The financial services industry has long relied on internal audit functions to assess and challenge the effectiveness of various programmes designed to protect and build organisational value. These programmes have included disaster recovery, business continuity, risk management, cybersecurity, and many others designed to help institutions recover from an event.
The pressure comes amid fears that operational disruptions to the products and services organisations provide have the potential to harm consumers and market participants, threaten the viability of these entities, and create instability in the financial markets.
However, with rapid technology development and globalisation, internal audit functions are having to evolve and adapt to emerging business risks and regulatory expectations. Regulators expect and, in many cases, are demanding that firms and financial market infrastructures (FMIs) demonstrate greater resilience, while organisations, management and boards are under increased pressure to build out more robust resilience-focused programmes. The pressure comes amid fears that operational disruptions to the products and services organisations provide have the potential to harm consumers and market participants, threaten the viability of these entities, and create instability in the financial markets. A string of large-scale technology outages and cybersecurity attacks in recent years has exposed systemic vulnerabilities and intensified regulators’ concerns.
Consequently, financial institutions (FIs) are seeking assurance strategies that can evaluate all the various crisis and disaster management disciplines holistically and align them with their overall resilience objectives. Indeed, FIs recognise the need to develop formalised processes and capabilities that would enable them to continue to provide services when faced with extreme but plausible events.
Given the emerging nature and complexity of operational resilience, there is growing urgency for internal audit to play a bigger role in providing assurance that the governance, risk management and controls that are being created to enhance resilience capabilities are adequate. This changing dynamic also provides an opportunity for internal audit to develop a flexible and comprehensive approach that not only targets all aspects of a resilience programme but can be incorporated into existing business and IT audits.
DEFINING OPERATIONAL RESILIENCE
Not a new concept, but one that is receiving scrutiny from regulators and leaders alike, operational resilience is defined as an organisation’s ability to detect, prevent, respond, recover and learn from operational and technological failures that may impact delivery of critical business and economic functions or underlying business services. The concept of operational resilience is evolving as firms expand programmes and capabilities to address a broad range of threats that could cause business failures, systemic risk, and economic impacts.
Building the resiliency of the financial industry is a collective responsibility of FIs, regulators, key sector utilities, and industry associations. Within each organisation, operational resilience calls for stakeholders to promote a culture of resiliency through oversight, training and awareness, communications and board reporting. The key components of operational resilience, which include defining and understanding critical business services, impact tolerance and economic impact, are essential guideposts on the road to resiliency. And, vitally important is the role internal audit plays in assessing these various components, providing assurance that stakeholders are addressing the key risks identified.
Working in concert with leading financial industry groups and individual institutions, Protiviti’s internal audit experts are expanding existing programmes to incorporate a more comprehensive assurance over operational resilience. The revised resiliency audit approach addresses governance structures from an operational resilience perspective and provides coverage of all the foundational elements (e.g., cybersecurity, disaster recovery, business continuity planning, and vendor risk management) within business-as-usual audits, and front-to-back resiliency processes.
This white paper outlines leading practices for providing comprehensive assurance over operational resilience programmes, explains key resiliency concepts, and identifies critical questions every chief audit executive should ask concerning resilience assurance.