including plans on how it will respond to those scenarios?
- Has your leadership ever run tabletop exercises to walk through how you would manage a crisis? If yes, do you involve an expert in this discussion?
- Has your organization experienced a real crisis or at least a material unexpected disruption? If yes, did you conduct a post-analysis of this situation to discuss what worked well, what did not, and what you must be better prepared for?
- Do you keep track of crises that have impacted peer companies and assess whether you are prepared to respond? Usually, if it can happen to a similar organization, it could also happen to you.
Red Flags
- Insufficient preparation (training, discussions, policy, or plans)
- Third parties not aware of role in business resilience
- Business was not prepared when past disruptions occurred
- Competitors negatively impacted by a disruption the industry did not anticipate
Internal Audit Project Opportunities
- Business Continuity Planning Audit: assesses the organization's business continuity plans, ensuring they are comprehensive, up-to-date, and aligned with its critical functions and priorities.
- Disaster Recovery Audit: reviews the organization's disaster recovery plans and measures, including data backup and restoration processes, to ensure the organization can quickly recover from IT-related disruptions.
- Crisis Management Audit: evaluates the organization's crisis management strategies, protocols, and decision-making processes to ensure effective responses to emergencies and unexpected events.
- Risk Assessment and Management Audit: assesses the organization's risk assessment practices, including the identification and evaluation of potential risks and the implementation of risk mitigation strategies.
- Supply Chain Resilience Audit: examines the organization's supply chain resilience, identifying vulnerabilities and ensuring contingency plans are in place to address disruptions in the supply chain.
- IT Resilience Audit: reviews the organization's IT infrastructure, systems, and processes to ensure they are resilient to cyber threats, data breaches, and other IT-related risks.
- Employee Continuity Audit: assesses the organization's plans and measures to ensure the safety and well-being of employees during disruptions, including remote work capabilities and employee support programs.
- Financial Resilience Audit: evaluates the organization's financial preparedness to withstand adverse economic conditions, including stress testing, liquidity management, and contingency funding plans.
- Vendor and Outsourcing Resilience Audit: examines the organization's relationships with vendors and outsourced service providers to ensure they have robust business continuity and disaster recovery plans.
- Communication and Stakeholder Management Audit: assesses the organization's communication strategies and stakeholder management during crises, to maintain trust and transparency.
- Regulatory Compliance Audit: ensures the organization complies with relevant regulations and standards related to business resilience and continuity planning.
- Incident Response Audit: reviews the organization's incident response procedures to ensure they are well-defined, understood, and regularly tested.
- Physical Security Audit: evaluates the organization's physical security measures to protect assets and facilities from potential threats.
- Training and Awareness Audit: assesses the organization's training and awareness programs related to business resilience, ensuring employees are adequately prepared to respond to disruptions.
- Testing and Simulation Audit: examines the organization's testing and simulation exercises for business resilience plans, ensuring they are conducted regularly and effectively to identify areas for improvement.