CAE Briefing E44: 2020-03-29

The Chief Audit Executive (CAE) Briefing is now a FREE course for all CAEs. If you are the CAE in your organization, or you report to a CAE in a large organization, you may register for this course at: 

https://jasonmefford.mykajabi.com/offers/ezsxLzjQ

If you are NOT a CAE, this course is not for you.

In this weeks’s video https://youtu.be/8zVX-5Yw0B8 I talk about business continuity planning (BCP) which is always a relevant topic anytime our organizations experience crisis events like the one we are going through now with COVID-19.

It amazes me each time we go through an event, how unprepared most organizations are. This give us the opportunity to help our organizations learn and improve from these events (in fact, if you are like I was many of you may be a part of your BCP team and are literally helping execute the plan now). After each event there is an opportunity to refine our plans, and this is one area where we can help provide value as we come through the initial challenges.

I know many IIA, ACFE, ISACA, etc… local meetings, conferences and trainings have been cancelled, leaving some of you and your teams without your normal monthly CPE hour options.

cRisk Academy has hundreds of courses available on-demand where you can earn CPE virtually, at about the same investment you would normally spend going to a local chapter meeting, but the on-demand courses you can take any time, any where, and on any device.

You and your team can join the thousands of professionals each month getting on-demand, webinar and certification training.

Perfect for these times when many are working from home and in-person is just not an option.

Perfect also in the future when things go back to normal.

Why spend 3-4 hours out of your work day for 1 hour of CPE when you can do it online without the travel time?

Sign up for a free account at: https://ondemand.criskacademy.com/?affcode=105582_jpp6czlf

cRisk Academy also offers two free webinars each month.

Stay safe my friends.

Transcript

1
00:00:00.900 –> 00:00:10.380
Jason Mefford: Welcome to another episode of The chief audit executive briefing. Hey at this week. I wanted to talk a little bit about business continuity planning.

2
00:00:11.099 –> 00:00:20.160
Jason Mefford: Now I know with a lot of the things that have been going on a lot of your organizations have turned back to their BCP plan and you’re probably implementing it.

3
00:00:20.970 –> 00:00:29.340
Jason Mefford: But what we find is, each time one of these things happens most organizations aren’t ready for it. So even when they have a plan.

4
00:00:29.730 –> 00:00:37.140
Jason Mefford: Or sometimes their plan is actually not as effective as it could be. And that’s because there’s really six different things.

5
00:00:37.620 –> 00:00:43.470
Jason Mefford: That you need to be thinking about from an impact perspective that I want to talk to you about today.

6
00:00:44.160 –> 00:00:51.420
Jason Mefford: Okay. But to start with. I just want to, you know, share with you and experience from my career in this is, you know, was a different event.

7
00:00:52.170 –> 00:00:58.860
Jason Mefford: But it was a time when we had to access our business continuity plan and we learned some things

8
00:00:59.310 –> 00:01:06.570
Jason Mefford: You know, by going through these events and I’m guessing that this is kind of similar to what’s going on in your organization as well.

9
00:01:07.170 –> 00:01:16.350
Jason Mefford: So I’m here in California and some of the things that we have to deal with our Earthquakes, fires and then usually the resulting mudslides

10
00:01:16.800 –> 00:01:29.040
Jason Mefford: When we get heavy rain after a fire. And so what happened is the company that I was working for. We had a couple of different incidents that actually happened within a very short period of time.

11
00:01:29.850 –> 00:01:40.560
Jason Mefford: And one of them that happened was we had. It was a larger earthquake, it wasn’t, it wasn’t really very big, but it, it happened during business hours.

12
00:01:41.160 –> 00:01:47.910
Jason Mefford: And it wasn’t very far from our headquarters, where the epicenter was, I think it was only about a three and a half on the Richter scale.

13
00:01:48.330 –> 00:01:54.030
Jason Mefford: But it was enough that it shook the office and it shook up our employees. Okay.

14
00:01:54.630 –> 00:02:07.680
Jason Mefford: Now, at that point, you know, we had a BCP plan in place. In fact, our admin manager in our headquarters was the one who was kind of designated as the point person.

15
00:02:08.370 –> 00:02:22.860
Jason Mefford: And so when the earthquake happened, I was expecting the admin manager to pick up the phone decide what we’re going to do, because everybody started asking do we evacuate the building. Do we go home. What are we supposed to do.

16
00:02:23.790 –> 00:02:35.220
Jason Mefford: So, you know, again, our admin manager was the one who had the primary responsibility for that. Now, the issue was our admin manager had just retired.

17
00:02:35.820 –> 00:02:44.400
Jason Mefford: And so it was a man that had been with us for a long time and I didn’t even think about that in the transition of him retiring.

18
00:02:44.820 –> 00:02:58.950
Jason Mefford: And a new admin manager coming in that she did not realize she was the one with the responsibility for it. So she was looking to me and I was looking to her and then we finally realized what actually happened.

19
00:02:59.640 –> 00:03:10.080
Jason Mefford: Now, again, we had, we had a plan in place. In fact, we actually had extra food in the headquarters in case, for example, our employees could not go home.

20
00:03:10.650 –> 00:03:15.210
Jason Mefford: The problem was, you know, that again when that event happened when the earthquake happened.

21
00:03:15.840 –> 00:03:28.650
Jason Mefford: And we started going through our BCP plan, we realized, for example, that the food that we had had actually expired. So we’d purchased it before it was already, but it was actually expired.

22
00:03:29.190 –> 00:03:40.500
Jason Mefford: So there’s little things like that that you start to learn as you go through these kind of events. And again, I’m guessing that most of your organizations are experiencing some of this now.

23
00:03:41.160 –> 00:03:49.260
Jason Mefford: Where maybe they had a plan, but they’ve never had to actually implement it. And so there were some things that you can learn or some lessons learned.

24
00:03:49.830 –> 00:04:01.410
Jason Mefford: To kind of move forward. At that point, this is a good opportunity for you to get involved, usually in that process and to be able to help out. So first, you know, to be able to help

25
00:04:01.920 –> 00:04:10.650
Jason Mefford: But also to be able to understand maybe where there are some areas for improvement. Now that brings me to the next point that I want to talk about, which is

26
00:04:11.520 –> 00:04:30.270
Jason Mefford: The plans themselves plans themselves should not be based on particular events. Okay. And so, so what I mean by that is no organization should have had a coronavirus response plan because the problem is we didn’t know that coronavirus or co VI de

27
00:04:31.680 –> 00:04:40.950
Jason Mefford: Was going to be the event, we didn’t. We couldn’t anticipate that that was the event because this particular virus strain didn’t exist, a while ago. Right.

28
00:04:41.340 –> 00:04:54.570
Jason Mefford: And so we can’t anticipate the actual event, but we can anticipate those six different impact areas. And so as you’re developing business continuity plans.

29
00:04:54.930 –> 00:05:04.620
Jason Mefford: They should be focused on how do we deal with the impacts of these six areas, regardless of what the event happens to be

30
00:05:05.250 –> 00:05:19.020
Jason Mefford: Okay, because it doesn’t matter what the event is almost every single crisis issue has the same six impacts and here they are. The first one you lose access to your facility.

31
00:05:19.530 –> 00:05:25.890
Jason Mefford: So in this particular one that we’re going through now all of you are probably experiencing that

32
00:05:26.310 –> 00:05:35.400
Jason Mefford: With things like the quarantines and requiring people to work at home you have lost access to the most part to your facilities.

33
00:05:35.790 –> 00:05:44.250
Jason Mefford: So as a result, if there are things that are physically at your facilities that you need access to. You may have limited access to it now.

34
00:05:44.640 –> 00:05:53.130
Jason Mefford: So that’s one of the areas that you want to be focusing on in your plan area. The second one is a loss of communication.

35
00:05:53.790 –> 00:06:07.800
Jason Mefford: Now in this particular event that probably did not impact you, because the power wasn’t out and we could still communicate via phone, email, things like that right video chats. So that probably wasn’t a big deal for you.

36
00:06:08.610 –> 00:06:18.660
Jason Mefford: The third one is the loss of power and again in this instance that the event didn’t normally have an impact on your power.

37
00:06:19.380 –> 00:06:28.200
Jason Mefford: But again, you’ve got to see where some of those correlations are if you lose power, you probably lose communications. You probably also lose the fourth one which is data.

38
00:06:28.800 –> 00:06:43.260
Jason Mefford: Because everything is tied or is usually electronic now so that if we don’t have power. We can’t access our communications and we can’t access our data. Okay.

39
00:06:44.220 –> 00:06:55.980
Jason Mefford: In fact, we can’t access our facility usually either because we can’t see there, you know, we can’t get in because the security systems and we can’t actually see because there’s no power in the building.

40
00:06:56.490 –> 00:07:04.710
Jason Mefford: So those are kind of the first four that normally end up happening now. The fifth one relates to supply chain disruptions.

41
00:07:05.130 –> 00:07:13.800
Jason Mefford: And so again, in this particular event that we’re going through now you can see where the supply chain has been impacted

42
00:07:14.310 –> 00:07:23.430
Jason Mefford: So companies that rely, for example, on a lot of imports from China have been impacted because obviously a lot of that has slowed down.

43
00:07:24.150 –> 00:07:36.870
Jason Mefford: Because of you know some of the impacts to these businesses around the country as well the supply chain has been impacted a lot more people are purchasing online putting a lot more

44
00:07:37.800 –> 00:07:51.600
Jason Mefford: Demand on kind of the, the transportation and that ends up having some supply chain impacts or if any of the companies that you’re partnering with have an issue with this again that can impact your supply chain.

45
00:07:52.890 –> 00:08:05.730
Jason Mefford: Now the last one. The sixth one is employee casualty or absenteeism and so those kind of go together because either you know in some crisis’s you may actually have some of your employees die.

46
00:08:06.210 –> 00:08:17.940
Jason Mefford: Which would be employee casualties, or they could just be absent from work because either they’re sick or for some reason, like, you know, we have here in California quarantine.

47
00:08:18.300 –> 00:08:28.260
Jason Mefford: They’re not able to come into work. So they have to be able to work from home. Now again, these are the six areas that your plan should be should be dealing with

48
00:08:28.710 –> 00:08:40.140
Jason Mefford: And that’s why this issue, even though. Again, a lot of people have to work from home. Now, a lot of companies, for example, have options for employees to be able to work from home.

49
00:08:40.500 –> 00:08:49.500
Jason Mefford: So because of that, the impact from employee absenteeism is decreased again, regardless of what the event happens to be

50
00:08:50.280 –> 00:09:00.720
Jason Mefford: So again, just wanted to kind of go through that with you a little bit today, take this as an opportunity to be able to help your organization, improve its business continuity planning going forward.

51
00:09:01.320 –> 00:09:10.020
Jason Mefford: If you have any questions, if you’re not really sure where to start just reach out to me. I’ve dealt with this a lot and I actually have some

52
00:09:10.650 –> 00:09:22.710
Jason Mefford: Industry experts that I turn to as well so that if you’re needing a little bit more help on this, just let me know and we’ll see what we can do to help. So with that. Have a great rest of your week, my friends, and I’ll talk to you next week.