ITDR
IT Disaster Recovery + Cybersecurity: 2026 Playbook
Something has shifted.
Over the past three months, we've observed a noticeable change in how insurers are engaging with our clients across Australia and New Zealand. Random audits, the kind historically reserved for organisations with $500 million or more in annual revenue, are becoming more frequent, more thorough, and increasingly conducted on-site.
Auditors are no longer just reviewing documentation remotely. They're walking through facilities, interviewing operational teams, and scrutinising business continuity plans, business impact analyses, and emergency procedures in detail. And this trend isn't limited to the largest enterprises. Smaller organisations are also being asked to produce more evidence of their resilience posture than ever before.
This matters because what happens in these audits can directly affect your premiums, your coverage terms, and your ability to recover when something goes wrong.
Let's be direct: some of the auditors conducting these on-site reviews are not trained in the business continuity frameworks that professional advisors are accustomed to.
We've had multiple instances where our team has had to guide insurance auditors through best-practice methodologies, explaining the purpose of a business impact analysis, clarifying recovery time objectives, or correcting misunderstandings about what a continuity plan should contain.
This creates real risk.
First, your organisation may receive feedback that contradicts established best practice. If you act on that advice without questioning it, you could inadvertently weaken processes that were already fit for purpose.
Second, incorrect assessments may go unchallenged and affect your premium or coverage. If you don't know the auditor has misunderstood something, you won't know to push back.
Third, the audit itself consumes significant internal resources. Teams are being stretched thin managing their day-to-day responsibilities alongside detailed audit requests. We're absorbing much of this additional advisory time for our clients currently, but the strain on operational teams is real and growing.
Vanessa Thwaits, Advisor and Manager at Fixinc, has been directly involved in supporting clients through recent audits. She notes,
"It's important to understand what evidence is being asked for and why before handing over any documentation, and ensure the auditor comes back to you with any clarifying questions. From there, ensure the draft report is shared with you in advance to give you an opportunity to challenge anything that is not accurate or has been misinterpreted. These steps will save time by trying to get the finalised report corrected, as often this is not possible. Further evidence will then be required to justify."
Insurers are under pressure. After years of rising claims — $107 billion in natural disaster claims globally in 2025 alone, plus escalating cyber and business interruption losses — underwriters are tightening their risk assessment processes.
The Allianz Risk Barometer 2026 found that cyber incidents remain the number one global business risk for the fifth consecutive year, with business interruption close behind at number three. Only 3% of respondents rated their supply chains as "very resilient."
The message from the market is clear: insurers want proof that you can withstand disruption, not just promises.
For organisations in high-risk, high-stakeholder sectors (universities, ports, critical infrastructure, supply chain operators) this scrutiny is intensifying fastest. But the trend affects everyone. If your insurer hasn't asked pointed questions about your resilience documentation yet, they likely will soon.
Strong resilience should directly reduce your premiums. If it doesn't, you need to understand why. The following steps will help you prepare for — and manage — increased insurer scrutiny.
Before the Audit:
Start with the fundamentals: your Business Impact Analysis, Business Continuity Plan, and Policy and Framework documentation. Are they current? Have they been tested in the past 12 months? Can you demonstrate that they're operational, not just theoretical?
Insurers are increasingly looking for evidence that plans have been validated through exercises or real incidents, not just evidence that they exist.
Expect questions about:
If you can't answer these confidently, that's your signal to act before the auditor arrives. (They may also require evidence of the standards and systems you are following to arrive at these benchmarks).
Audits take time. Factor this into your team's capacity planning. If you don't have internal bandwidth, consider external advisory support to manage the process without derailing daily operations.
During the Audit
Don't wait for the final report. Ask auditors what they're finding as they go. This lets you address misunderstandings in real time and ensures you're not blindsided by findings that affect your premium.
If an auditor provides feedback that contradicts your existing framework or established standards, question it. Ask what methodology they're using. Ask for the rationale.
Brad Law, Co-Founder and Head of Consulting at Fixinc, puts it simply,
"It would make sense that auditors are referencing good practice, for instance measuring against ISO 22301:2019 Societal security – Business Continuity Management Systems – Requirements. However, we would challenge that: if your organisation is not currently formally accredited through this standard, then how can you be measured against it?"
"It's also important to recognise that even during an ISO 22301 audit, the auditor will assess whether your organisation has completed a Business Impact Analysis (BIA) and, as part of that, an assessment of your likely threats based on disruption risk. But they won't tell you what is a critical function in your business or what are the major threats to disruption. This of course can vary depending on the standard they are measuring you against."
For many organisations and industries, the complexity of the standards and regulations in place can be difficult for any auditor to truly understand. Brad clarifies,
"For instance Prudential Standard CPS 230 Operational Risk Management (targeted at Australian Financial institutions) does require you to classify the following business operations as critical operations, unless it can justify otherwise: (a) for an ADI: payments, deposit-taking and management, custody, settlements and clearing; (b) for an insurer (general, life, private health): claims processing; (c) for an RSE licensee: investment management and fund administration; and (d) for all APRA-regulated entities: customer enquiries and the systems and infrastructure needed to support critical operations."
Auditors checking risk management processes may not be trained to the same standard as a senior resilience professional. That's not a criticism, it's a reality. Your job is to ensure that reality doesn't disadvantage your organisation.
Keep records of what was reviewed, what was discussed, and any feedback provided. If disputes arise later, you'll need this trail.
After the Audit
If your renewal reflects increased premiums despite robust documentation and demonstrated resilience, ask your insurer to explain why. The link between resilience investment and insurance outcomes should be transparent. If it isn't, push for clarity.
Many underwriters are using the broader risk landscape to justify raising premiums on certain industries and locations. While there are justifiable reasons for this, your extensive validation and business continuity work should make you a notable exception.
Even if the auditor missed things or got things wrong, the process is still useful. It exposes gaps in documentation, in understanding, in communication. Use those insights to strengthen your program for next time.
The direction of travel is toward continuous compliance. Regulators and insurers increasingly expect real-time visibility into controls, not point-in-time validation. Start thinking about how you demonstrate resilience as an ongoing capability, not a once-a-year exercise.
We've covered this topic in depth on Unbreakable Ventures, our threat intelligence publication, as part of a recent fortnightly update. That piece provides broader context on the insurance and regulatory trends driving this shift.
Here, we've focused on the practical steps: what you can actually do if you're facing an audit or preparing for one.
If your organisation needs support, whether that's a rapid review of your Business Continuity documentation, help preparing for an upcoming audit, or a full program reset, we're available.
"The fact that insurers are starting to take a closer look at organisational resilience after a disruption is a good thing and, in our opinion, it's a long time coming,"
says Brad Law.
"That said, this shouldn't be an excuse to copy another organisation's plan or get AI to write one in five minutes. Follow a structured approach: analyse your business and identify critical functions and likely threats, develop plans that are direct, adaptable, and relevant, then validate those plans, and the people who'll need to activate them."
Ready to assess your audit readiness?
Contact us to schedule a consultation. We'll review your current state and provide clear recommendations typically within 24 hours of our initial conversation.
Our direct observations are based on client work across Australia and New Zealand. However, the underwriters conducting these audits are global insurers with operations across multiple regions. It's reasonable to assume similar scrutiny is being applied — or will be applied — in other markets. Regardless of location, preparing for increased audit activity is a prudent step for any organisation with significant insurance coverage.
Yes. Your broker should be aware of your intentions and your level of preparedness for an audit. They have relationships with underwriters they'll want to maintain, which may mean they stay at arm's length from the audit process itself. But keeping them informed ensures alignment and avoids surprises at renewal. If you're investing in strengthening your resilience posture, your broker should know — they can help communicate that to the market.
We don't yet have complete visibility into the specific benchmarks auditors are using across all insurers. However, it's reasonable to assume they may reference recognised frameworks such as ISO 22301 (the international standard for business continuity management), the ACSC Essential 8 for cyber resilience in Australia, or sector-specific requirements like the SOCI Act for critical infrastructure. If you're unsure what your auditor is measuring against, ask them directly — and document the answer.
This is an often-overlooked factor, particularly for organisations in shared buildings or dense urban environments. Your neighbour's risk profile can affect yours — a lockdown, fire, or security incident next door can spill onto your premises and trigger business interruption.
We've seen cases where a smaller business experienced significant premium increases in a city skyscraper without understanding why. They later discovered a political figure occupied an office above them, elevating the risk profile for the entire building due to potential protest or terrorism concerns. In that case, relocating was cheaper than absorbing the premium.
It's worth raising neighbouring tenancy risks proactively with your auditor. In some cases, this can help set realistic expectations — or prompt the insurer to conduct their own assessment of adjacent businesses. Either way, it demonstrates you're thinking beyond your own four walls.
We're a boutique advisory putting people at the forefront of effective resilience, specialising in supporting the Oceania and ASEAN regions.
