Are you prepared? How one internal audit department identified problems and provided recommendations to strengthen the company's response to business disruptions.

Author: Getz, Ben

RLI Corp. is a specialty insurance company that operates from more than 35 locations across the United States. Headquartered in Peoria, Ill., RLI is a publicly traded company that reported net earnings of US $126 million in 2013. There are approximately 900 employees, and the internal audit department comprises seven individuals, including the chief audit executive (CAE).

One of the internal audit department's most significant consulting activities has been in the area of business continuity planning. Initially, the department reviewed business continuity as a business unit risk during each audit. But with the need to improve the company's overall business continuity governance and coordination, especially because of increased inquiries from regulators regarding our plans, we realized it was ineffective to continue to raise these types of concerns individually.

There were four main issues of concern internal audit communicated to management: 1) While business units had varying degrees of business continuity preparation, there was not a well-coordinated corporate plan or understanding of interdependencies among departments; 2) the link between the business continuity plan and IT systems recovery plan was weak; 3) there was no clear plan on where employees would go following a disaster; and 4) there was no formal testing by members of business units.

We met with the vice president of the Administrative Services department, the owner of business continuity, to discuss the opportunities identified to improve our business continuity maturity across these four areas. Because of internal audit's unique understanding of processes and interdependencies across business units, and the need for business continuity improvement, the vice president requested our assistance to enhance corporate business continuity planning.


While much of our initial focus was on large-scale disasters, short-term disruptions--such as a water main break, downed network, or winter storm--proved much more common and important to address. These events require day-to-day communications about branch closures, as it often is not clear when the location may be available. We have now moved our business continuity efforts to a much more repeatable and sustainable process that includes:

* A governance committee to help define risk appetite and prioritize.

* Annual affirmation by business units of their business impact analysis and alternative procedures.

* Annual update and distribution of our short- and long-term business continuity plans.

* Annual business continuity plan testing.

Discussions with the audit...
