A Conversation with Internal Audit & Business Continuity
Featuring Jennifer Parker, Senior Internal Auditor & Angie Mackley, Senior Business Resilience and Corporate Risk Specialist
Across the industry, business continuity and resilience is an ever-evolving and increasingly important function. More than ever before, businesses are seeking out ways to make their operations safer, more secure, and less vulnerable to emerging risks. And Donegal is no exception.
Here at Donegal, “We’re reworking our current Business Continuity structure to ensure proper alignment of roles, risks, and trends,” said Jennifer Parker, Senior Internal Auditor. “Instead of putting everything into the ‘Business Continuity’ bucket, we are working on creating a ‘Resilience’ structure and defining lanes of concentration.”
From emergency planning to workplace safety, and the continuation of operations during a disruption or event, business continuity and resilience can be all-encompassing, and frankly, overwhelming.
We sat down with Jenn and Angie Mackley, Senior Business Resilience and Corporate Risk Specialist, to learn how agents and other business owners can rise to meet the challenges of a shifting risk landscape.
Hi, Jenn & Angie – tell us a little about yourselves!
Parker: “I was introduced to the world of auditing in my early 20s, when I became an auditor for the state. I was fortunate enough to land at Donegal’s Internal Audit Department at the end of 2018. Two years ago, I assumed the business continuity role in addition to my audit role – an evolving area here at Donegal! I’ve really enjoyed digging in and learning all things Business Continuity (BC).”
Mackley: “My background lies with occupational safety. I pivoted from a direct patient care role in the 90s to the safety field, because I wanted to prevent injury. That journey started in woodworking and evolved into working in healthcare, and then eventually for an insurance broker, where I did Loss Control. As a former director of Safety & Emergency Management, I’ve been exposed to emergency preparedness and business continuity for a long time. I later joined Donegal’s Loss Control team, which evolved into my current role in business resiliency and corporate risk.”
How is the landscape of evolving risks shifting across our industry?
Mackley: “We are one connected world! So, it’s definitely no surprise that Artificial Intelligence is an evolving threat. Companies aren’t quite able to keep up with the pace of AI as it’s being rolled out. We’re all familiar with cyber breaches in our industry, and AI isn’t an isolated item that you can stick into a tech bucket. It touches everything from marketing to how people model their business, and whether employees are using it appropriately – just to name a few. In addition, we hear a lot about climate change, so severe weather trending is something we’re looking at here internally. It impacts businesses in so many ways. On top of that, there are emerging litigation risks – particularly from recent wildfires. It’s definitely evolving, and historical data is limited, so it’s hard to predict.”
What do you wish employees knew about business continuity and resilience?
Parker: “Employees should understand their part in it. There are higher-level decisions that are made, but employees should know how they impact business resiliency on an individual level. It could be anything from helping with expense management, to knowing what to do in an emergency such as a fire or medical event, and following proper communication channels when you see something that doesn’t appear to be quite right – like notifying a manager if you observe a suspicious person ‘casing’ your business or office.”
Mackley: “It could be something as simple as adhering to badge policies for building access – something that has the potential to create vulnerabilities within a business.”
How can businesses make sure they’re prepared?
Mackley: “Step back and ask yourself, what’s your most likely situation? Have you had any near-misses? What have you experienced near-miss-wise, where you’ve stepped back and said, ‘That could’ve been really bad!’ Learn from that and build on it – whether it’s doing some training, or writing up a new procedure based on the lessons learned and the experience. Those are things that don’t require a big investment.”
What should one focus on when building a resiliency plan?
Parker: “Identify your critical processes, critical vendors and critical obligations.”
Mackley: “What are the emerging risks that would be threats to your company? Identify them – and then once you’ve done that exercise, decide ‘what am I going to tackle first?’ Think about who your spokesperson or public information officer would be in a crisis. If you have the resources, or an accessible subject matter expert, get the training and information. There are many resources out there that are cost-effective, including county and state resources – even in neighboring states. Tap into your neighbors. FEMA and Ready.gov (a website of the U.S. Department of Homeland Security) both offer resources on certain preparedness topics, as does the Occupational Safety and Health Administration (OSHA). There are so many free resources out there!”
Parker: “Speaking of emerging risks, Third-Party (the use of vendors) is a hot topic. Regulators and auditors are asking more questions about our Third-Party Risk Management program. The more a company relies on vendors, the higher risk it has for data breach attempts and operational disruptions. When you’re building a resiliency plan, make sure you are identifying vendors that are critical to your operations. Procedures should be in place to monitor those critical vendors.”
Mackley: “With Third-Party, we assess them for criticality based on the potential impact to ‘conduct business as usual.’ Where do they fall in the risk lineup? How much does that increase our risk or our exposure by using a certain vendor? While a business might have transferred risk by engaging a contractor, it might also open the door to other vulnerabilities if they’re not being monitored or properly vetted.”
What are some small ways that businesses can get started?
Mackley: “Getting started is truly the hardest part. Assess what your vulnerabilities are. Maybe nail down your top 3 or 5 risks to work on, and decide how you can address the other ones in the future. It’s a continuous improvement process. There are free tools that businesses can look up to do a hazard vulnerability analysis that will assist in identifying their top risks to prioritize their planning, mitigation, response, and recovery activities.”
Parker: “From the business continuity side, look at your critical functions. What are your main functions? Here at Donegal, our core business functions are Claims and Underwriting. We need to be able to continue to pay claims to our policyholders and underwrite new business. If we had a disruption that caused our systems to go down, we’d need to prioritize the restoration of the systems that support our Claims and Underwriting functions. Manual workarounds need to be in place so that our business doesn’t stop just because our systems are down. So on the agent side, you could think through, ‘How would we continue to write policies or communicate with our potential clients if we were down?’ Then, walk through those steps and document what you would do manually. Talk through this plan with your employees and seek their input. Depending on the size of your organization, consider forming a committee or workgroup dedicated to thinking through manual workarounds, evacuation plans, compiling a phone list or looking into an alerting software so you can communicate with your employees during a disruption.”
Mackley: “Take it one step at a time. It doesn’t have to be tackled all at once. You have to prioritize. Speaking from experience, you can’t fix it all at one time – and you don’t always see the results of your work, meaning that you don’t know how many incidents or how many breaches or citations by a regulator that you’ve prevented. You can’t always quantify that.”