The devastating effect of Typhoon Haiyan in the Philippines, as well as the damage caused by storms in the US, has once again brought weather-related risks to the fore.
For the past decade at least, adverse weather risks – floods, heavy snow, drought and hurricanes – have risen up the risk agenda of most large UK organisations, as the financial impact of any down-time becomes increasingly apparent. In a survey by the Chartered Management Institute released in early 2013, managers estimated that “freak” heavy snowfalls in 2012 cost them an average £52,000 through disrupted business. In some cases, however, the average loss was closer to £1m.
But even relatively routine weather conditions can bring calamitous consequences. On 14 August 2003, when a power line hit trees, large portions of the midwest and north-east US and Ontario, Canada, experienced an electric power blackout that lasted for up to four days in some areas.
The blackout’s primary cause was a software bug in the alarm system in energy company FirstEnergy Corporation’s control room, which made operators unaware of the need to redistribute power. But the problem was exacerbated by high temperatures. The hot weather (31°C) led to increased energy demand as people across the region turned on fans and air-conditioning. This caused the power lines to sag as higher currents heated the lines.
The US Department of Energy put the total economic cost of the event at US$6bn – most of it from business losses. And as a direct result of the blackout, Canada’s GDP fell by 0.7 per cent in August 2003, with a net estimated loss of 18.9 million work hours.
Manufacturing was particularly hard-hit. Car manufacturer Daimler Chrysler lost production at 14 of its 31 plants and had to scrap 10,000 vehicles because there was no power to dry the cars going through the paint shops. At Ford Motor Company’s casting plant in Brook Park, Ohio, the outage caused molten metal to cool and solidify inside one of the plant’s furnaces, which delayed production by a week.
Meanwhile, the UK government is hammering home the need for organisations to have better weather-preparedness and business continuity plans. In the Cabinet Office’s National Risk Register of Civil Emergencies for 2013, three of the five highest priority risks are weather-related: coastal flooding, severe effusive (gas-rich) volcanic eruptions abroad and severe wildfires. (The other two risks are pandemic flu and catastrophic terrorist attacks.)
Flood risk’s position at the top of the list is unsurprising. More than 2.5 million properties in England are at risk of flooding from rivers or the sea, of which almost 500,000 are at significant risk, according to the Environment Agency’s national assessment of flood risk (updated in August 2013). One million of the total are also vulnerable to surface water flooding, and a further 2.8 million are susceptible to surface water flooding alone.
To help it cope with flooding and other crises, the UK has had business continuity plans and emergency response protocols in place for almost a decade. The Civil Contingencies Act (CCA) 2004 establishes a clear set of roles and responsibilities for those involved in emergency preparation and response at a local level.
The legislation divides local responders into two categories. Category 1 responders are organisations at the core of the response to most emergencies – such as the emergency services, local authorities and NHS bodies. They are required to assess the risk of emergencies occurring and to use this to inform contingency planning.
Category 2 organisations – including the Health and Safety Executive, transport and utility companies – are “co-operating bodies”. They are less likely to be involved at the heart of planning work, but will be heavily involved in incidents that affect their own sector. Both categories come together to form “local resilience forums”, based on police areas, which will help coordination and cooperation between responders at the local level and produce a public community risk register.
Internal auditors are at the heart of disaster-recovery plans. The internal audit function should be providing assurance over the adequacy of the frameworks that support the organisation’s response to adverse weather risks, says Russell Heppleston CMIIA, audit manager at the Mid-Kent Audit (MKA) Partnership, which provides a shared internal audit service for Ashford, Maidstone, Swale and Tunbridge Wells Borough Councils. For MKA, as a category 1 responder, this role culminates in three strands of audit and risk work: emergency planning, business continuity planning and disaster recovery.
Internal audit monitors the organisation’s planned response to weather-related incidents and checks that it complies with its duties under the CCA, says Heppleston. The function also plays a key role during any scenario testing of the plan, to give an objective view on the organisation’s preparedness – including lessons learned – and effectiveness of the tests, providing assurances that the organisation has the necessary facilities and equipment in place to cope with the level of risk.
Business continuity planning is considered within each audit project, particularly with regard to financial and IT systems, he says. Internal audit teams work alongside IT technicians to carry out testing on the adequacy of back-up recall and rebuild routines if the system should fail, while also checking the security and protocols of the organisation’s disaster-recovery facilities and data – on- and off-site.
Internal audit has a dual role as an assurance provider and as a participant, Heppleston believes. “Internal auditors are called on just like any other officer in the event of an emergency. Therefore, auditors take an active role during business continuity planning, disaster recovery and emergency planning scenarios and test exercises to advise on the effectiveness of controls, efficiency of procedures and the management of risks. This is reported back to the organisation at the end of the event to ensure that lessons are learned and new processes and better safeguards don’t get lost or missed,” he says.
Whatever the weather
The Met Office is the UK’s official weather service and has an essential role in warning the public and emergency responders of severe or hazardous conditions. So it is imperative that the organisation itself remains operational, even if floods, high winds or snowfall affect its systems, staff or premises.
The organisation uses internal risk information, the Cabinet Office’s national risk register for civil emergencies and local resilience forums to inform “horizon scanning” and scenario planning, which help to produce a better controls environment and determine the chance of a “black swan” event, says Jonathan Kidd, the Met Office’s head of internal audit.
Horizon scanning involves looking at current and emerging risk information to assess the probability of high-impact risks occurring in the future and ensuring the controls framework can cope. Black swans are unforeseen risk events that the organisation hopes to mitigate through better controls, risk reporting and information sharing, so the impact is reduced and recovery/continuity plans can kick in quickly.
“Looking at these different risk registers gives us a better sense of the risks that organisations are prioritising, as well as an idea of how they are being assessed, identified and controlled,” says Kidd.
“We can therefore see whether the basis for assessing these risks is correct, and check whether the measures to mitigate them are sufficient and practicable,” he explains.
The Met Office also has regular meetings with key people from across the business to help identify new risks, he adds. These meetings are used to indicate to internal audit whether the existing procedures and controls would provide appropriate assurance.
“We had a meeting in the summer and discovered that some of the contingencies we had in place might not be sufficient if certain events happened in a particular order, so we have now adapted these to be better prepared,” he says. “It’s a useful exercise, and it shows people in the room what internal audit and risk management does and how we can help.”
Other experts agree that internal audit has a key role in ensuring that organisations can function if they or their suppliers and customers are affected by weather-related events.
Greg Markham, technical director at facilities management provider EMCOR Group (UK), says that internal audit should review the organisation’s core staff requirement and check that management has calculated the minimum staff and roles it needs to keep the business operating in the short and long term. He also advises that organisations reserve local hotels or set aside ready-to-use emergency on-site accommodation for key staff.
Stephen Keenan, UK and Ireland vice-president at telecoms company Verizon, believes that internal auditors are central to developing, testing and updating the disaster recovery response plan and to ensuring that it is understood and communicated throughout the organisation. The function should also check that the organisation can cope with staff working off-site, he believes.
“Internal auditors should ensure that employees have the training and tools needed to do their jobs – in the office, on the road or at home – by checking the organisation performs skill-set assessments to understand staff requirements to support business continuity in the event of a disaster,” Keenan says.
He advises that “internal auditors should ensure they have a host of business partners whose resources are available for rapid deployment to assist in recovery and continuity efforts”.
Adverse weather conditions will remain a challenge for organisations, but better planning and testing can alleviate some of the worst disruption – and internal audit has a central role to play.
For more information
The Department for Environment, Food and Rural Affairs (DEFRA) has published The National Flood Emergency Framework for England, which aims to provide a forward-looking policy framework for flood emergency planning and response.