Business Continuity Management

editor: Ms. Vivian Chan - Risk Consultant


Business continuity management (BCM) prepares organizations for future incidents or crises that could interfere with the achievement of business objectives. The main goals of BCM are to restore critical operations, manage communications and minimize financial or other effects of a disaster. Types of business interruptions may include internal and external threats such as natural disasters, terrorism, system failures and production failures. Increasingly, BCM is viewed as an integral part of any successful company in mitigating risks and establishing good governance. The key components of BCM include the support from management, risk assessment and mitigation, business recovery and continuity plan, training and maintenance.


The Institute of Internal Auditors has released a new practice guide in August 2014 that shows how internal audit can facilitate BCM. In this newsletter, we will discuss the role of internal audit in developing the BCM before, during and after a major crisis.


Internal Audit’s Role in Developing the BCM

a) Program Governance

  • Determine whether key leadership positions have been documented for the ownership and accountability of the organization’s BCM programs, since leadership is critical to identifying plan interdependencies, promoting continuous improvement and learning from post-crisis activities.


  • Recommend the development of a well-defined BCM charter to establish program sponsorship and support within the highest levels of the organization. In addition, a charter establishes a BCM governance structure and guidance regarding periodic evaluations of the charter.


  • Evaluate the effectiveness of the BCM governance structure to ensure whether it is adequately funded and appropriate to serve the needs of the Board, audit committee or executive management.


  • Communicate with the Board on the current best practices for business continuity and crisis management, and risks the organization is associated with.


b) Risk Management

An organization must consider the prioritized risks incurred by the event of a crisis in order to make BCM to be effective. Internal audit often has a comprehensive understanding of core business risks, which helps to strengthen the development of the proposed internal audit plan. Being exposed to the organization’s BCM activities helps the internal auditor identify organizational tone, operational control activities and potential system or vendor dependencies. Weakness and failures in such areas may prompt the internal audit function to focus resources on providing targeted advisory engagements to address these issues.


c) Business Impact Analysis

Internal auditor may provide guidance on how to perform a business impact analysis.  The objectives of the business impact analysis are to help indentify key business assets, functions, partners, vendors and resources and to evaluate potential loss to an organization in the event of crisis. The results of the business impact analysis will outline critical operations, resources and processes which will most likely drive investment priorities for a business continuity plan.


d) Business Continuity and Recovery Planning

Business continuity and recovery planning provides a proactive method for organizations to identify measures to mitigate risks triggered by a crisis. Internal audit may provide related advisory or assurance services on these aspects.


Internal Activities Before, During and After a Crisis

Continuous evaluation of BCM ensures that the business continuity plan (BCP) remains relevant to organizational priorities in the event of a crisis. Before a crisis, internal audit may be engaged to share knowledge of leading developments for BCM with key management and audit committee, advise management in its performance of BCM risk assessments and perform assurance engagements related to the BCP such as evaluation of plan components, communication protocols and operation aspects.


During the crisis, internal auditor may serve on a crisis management committee to ensure that risks are understood and message has been well-delivered to relevant stakeholders, and to provide alternative recommendations to management as appropriate.


After the crisis, internal audit continues to play an important function in evaluating the organization’s recovery efforts, identifying improvements to the BCP and providing guidance to enhance business operations, with the goal of mitigating risks.



In conclusion, management should not neglect the importance of BCM for protecting the business interests when exposed to both internal and external threats.


[Source: Practice Guide - Business Continuity Management (August 2014) by The Institute Internal Auditors]

If there are any aspects which we may assist, please do not hesitate to contact our partner in charge Mr. Roy Lo at 3583 8048 ( or our Risk Manager Ms. Gloria So at 3583 8517 (



SHINEWING Risk Services Limited