Focus on assurance flyer


November 2015

Focus on Assurance

“We’re not on a flight path!” This is one of many great excuses that organisations use for not having a Business Continuity Plan. Internal auditors have heard many excuses and, whilst there is sympathy for stretched management resources, all too often Business Continuity is a task which gets pushed to the back burner of an organisation’s priorities. “It will never happen to us”, “a waste of time and effort”, “we’re not on a flight path” and “we’re not a target” represent regular reasoning, but you might just upset someone enough that they decide to drive a car loaded with gas canisters into the front of your building!

That, it seems, is exactly what happened to South Oxfordshire District Council in January 2015, resulting in a criminal case with Andrew Main charged with three counts of arson affecting the Council, a Funeral Directors and a residential cottage. It is doubtful anyone at the Council foresaw upsetting someone to this extent, but clearly there are irrational people in the world and their actions are not always proportionate to the cause; being disgruntled over a planning application, a rise in Council Tax or the closure of local libraries is thankfully rarely likely to prompt such a response. As for the Funeral Directors, it seems a case of mistaken identity.

As auditors, it has given us a ‘real life, could happen to any organisation’ example of risk which cannot be played down and which, unlike acts of terrorism such as 9/11 in New York or 7/7 in London that have impacted on organisations, is not at the extremity of the scale. Business Continuity is not just another worthless task or desktop exercise; you may never need to invoke your plans, but if you do then at least you are prepared and well placed to respond. A student may be disappointed over their grades, a social housing resident upset by the bedroom tax, a sickness benefit claimant disgruntled by their claim being refused, a patient upset by their hospital treatment; these are not far-fetched examples and anyone can walk into your reception with a can of petrol!

Copyright © Gateway Assure 2015 registered in England and Wales - MCH House, Bailey Drive, Gillingham, ME8 0PZ - Company number: 08232033

In April 2015, we experienced another example with the disruption caused by underground fires on the Kingsway in the Holborn area of Central London; this resulted in the evacuation of some 5,000 people and caused disruption to many more. The cause is unknown and probably not deliberate, but the effects were widely felt. Maybe you are not situated on a flight path, but most of us are on planet Earth and risks surround us all; organisations need to be prepared and have robust, rehearsed plans in place to react should unplanned events such as these impact upon their business.

Importantly, Business Continuity needs to be kept live in organisations; it is not just for the big impact events, and a well thought out and structured framework for response will mean you are better placed to respond to a myriad of different situations. Do not let your Business Continuity Plan become a stale document reviewed every five years, gathering dust on a shelf or hidden within the filing structure of an unprotected server; as your organisation and the external environment change, so does the risk environment in which you operate. Business Continuity Planning is part of good risk management. Be sure to involve your senior management and team representatives from across the organisation to gain buy-in to the process, assess controls in place to manage inherent risk, identify whether any single points of failure exist and consider whether residual risk is within your risk appetite. Failure to respond could ultimately lead to your clients looking elsewhere, never to return, and then you will need quite a different plan! As any good Scout would say, “Be Prepared”, and hopefully you will never need it.

Topical Key Risks

The following are some of the key topical risks our clients are seeking assurance and advice on from internal audit:

Cyber Security

Hardly a day goes by without an instance of hacking hitting the news; increasingly sophisticated techniques and well-funded hackers are attempting to identify and exploit security vulnerabilities in information systems. However, it remains important that team members are well briefed on security risks so that simple techniques such as phishing attempts do not succeed.

Performance Management

Board, Executive and management require robust performance data which enables them to monitor achievement against organisational goals and make informed decisions; independent assurance over the capture, analysis and presentation of performance data can provide assurance and confidence in that data, or recommendations for improvement within a business critical area.

Third Party Relationships

Whether it is to boost efficiency or plug gaps in knowledge or experience, organisations are increasingly looking to third party solutions to deliver business critical functions. These relationships change the risk environment for the client organisation; ensure you have good due diligence, strong contract arrangements including right to audit, robust performance monitoring and strong contract governance in place.

Business Continuity

As discussed in our core feature, complacency has existed for too long and recent ‘real life’ examples have pushed the topic up the risk agenda for many clients.

For more information on Gateway Assure internal audit services please contact: Lee Glover, Director of Assurance Services -

