Business Continuity Planning: Finding a Better Way

Author: Kevin M. Alvero, CISA, CDPSE, CFE
Date Published: 13 October 2021

Although the details change on a case-by-case basis, a large number of organizations in some parts of the world have begun to reinstate pre-pandemic business operations in some form or another. The sense of urgency with which organizations are loosening restrictions or otherwise altering their COVID-19 protocols varies broadly based on a wide variety of factors, but, generally speaking, in the US, states have lifted stay-at-home orders, reopened businesses and relaxed social distancing measures.

When business is interrupted, a return to normal is not always possible or desirable due to changing conditions in the marketplace. In the same vein, as organizations return to normal (at least partially) as the COVID-19 pandemic eventually subsides, it will be very important for IT leadership and the audit function to take a critical look at the processes and procedures that were changed out of necessity during COVID-19 and consider whether something they did during that time was actually working better than the existing method. The restrictions brought on by COVID-19 forced organizations to fix things that were not necessarily broken, creating an opportunity to discover more effective or more efficient processes that otherwise would not have been explored. If this happened, then that learning needs to be captured so that it can be leveraged toward business process improvement (BPI) efforts for the organization as a whole.

The Project Management Institute defined a 5-stage process for gaining value from lessons learned throughout a project:

  • Identify
  • Document
  • Analyze
  • Store
  • Retrieve

Based on this model, the first two stages (identification and documentation) are where IT auditors really have a chance to shine. There are a number of possible approaches to doing this, but one of the most natural ways is to integrate questions into each audit that ask whether any processes that were altered in response to COVID-19 have the potential for permanent or long-term BPI. In short, auditors should find a place in each engagement to ask stakeholders, “In the process of adapting to the COVID-19 pandemic, did we stumble onto a better way of doing things?” Their responses can be leveraged to create recommendations, either for permanent implementation or adoption of the new methods or for studying the potential opportunities and risk of making such a long-term shift.

However, this is not an exercise that should be limited to reflection on pandemic response. Capturing lessons learned should be a stated goal of any business continuity plan (BCP) or disaster recovery plan. Business continuity planning by definition involves resuming normal operations; however, any time it is used, there should be a mechanism in place to determine if there are improvements to normal operations that can be made based on lessons learned during an emergency or contingency that required BCP implementation. Whether this step is included in existing BCP documentation is another good question for auditors to explore.

Editor’s note: For further insights on this topic, read Kevin Alvero’s recent Journal article, “The Global Pandemic’s Affect on Business Continuity Planning,” ISACA Journal, volume 3, 2021.