Are You Prepared?
How one internal audit department identified problems and provided recommendations to strengthen the company’s response to business disruptions.
RLI Corp. is a specialty insurance company that operates from more than 35 locations across the United States. Headquartered in Peoria, Ill., RLI is a publicly traded company that reported net earnings of US $126 million in 2013. There are approximately 900 employees, and the internal audit department comprises seven individuals, including the chief audit executive (CAE).
One of the internal audit department’s most significant consulting activities has been in the area of business continuity planning. Initially, the department reviewed business continuity as a business unit risk during each audit. But with the need to improve the company’s overall business continuity governance and coordination, especially because of increased inquiries from regulators regarding our plans, we realized it was ineffective to continue to raise these types of concerns individually.
There were four main issues of concern internal audit communicated to management: 1) While business units had varying degrees of business continuity preparation, there was not a well-coordinated corporate plan or understanding of interdependencies among departments; 2) the link between the business continuity plan and IT systems recovery plan was weak; 3) there was no clear plan on where employees would go following a disaster; and 4) there was no formal testing by members of business units.
We met with the vice president of the Administrative Services department, the owner of business continuity, to discuss the opportunities identified to improve our business continuity maturity across these four areas. Because of internal audit’s unique understanding of processes and interdependencies across business units, and the need for business continuity improvement, the vice president requested our assistance to enhance corporate business continuity planning.
1. COORDINATE A CORPORATE PLAN
To help address any concerns internal audit had with independence or objectivity, we reviewed IIA Practice Advisory 1130-1: Impairment of Independence or Objectivity, Practice Advisory 1130.A2-1: Internal Audit’s Responsibility for Other Non-Audit Functions, and IIA Position Paper, The Role of Internal Auditing in Enterprise-wide Risk Management. This led to the establishment of a governance committee — comprising the chief operating officer, chief financial officer, and vice presidents of enterprise risk management, IT, and administrative services — to ensure that internal audit was not making key business continuity decisions. Our job was to play a coordination role, provide information to this group to help prioritize activities, and give updates on progress. To ensure the audit committee was aware of internal audit’s role, we supplied an overview in our board materials and quarterly updates in our audit committee materials.
Once a governance structure was in place and our role communicated, we set out to improve the company’s business continuity maturity. We leveraged several resources, including The IIA’s Global Technology Audit Guide (GTAG) 10: Business Continuity Planning. GTAG 10 emphasizes key aspects of planning, including the importance of a business impact analysis to:
We also took advantage of our organization’s U.S. Sarbanes-Oxley Act of 2002 infrastructure, which had established process owners in each business unit, to create a business impact analysis template for each process owner to identify his or her business unit’s key processes and each process’:
We also set up a workflow in which department heads would sign off on the content of the business impact analysis for completeness and accuracy, and the results were escalated to the business continuity executive committee. The business impact analysis creation and approval process allowed us to standardize the plans of each business unit and formalize business continuity planning.
At a corporate level, internal audit helped establish which executives have the authority to declare a disaster and the key departments that need to be notified. These include the facilities department to address building damage and locate alternative permanent sites to operate, communications to deal with media, human resources to deal with personnel and payroll needs, and IT to assist with systems and telecommunications. In addition, core individuals in each business unit were identified to execute department-level plans. In our branch offices, key personnel were identified at each location who could declare a branch closure.
Given the interdependencies across the organization, we wanted to enhance communication in the event of a short- or long-term disaster. Our initial plans relied on a traditional call-tree approach to notify employees, but this raised several concerns. Individuals could be missing from the chain of communication, inaccurate communication could move down the call tree, and it took too long to notify each employee. To improve communication, the communications department contracted with a firm to push out automated alerts to employees via text, email, and robocalling. In addition, the department retained the services of a crisis communication firm to assist with media management in the event of a disaster or other corporate crises.
2. LINKING THE BUSINESS CONTINUITY & IT SYSTEMS RECOVERY PLANS
To better align business units and IT, we compared the recovery times indicated by process owners in each business unit’s business impact analysis to those outlined by the IT department in its systems recovery plan. In cases where the business unit indicated it needed a solution faster than IT intended to recover it, there was a discussion to determine the cost/benefit of expediting the system recovery, or the business unit would accept the risk and develop alternative procedures until the system could be recovered.
Most business units could function without access to systems for a short time, with the exception of communications. Email and telephone were noted as critical both for communicating with key customers and for interacting with other employees. This led IT to provide a hot-site solution for the real-time recovery of email and of Voice over Internet Protocol (VoIP) phones. Focusing our recovery on only the critical systems helped to minimize the cost of our business continuity efforts.
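The comparison described in this section, between the recovery time each process owner wrote into the business impact analysis and the recovery time IT committed to in its systems recovery plan, is easy to do by hand for a handful of systems but benefits from a repeatable check once every business unit has filed a template. The following is an added example, not code from the article or from RLI Corp.; the business units, system names, hour values and the four-hour "hot site" threshold are all constructed for illustration. It lists every system a unit needs faster than IT plans to recover it (the cases that become a cost/benefit discussion or an accepted risk with alternative procedures), flags systems the BIA references that the recovery plan does not cover at all, and derives the short list of systems whose tightest requirement justifies a hot-site solution, which in the article's case was email and VoIP.

```python
"""Gap analysis between business impact analysis (BIA) recovery time
objectives and the IT systems recovery plan. Added example; all data is
constructed and does not describe any real company's plans."""
from dataclasses import dataclass


@dataclass
class RtoGap:
    system: str
    business_unit: str
    required_hours: int   # RTO the process owner asked for in the BIA
    planned_hours: int    # RTO IT committed to in the systems recovery plan

    @property
    def shortfall_hours(self) -> int:
        return self.planned_hours - self.required_hours


# Constructed BIA results: {business_unit: {system: required recovery hours}}
BIA = {
    "Underwriting": {"email": 2, "policy-admin": 24, "voip": 2},
    "Claims": {"email": 2, "claims-system": 8, "voip": 4, "imaging": 8},
    "Finance": {"general-ledger": 72, "email": 4},
}

# Constructed IT systems recovery plan: {system: planned recovery hours}
RECOVERY_PLAN = {
    "email": 24,
    "voip": 24,
    "policy-admin": 24,
    "claims-system": 48,
    "general-ledger": 48,
}


def required_rto_by_system(bia):
    """Tightest RTO any business unit demands for each system; this is the
    consolidated requirement IT has to plan against."""
    out = {}
    for needs in bia.values():
        for system, hours in needs.items():
            out[system] = min(hours, out.get(system, hours))
    return out


def find_rto_gaps(bia, recovery_plan):
    """Return (gaps, uncovered): gaps are unit/system pairs where IT plans a
    slower recovery than the unit requires, worst shortfall first; uncovered
    are systems the BIA references that the recovery plan never mentions."""
    gaps, uncovered = [], []
    for unit, needs in bia.items():
        for system, required in needs.items():
            planned = recovery_plan.get(system)
            if planned is None:
                uncovered.append((unit, system))
            elif planned > required:
                gaps.append(RtoGap(system, unit, required, planned))
    # Python's sort is stable, so equal shortfalls keep BIA order.
    gaps.sort(key=lambda g: g.shortfall_hours, reverse=True)
    return gaps, uncovered


def hot_site_candidates(bia, threshold_hours=4):
    """Systems some unit needs back within threshold_hours. Only these
    justify real-time (hot-site) recovery; everything else can follow the
    normal recovery schedule, which keeps the program's cost down."""
    return sorted(
        system for system, hours in required_rto_by_system(bia).items()
        if hours <= threshold_hours
    )


def gap_report(bia, recovery_plan):
    """Human-readable lines for the business continuity governance committee."""
    lines = []
    gaps, uncovered = find_rto_gaps(bia, recovery_plan)
    for g in gaps:
        lines.append(
            f"GAP      {g.business_unit:<12} {g.system:<14} "
            f"needs {g.required_hours:>3}h, plan {g.planned_hours:>3}h "
            f"(short by {g.shortfall_hours}h)"
        )
    for unit, system in uncovered:
        lines.append(
            f"MISSING  {unit:<12} {system:<14} not in IT systems recovery plan"
        )
    lines.append("HOT-SITE candidates: " + ", ".join(hot_site_candidates(bia)))
    return lines


if __name__ == "__main__":
    print("\n".join(gap_report(BIA, RECOVERY_PLAN)))
```

Each GAP line is a decision for the committee rather than a finding by itself: either IT expedites the recovery of that system, or the business unit accepts the risk and documents alternative procedures to bridge the shortfall. The MISSING lines are the more dangerous case, since a system absent from the recovery plan has no recovery commitment at all.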
3. IDENTIFYING RECOVERY SITES
RLI Corp. has branch offices throughout the United States, most of which are in major metropolitan areas with no more than 30 employees at any one location. The exception is our corporate headquarters, where about one-third of our employees and our data center are located. We found that we would need to address the recovery efforts separately for branch offices and headquarters.
For branches, we developed a plan based on two scenarios. The first was a disaster that was local to the branch, such as a fire in the building. The second was a disaster at headquarters that would impact the data center and, therefore, systems used by branch personnel. We developed alternative procedures to address recovery efforts for both of these scenarios, which included communications to key customers when systems were down. We determined that we did not need to enter into an arrangement with a provider to guarantee space for a recovery site because branch office work could be rerouted to other branches temporarily, and each branch had relatively few employees. If the office building was unavailable, the plan was for branch personnel to temporarily work from home, leverage public Wi-Fi hotspots using a secure connection to corporate systems, or operate from another branch until the office became habitable.
Establishing recovery site plans for headquarters proved more challenging because of the large number of employees there and the site's location. While we might be able to quickly rent an alternative location, bandwidth was a critical concern, as we learned that it could often take up to 30 days for vacant space to have the necessary network connection speeds. This is much longer than the recovery time objectives identified by business units. Therefore, we needed to identify an alternative site with adequate Internet speeds until a vacant space could be identified and adapted to meet our needs.
To control costs, we worked with business units to determine the core group of employees they could get by with until a more permanent location was established. We compared several vendors and selected a firm providing a turnkey operation 150 miles from our headquarters that enabled us to be up and running in just over a day following a disaster. The advantage is that local weather disasters are unlikely to impact our recovery site. However, the distance means employees may be unable or unwilling to leave their homes for an extended time to work at a site nearly three hours away. We continue to explore other alternative recovery sites that may be closer to our headquarters.
4. IMPLEMENTING BUSINESS CONTINUITY TESTING
The first year of testing, our plan was limited to a tabletop exercise with executives to help identify broad concerns with design and communications. Once we arranged for the headquarters recovery site, we began business continuity testing by taking core employees from at least two business units with interconnected processes to the site. Employees were able to experience working remotely and helped identify improvement opportunities in the department plans, such as any unforeseen dependencies on other departments, systems, or equipment. This testing has been done in coordination with IT’s systems recovery testing. For branch employees, the plan is to have them work from home or an Internet café until an alternative location is established. We test the ability of branch employees to work remotely by securing meeting space at local hotels, bringing in laptops, and having branch employees test their alternative procedures.
While much of our initial focus was on large-scale disasters, short-term disruptions — such as a water main break, downed network, or winter storm — proved much more common and important to address. These events require day-to-day communications about branch closures, as it is often unclear when the location will be available again. We have now moved our business continuity efforts to a much more repeatable and sustainable process that includes:
Discussions with the audit committee and management continue about providing assurance over business continuity planning, which includes transitioning the process to another department for coordination or retaining a third-party firm to independently assess it. Moving forward, internal audit will continue to look for areas to improve the organization’s business continuity efforts.
Ben Getz, CPA, is a senior internal auditor at RLI Corp. in Peoria, Ill.
Seth Davis, CIA, CPA, CISA, is vice president of internal audit services at RLI Corp.