Perhaps no disaster in recent history has done more to show the need for strong business continuity and disaster recovery planning than the Japan earthquake and tsunami of 2011. This massive 9.0 Richter scale earthquake, which occurred off the Pacific coast of Japan, caused tsunami waves that reached more than six miles inland in spots. More than one million buildings were damaged or destroyed, and nearly 20,000 people died or went missing. Tsunami damage was estimated at more than $300 billion.
Living in Japan, we are accustomed to earthquakes and have been trained since kindergarten and grade school on what to do (go under a table, turn off stoves, go to the designated safety area, etc.). Japan also has the nationwide Earthquake Early Warning (EEW) (Kinkyū Jishin Sokuhō) system. A warning is issued as soon as an earthquake is detected from its first P-waves, before the S-waves that cause the shaking arrive. Even though the EEW comes just minutes before the shaking, people may find time to protect themselves at home or at the office, and the warning slows down trains and stops factory assembly lines. One minute before the earthquake was felt in Tokyo on March 11, 2011, the EEW system sent warnings of impending strong shaking to millions of people via broadcasting stations and mobile phone companies. It is believed that the early warning saved many lives in the cities and factories.
Despite all preparation and investment for the earthquake, the country was unprepared for a tsunami of that magnitude, which caused most of the damage. The Fukushima nuclear plant was severely compromised by the tsunami, resulting in releases of radiation. Communication systems and business supply chains in tsunami-struck areas were severely disrupted.
All around the world, disasters are occurring that can cost lives; destroy buildings; and shut down electrical power, communications, transportation and other services. After Japan’s earthquake and tsunami in March 2011, a major flood in Thailand in the fall of 2011 affected many Japanese and other international companies. In 2012, Superstorm Sandy hit the northeastern United States and flooded New York, shutting down the entire city and the New York Stock Exchange. Considering all the things that have happened in recent years, the probability of a business being affected by a natural disaster seems high, and the potential impacts are also increasing.
WHO’S AT RISK?
According to the Natural Hazards Risk Atlas 2011 (NHRA), released by risk analysis and mapping firm Maplecroft, the United States, China, Japan and Taiwan face extreme disaster risks. Nations at high risk include Mexico, India, the Philippines, Turkey, Indonesia, Italy and Canada. Maplecroft’s analysis states that “while the large developed economies of the U.S. and Japan have the greatest economic output exposed to major natural hazards, they also have the socioeconomic resilience to withstand their impacts” due to “economic strength, strong governance, well-established infrastructures, disaster preparedness and tight building regulations designed to minimize the effects of natural hazards on people.” Despite the U.S. and Japan having the highest economic exposure to natural hazards, emerging economies like China, India, the Philippines and Indonesia seem to pose more risk to investors and international business due to a lack of capacity to respond to the impacts of a major disaster.
Because so many supply chains are global, multitiered and multilayered, a disaster in one country or region of a country can have a severe impact in other regions or countries. With almost 9% of the world’s economic output coming from Japan, the Japan earthquake and tsunami had a direct impact on many companies that rely on the country for manufacturing parts, and it caused countless disruptions across the global supply chain. Because of the scale of the disaster, Japanese business communities drove nationwide initiatives to recover the factories in the affected area. The Japanese government reported that about 60% of manufacturing facilities resumed production within 50 days and an additional 30% came back by the end of 2011, which was three to five months earlier than the rest of the world expected.
The NHRA report concludes: “Companies, which are dependent upon a global network of suppliers, are inevitably likely to be exposed to disruption and financial losses following the occurrence of a natural disaster…Organizations need to monitor risks and build their own organizational resilience. Just as the strength of a country’s resilience will determine their economic recovery, the strength of business resilience will be reflected in their management of business continuity and recovery.”
BUSINESS CONTINUITY AND INTERNAL AUDIT
Protiviti’s Business Continuity FAQ document states that “a business continuity plan is a road map for continuing operations under adverse conditions such as a storm or a crime.” Any event that could impact operations is included in the business continuity plan (BCP), such as supply chain interruption or loss of or damage to critical infrastructure. As such, risk management must be incorporated as part of the business continuity plan.
There are many regulatory and industry frameworks and guidelines for business continuity management (BCM), some of them nation-based and others international. In May 2012, the International Organization for Standardization (ISO) published the new 22301 standard ("ISO 22301:2012 Societal security — Business Continuity Management Systems — Requirements"). As the world’s first international standard for business continuity management, ISO 22301 specifies requirements to “plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events when they arise.”
Because the ISO standard is developed by a global group of domain experts, it typically has more credibility for global use and is expected to be translatable and applicable for implementation in every country, as well as auditable. ISO 22301 expects top management to demonstrate an ongoing commitment to BCM. It also requires more careful planning for and preparation of the resources needed to ensure business continuity. Once the business continuity management system (BCMS) is implemented, ISO 22301 requires permanent monitoring of the system as well as periodic reviews to improve its operation.
Business continuity must go well beyond IT recovery. It is an organizationwide effort that should involve all divisions and departments. The following two distinct teams are needed:
- The network recovery or telecommunications team requires technologists: key members of the IT department and any vendors serving the company.
- The business resumption team must thoroughly study the enterprise’s processes and set priorities for what needs to be restored first and which customers to help first.
Given these risks, internal audit departments have an important role to play when auditing the business continuity and disaster recovery processes and when helping organizations recover from a natural disaster. There must be strategies, plans and actions that protect, or provide alternative modes of operation for, activities or business processes which, if interrupted, might seriously damage or ruin the enterprise.
KEEPING UP TO DATE
Auditors should evaluate business continuity readiness. This means regular business continuity assessments with summary reports to senior management. Consider the organization’s internal and external environments; understand the individual functions and interdependent business relationships; and review proposed business continuity and disaster recovery plans for design, completeness and overall adequacy.
Internal audit should ask the following questions during this audit:
- Are all plans up to date?
- Are all critical business functions and systems covered?
- Are the plans based on the risks and potential consequences of business interruptions?
- Are the plans fully documented?
- Have functional responsibilities been assigned?
- Is the organization capable of and prepared to implement the plans?
- Are the plans tested and revised based on the results?
- Are the locations of alternate facilities (backup sites) known to employees?
Periodic audits of the organization’s business continuity and disaster recovery plans should evaluate whether they will ensure the timely resumption of operations and processes after a disaster. Be sure that the plans reflect the current business operating environment, as that can change over time.
If the plans must be put into action, internal audit should monitor the effectiveness of the recovery and control of operations, recommend improvements to the BCP, provide support during the recovery activities, and identify lessons to be learned from the disaster and the recovery operations.