RETAIL AUDIT FORUM - AUDITING BUSINESS CONTINUITY
Alan Hodgson MSc CMIIA MBCI
2 My Background
15 years within Internal Audit (CMIIA, MSc Audit Management and Consultancy)
10 years in Retail
10 years in Business Continuity Management (MBCI)
Established Continuous Solutions Ltd. seven years ago
Set up and managed the Retail Business Continuity Association for four years
Approved by BSI to advise and audit to BS25999 Business Continuity Management Systems
3 Positioning
Who has recently conducted a business continuity audit?
What was the scope of the audit?
How was the scope determined?
What benchmark did you base your audit on / what did you audit to?
How many audit days are committed to BCM per year?
What is the experience of the auditors in the subject?
4 THE BIG QUESTION?
Have you ever wondered if auditing business continuity plans was worthwhile, and whether they addressed the real continuity and disaster recovery risks that your organisation faces?
5 Initial Thoughts!
Why are we doing Business Continuity in Retail?
What should we be looking to include in the audit plan?
How should we be auditing Business Continuity?
6 WHY ARE WE DOING BUSINESS CONTINUITY IN RETAIL?
7 A Few Good Reasons?
Retailers continue to develop leaner structures to drive efficiencies, but this in turn can also create vulnerabilities
Corporate governance requirements continue to expand
Stakeholders expect a reasonable degree of protection of their investment
Insurers continue to put pressure on retailers to limit their own exposure
There are sizeable risks inherent in some retail activities (e.g. distribution / call centres)
There are risks inherent in global sourcing and supply chains
We have to do it because other retailers are doing it?
Numerous retail-related major incidents have been experienced over recent years
It's flavour of the month with the Board... we just experienced a major incident?
We have worked too hard to get the business to where it is, and we aren't prepared to lose it!!
8 WHAT SHOULD WE BE LOOKING TO INCLUDE IN THE AUDIT PLAN?
9 Systems / Risk Based Auditing - The Basics
Identify the risk
Evaluate the controls
Assess their effectiveness
Make recommendations
Offer an opinion of assurance
10 Business Continuity
It should be structured as any system of management
Its purpose is to protect against risk
It is designed to support controls, which should include:
Preventative measures
Detective alerts
Corrective actions and capabilities
11 The Business Continuity Management System (BCMS)
Like any system, the BCMS is auditable
There are benefits to having such a system in place:
It underpins the application, management, and commitment to maintaining effective business continuity arrangements
It establishes common principles for managing the risk and supports consistency of approach
It ensures a continual review and re-alignment in the application of controls
It can result in ISO 22301 certification
12 What Do We Want From The Audit?
What does the Risk Owner want from the audit?
What does the Business need from the audit?
What does the Audit Committee need from the audit?
13 Defining the Audit Plan
What is the stage of evolution of the subject in the business?
How complex is the organisation?
What are the real risks and how have they been identified?
What do we already know about the controls in place?
14 Evolution of BCM
[Chart: BCM maturity scale from 0 to 9 across the stages Just Considered, Some Activity, Significant Focus and Fully Embedded]
Why audit to best practice?
What is right for your organisation?
15 A Typical Retail Model
[Diagram of a typical retail model spanning Retail Ops, Distribution, E-commerce and Head Office: 100s of stores, 1000s of products, employees, customers, multiple warehouses / DCs, regional hubs, suppliers, 3rd party logistics, web hosting, ICT infrastructure, main office buildings, ICT and people]
SO WHERE DO YOU START TO AUDIT?
16 The Business Continuity Project Life Cycle (BCI 2006)
17 The Business Continuity Programme
18 Auditing Vertically (By Life Cycle)
[Matrix: life cycle stages (Programme Management, Understanding, Strategy, Implement, Review, Embedding) against business areas (Head Office, Warehousing, Call Centres, Suppliers)]
19 Auditing Horizontally (By Life Cycle)
[Matrix: life cycle stages (Programme Management, Understanding, Strategy, Implementing, Review, Embedding) against Distribution Centres DC1, DC2, DC3, DC4 and DC5]
20 Business Continuity Controls
Controls at the STRATEGIC, TACTICAL and OPERATIONAL levels include:
Corporate Risk Register
Risk Management Policy
Audit Committee
Business Continuity Management Policy
ICT Infrastructure Resilience
ICT Disaster Recovery Arrangements
Work Area Recovery Arrangements (Office, DC, Call Centre)
ICT Security
Site Risk / Control Assessments
Work Area Recovery Testing
Site ERPs
Site Security Audit Review
Divisional IMPs
Site Health and Safety
Allocation of ownership
IMT Training and Exercising
ERT Training and Exercising
Business Continuity Steering Group
Business Change Management Protocols
Contractor Management
Project Risk Management
Site / Operation BIAs
Supplier Business Continuity Assessment
Crisis Management Plan
Supply Chain Management
Fire Prevention Activities
21 HOW SHOULD WE BE AUDITING BUSINESS CONTINUITY?
22 It's Simple Then... or is it?
Do you have business continuity plans in place?
Do you have ICT disaster recovery arrangements in place?
Have these arrangements been tested?
Alignment with Retail Best Practice Benchmark
ISO 22301 Certification
IS IT ANY GOOD???
23 The Risks
Manchester City Centre bombing 1996 (M&S, House of Fraser)
Buncefield Fuel Depot explosion 2006 (Dixons Retail Group)
Warehouse fires 2005: B&Q (Branstone), Primark (Lutterworth)
Central Milton Keynes crane collapse 2006
Co-Op Leicester 2008
Army Careers Office bomb, St. Mary's Butts, Reading, 11 Feb 2014
24 The Risk Register - What is Captured?
A single business continuity risk?
Multiple business continuity risks?
Are they captured by Division / Brand?
Do we know who owns the risk?
How do we show how well it is managed?
25 Who Owns The Risk?
Managing Director
Distribution Director
Property Director
ICT Director
Distribution Centre Managers
Head Office Facilities Manager
Head of ICT Infrastructure
26 The Challenges in Scoping the BCM Audits
The entire BCMS, or just single elements of it?
To what breadth: a single site or facility; a Division or Brand; or the Group as a whole?
To what depth: Head Offices; ICT infrastructure; Call Centres; Supply Chain (warehousing, distribution, logistics); Stores; Suppliers?
Controls: Strategic, Tactical, Operational
How should it interlink with other audits: Security (logical or physical); Health and Safety; Project Management; Fire Prevention; Supplier; Contractor Management; etc.?
27 The Fundamentals - Understanding Business Exposure
Has a Business Impact Analysis (BIA) been conducted?
What are the risks?
Is the Executive aware of the size of the risk?
What are the control structures in place, e.g. the BCM Policy; Strategy; Scope; Programme (timeline); Responsibilities?
Are these appropriate for our business... today?
28 The Auditors Assigned
What is their level of knowledge of the business?
How well do they understand the subject of BCM?
What specific training have they been given?
Remember... the Devil can often be in the detail. Do they have the skills to find it? A lot may be riding on it!!!
29 Challenge 1
Let's assume that we have a single Distribution Centre, stocking a key range of internationally sourced products. Can its recovery capability really be assured and tested?
Audit Considerations:
How comprehensive is the BIA and who was involved in its analysis?
What site controls are deployed: security; fire prevention; location; nature of product?
Who has been involved in determining the recovery strategy? Are they in a position to know if it is achievable? Who signed it off?
Is the Supply Chain efficient enough to support the anticipated recovery demands?
Has the business engaged with the 3rd parties likely to play a critical role in the recovery process, and what evidence supports this?
What level of detail is in the recovery plan? Does it include clear actions, owners and timelines?
Can components of the recovery strategy be tested independently?
30 Challenge 2
If the ICT Director says that there is an adequate recovery capability for the business's critical ICT infrastructure, then how can we be certain of this?
Audit Considerations:
Has a comprehensive BIA been conducted across the whole business, mapping the impact over time on each critical business process (retail, supply chain, e-commerce, head office etc.) following the loss of supporting systems?
Has the gap between this and the stated systems recovery capability been determined?
ICT: How comprehensive is the ICT recovery testing programme? Who has been involved in the testing?
What are the results from ICT recovery testing? How do these results compare with the stated recovery capability?
What is the level of resilience deployed over the ICT infrastructure?
Has the residual exposure been escalated to the Board?
What improvement action plans are in place?
31 What the Audit Should Challenge
You should challenge:
The comprehensiveness of the risk and impact assessment
The communication and visibility of the exposure to risk at Board level
The ownership of the risks
The process by which the recovery strategy, procedures and arrangements have been determined
The skills and knowledge of those involved in this process
The assessment of the control environment from which you operate
The extent, frequency and scope of testing and exercising
The process and management of implementing improvement actions
Don't... question the level of recovery testing and exercising unless you have confidence that the risks and impacts have been fully assessed
Be positive... about what has been achieved, where good practice has clearly been adopted, and where a commitment to address business continuity risks has been made
32 Remember
There's no quick fix in Business Continuity Management: you either do it right... or don't bother!
It's not about how big the plans are; it's about the approach, commitment and effort that goes into developing a solid capability.
To cover a large retail organisation committed to BCM, the BCM audit programme should be planned over several years.
Consider using discrete specialist support where suitably skilled internal resources are lacking.
As an auditor, don't just ask questions: roll your sleeves up and have a look... you may be surprised at what you find!!
33 THANK YOU