Business Continuity Management and Crisis Management

As the global pandemic showed, possibility of a crisis severely disrupting an organization’s ability to operate looms today like never before.

Given the pace with which global threats evolve, incidents such as cybercrime, volatile weather patterns, terrorism attacks, and epidemics are increasingly likely.

These events all impact the ability to continue operations and meet stakeholders’ objectives and may even threaten the very existence of the business. Being able to better recognize potential crises, effectively handle such interruptions, and return to normal operations is extremely difficult. Gaining the capacity to do this quickly and efficiently with the minimum amount of impact — to be crisis resilient — is that much harder, and the ultimate goal.

• BENCHMARK your IA function against worldwide best practice
• MAKE the transition from a good function to a great one
• BUILD a world-class team
• MANAGE the audit process more efficiently
• ENGAGE more positively with senior management
• ENSURE the IA in risk management is fully understood
• TACKLE the more complex audit topics with confidence

After completing this course you will be able to

• Understand how to become a more crisis resilient organization
• Ensure that BCM and the crisis management plans are regularly updated to meet the ever changing risk environment
• Develop BCM plans that cover all business functions
• Implement an effective approach for communicating to all stakeholders through each stage of a crisis
• Deal with extreme risk events in a more managed way
• Build and oversee an effective BCM team
• Complete regular crisis management audits

Who should attend

• Managers and Directors responsible for crisis management
• Risk managers
• Senior Internal Auditors and audit managers
• Other assurance professionals such as those in Compliance and QA functions who are being asked to review the business resilience process

Course Level

• This is an intermediary level course and delegates should ideally have 18 months experience in a supervisory, management or assurance role
• Delegates should have a good educational standard (Bachelors degree or above) and/or a professional qualification or be in the process of studying for such a qualification
• No advance preparation is required
• Delivery method – On-line interactive (with exercises and case studies to provide practical application of the tools and techniques)

CPE credits

Participants will earn 9 CPE credits (in the Management Advisory Services field of study)

Day 1: Business Continuity Planning

The key objectives of BCM

• To provide critical services during times of disruption
• The need for management leadership
• Linking the BCM plan with strategic objectives
• Ensuring the resources for BCM are available
• Communicating the importance of the process
• Ensuring the intended outcomes are achieved
• Directing and supporting the personnel involved
• Determining the BCM owners across the business
• Exercise 1 – Assessing the effectiveness of BCP key objectives

Evaluating the BCM model

• Understanding the business impact of major events
• Determining strategies to deal with these events
• Ensuring that ISO 22301 is adopted
• Reviewing and conducting a gap analysis of the current BC policies
• Improving understanding of the risk profile of such incidents
• Preparing for each different emergency situation
• Development of procedures to recover from a disaster
• Preparing the actions to take during the recovery phase
• Testing the business recovery process
• Keeping the plan up to date
• Establishing a BCM culture across the organisation
• Identifying gaps
• Exercise 2 – The BCP model

Reviewing the resilience of critical business processes

• Identifying the critical processes and their relative importance
  • Explosions
  • Fire
  • Sabotage and terrorist attacks
  • Epidemics
  • Supply chain failure
  • Flooding
  • Earthquake
  • Significant political risk
  • Loss of IT
  • Loss of critical data
  • Loss of Telecoms network
  • Major Electricity outage
  • Vehicle incidents
  • Plant closure
• Inability to access offices
• Assessing the internal and external risks impacting continuity of these processes
• Evaluate what plans are currently in place to deal with the risks
• Which processes need further attention
• Which can be further developed as a cross business process
• Which events currently have no plan
• Allocating responsibility for actions
• Exercise 3 – The process to deal with loss of critical business activities

Ensuring specific plans for each type of incident

• An incident resulting in the death or serious injury
• Kidnap of staff
• An incident resulting in the complete suspension of business activities
• An incident resulting in the complete suspension of a key project
• Act involving gross mismanagement of funds
• Event that may have legal repercussions
• Incident that lead to public or other retaliation
• Incident resulting in negative coverage in the media
• Outbreak of conflict in a community served by the business
• Natural disaster
• Exercise 4 – Reviewing the specific plans

The BCP testing process

• The need for all aspects of the plan to be tested
• BCM Test plan
• Desk check
• Communication testing
• Physical tests
• Completing the tests
• Testing Feedback
• Overall Test Evaluation
• Exercise 5 – Assessing the BCP testing plan

Day 2: The BCM Process in practice

The Crisis management (CM) plan

• Has the plan been developed in conjunction with the strategic planning
• process?
• Crisis Risk owners – how these personnel are chosen and how
• ownership is enforced
• Are annual statements required by these risk owners?
• Assessing the risk tracking process
• Using the risk register as a crisis management decision skeleton
• The steps taken to coordinate and link the output
• Flagging interdependencies – if one risk treatment is changed the other
• party or parties impacted are notified
• Has the CM process been used to break down the barriers
• Assessing reports for senior management
• Auditing the process
• Exercise 6 – Reviewing the crisis management plan

Reviewing emergency preparation

• Establishing an Emergency Operations Centre
• Emergency authority procedures
• Determining time bands to cover
  • The emergency period (minutes to hours)
  • The crisis period (hours to days)
  • The recovery period (days to weeks)
• The key documents and where held + the owners
• Key Systems
• Key system suppliers
• ICT and Communications back-up strategy
• Information back-up strategy
• Key partners emergency contact information
• Back-up power
• Off-site storage
• Alternative locations
• Media Liaison
• Insurance cover
• Exercise 7 – Assessing emergency preparedness

The incident management process

• Initial assessment
  • What are the known facts of the incident and what is/is not confirmed
  • What action has already been taken and by whom?
  • Is there anything that needs to be done immediately to protect against further harm / damage?
• Immediate actions
• Assignment of roles
• Emergency Operations set up
• Communications schedule agreed
• incident support personnel
• External expertise (legal, negotiators etc,) required?
• Security networks activated
• Recovery
• Assessment
• Exercise 8 – The incident management process

The BCM communication process

• Assessing the CM business structure
• What information do we have about the situation / what else do we need?
• Who else needs to be briefed and by whom
• Media and communications plan
• Pre-prepared media statements covering all major crises
• Contacting insurers
• Back up CM team members identified (in the event it is a long running crisis
• Exercise 9 – Reviewing the communication process

Assessing Recovery planning

• The elements of an effective plan
• Recovery of property
• Recovery of hardware
• Keeping people informed
• Personnel contacts
• Business recovery reports
• Monitoring the recovery process
• Exercise 10 – Assessing the effectiveness of the recovery plan

Evaluating the effectiveness of post event reviews

• Post crisis review – collection and analysis of data and actions taken
• Developing a plan with key learning points and actions
• Allocating clear responsibility for actions
• External reporting
• Organising risk awareness sessions for staff
• Sharing output with partners
• Evaluating risks within these relationships
• Identifying BCP Risk indicators (KRI’s)
• Coordinating the whole process
• Managing stakeholder expectations
• Exercise 11 – Evaluating the post event review process

Phil Griffiths, FCA

Phil Griffiths is founder and Managing Director of Business Risk Management Ltd.

A Chartered Accountant, he has over 30 years experience in risk management, Corporate Governance, internal audit and fraud prevention as practitioner, professional adviser, facilitator and trainer.

His areas of specialism are:

• Assisting Senior Management to identify, manage and then exploit the risks within their business via facilitated business risk management programmes
• Helping Internal Audit functions to implement world class standards.
• Developing fraud prevention, detection and investigation programmes
• Training both private and public sector organisations in all the above disciplines.

He has extensive experience of the European, Asian, Middle Eastern, and African markets having trained professionals from over 1000 organisations in these regions during the past 15 years

He has extensive experience of managing and auditing major International projects. He has also direct experience of negotiating major contracts (including the largest mobile telecommunications contract in the world at the time)

Phil has developed strategic alliances with professional bodies and world renowned training companies, to deliver training and consultancy services across Europe, Asia, the Middle East and Africa.

He has developed over 300 training courses on all aspects of internal audit, risk management and fraud and delivered them across the globe.

He has led risk management programmes for more than 120 private and public sector clients tailored specifically to include facilitated workshops, development of risk strategies and assistance with implementation

He is an accomplished author. His book ‘Risk Based Auditing’ is an international best seller and his new book ‘Enterprise Risk Management – the key to business success’ is receiving much acclaim

Phil has published research into many aspects of internal audit and risk management best practice, including “Strategic Risk management” “The Need to Co-ordinate Assurance Providers” and “The Expectations of Chief Executives towards Internal Audit and its future”

He is recognised as an accomplished and charismatic facilitator, trainer and lecturer and is in continual demand to speak at the most prestigious events on risk management, internal audit and fraud.

Course Fee and Timings

The fee for the 2-day course is GBP 450 (US$ 600) which includes comprehensive course materials. The course will consist of three 1.5 hour sessions each day.

The course will consist of three 1.5 hour sessions with the following UK timings

• 9.00 – 10.30 Session 1
• 10.30 – 10.45 Break
• 10.45 – 12.15 Session 2
• 12.15 – 13.00 Break
• 13.00 – 14.30 Session 3