The consequences of COVID-19 have changed the risk landscape. Internal audit functions need to be closely aligned with, and responsive to, rapidly evolving business demands and priorities now more than ever before. Increasingly, they need to operate in more flexible and agile ways to remain relevant and support their organisation in accomplishing its objectives.
Our virtual Chief Audit Executive (CAE) Forum meets regularly to exchange ideas about how to manage the audit process through and beyond the current pandemic. The session on 8th July focused on the role best-in-class internal audit functions are playing in helping firms optimise business resilience planning, and how this will continue in the future.
- An embedded resilience culture, clear and timely communications and flexible resources have been key attributes demonstrated by those organisations that have responded well to the COVID-19 pandemic.
- The effectiveness of organisations' resilience planning and testing enhances their ability to adapt to a greater range of scenarios.
- Organisations should not take false assurance from their ability to respond to COVID-19 and should continue to enhance their operational resilience to prevent, adapt to, respond to, recover from and learn from a variety of operational disruptions.
- Internal Audit needs to be able to adapt to the business's needs during an operational disruption to best support the business and provide the insights needed.
- Internal Audit should employ a range of approaches to provide assurance over operational resilience from continuous monitoring and providing real time input and challenge on the effectiveness of governance, risk management and internal controls during management of a disruption, through to conducting standard audits of resilience framework elements and foundational areas of cyber, business, technology and third-party resilience.
Common approaches to operational resilience planning
One speaker who is working with organisations on their operational resilience plans began by defining the term itself. She said that:
"operational resilience is the ability to prevent, adapt, respond to, recover and learn from operational disruptions."
It is not just an extension of business continuity or disaster recovery plans. Under most traditional BCM programmes there are no formal or consistent definitions of important business services, the front-to-back mapping of all resources supporting these services is not comprehensively captured, and tests are not scoped or facilitated in a manner that validates all aspects of the function or line of business being tested.
There should be clear accountability for operational resilience within an organisation, while those responsible should have the mandate to make investment decisions today that will have a positive impact in the future and help to prevent harm.
Operational resilience is a key topic for regulators, boards and audit committees. With heightened levels of interest, they are looking for evidence from leadership teams that effective steps have been and are being taken.
There is a clear framework to move through: from evolving governance models and culture to deliver operational resilience through to identifying important business services, mapping the processes that enable them, setting impact tolerances and conducting regular scenario testing to understand the circumstances in which tolerances can and cannot be met. Test findings should be used to evolve and develop resilience plans over time.
Looking specifically at the COVID-19 crisis, organisations' responses have focused primarily on employee safety, supporting critical systems, engaging with critical third parties, understanding how to support customers and partners, safeguarding the firm's financial position, and understanding and communicating changes in the risk profile and control environment.
For those organisations in sectors where demand for products and services has continued, common success factors which have contributed to effective operational resilience have included the ability to support remote working, prompt deployment of relevant technology, reprioritisation of projects, the ability to redeploy staff where needed and regulatory forbearance.
COVID-19 is an example of a severe but plausible event. When considering severe but plausible events, consideration should be given to the speed, scale and symmetry of the operational disruption. In the case of COVID-19, the pandemic was slow, prolonged and symmetrical, which has meant firms have had time to think about how to respond, and there has been a high level of goodwill and tolerance across all stakeholder groups which may not be present in future scenarios. Therefore it is important not to take false assurance from organisations' response to COVID-19, and to continue to enhance the operational resilience built throughout the crisis so that other threats that are faster, differ in scale, or are asymmetric can be equally well managed.
Ensuring change for the better doesn’t stop
One contributor agreed that normal business continuity and disaster recovery plans did not apply in the case of a pandemic that affected the whole world as well as its supply chain.
The biggest challenge for the company was its diverse portfolio, from running leisure centres to providing front-line staff to hospitals. Each business line needed its own response and effective decisions needed to be made at speed.
The second challenge was the sheer scale and variety of tasks the company was asked to manage, including turning a warehouse into a hospital. These were outside the normal contract tendering process, so different levers needed to be used, while ensuring that any risks were balanced against the requirement for a successful outcome.
The company has managed the crisis well, partly because of clear communications from senior management. There was no doubt where the priorities lay, including commitment to stand by government contracts and protect critical national infrastructure, staff safety and revenue protection.
The relatively loose organisational structure at the company also held it in good stead, because divisional or functional heads were already empowered to deliver results. Key, however, was also better cross-team communication, and this is something the company is keen to sustain moving forward to help remove silos.
It will also maintain a more agile approach to the audit process, having made decisions in days rather than months during the crisis.
Above all, culture and communication have been the two biggest factors in keeping the company moving forward.
These are difficult to audit as processes, but they have already led to some structural change, which means there is better dialogue across sectors and a better understanding of how others in the business operate.
As well as considering the adequacy of resilience plans, audit should consider the ability of organisations to adapt and change approaches as different scenarios unfold.
Building on engrained operational resilience
Another contributor said that their industry had not seen the same level of forbearance from market regulators during the crisis, and that the firm was used to scenario planning and testing for major accidents and hazards, such as an oil rig catching fire.
Safety and cash were at the front of the firm’s planning during the crisis.
One lesson learned was that different parts of the organisation could move at a different pace, with front-line workers adapting first, then information systems and support staff, and then the back office.
The ability of the business to continue to operate normally and to continue with planned organisational restructuring demonstrated the strength of resilience planning that was embedded within all parts of the organisation.
What makes an organisation resilient - and what role can internal audit play?
Our speaker returned to spell out the factors that have made organisations resilient over the past few months, including an embedded resilience culture, clear and timely communications, and dynamic, flexible resources.
She also explained that audit should have a seat at the table with senior executives managing the COVID-19 response to provide real-time input and challenge over the effectiveness of governance, risk management and internal controls, particularly where decisions are being made outside of the typical process, which often involves a skill set different to that of a ‘traditional auditor’.
Internal audit functions are increasingly moving towards a range of audits and continuous monitoring activities of the different processes or components related to operational resilience. This includes providing assurance over scenario development and testing on a continuous basis, with an emphasis on quality of the severe but plausible scenarios and application of any lessons learnt. Audits could continue to focus on key foundational elements, such as business resilience, cyber resilience, third-party resilience and technology resilience as well as integrating coverage of resilience into other relevant BAU audits to provide a comprehensive view of the resilience of the organisation.
In response to COVID-19, one contributor explained that there was a need for their audit plan to be flexible, with agreement over audit activity for three months but recognising that activity beyond this time frame may need to change to adequately respond to the organisation's management of the pandemic. It was highlighted that it was equally important to maintain a view on what was not being covered as a result, so a list of these areas was also maintained and regularly communicated.
Finally, another contributor explained that, remote working aside, the company has operated normally through the crisis. It has been preferable to adopt a 'management memo' communication approach, giving the leadership team quick overviews of elements such as liquidity, cyber security and technology.
This has all been done through the lens of what impact issues will have on customers and how they can be mitigated, but also what financial impact investment in specific tools will have. Communications to the board have needed to be transparent and include things that are changing, staying the same or not being done.
Different elements of the business have been considered separately, with the group’s online brand operating normally, but the contact centres for another having to be relocated to working from home. This latter measure would not have been considered six months earlier. Audit’s focus has therefore also needed to adapt to those areas that pose the greatest risk.