The consequences of COVID-19 have changed the risk landscape. Internal audit functions are finding more than ever that they need to be closely aligned with, and responsive to, rapidly evolving business demands and priorities. Increasingly, they need to operate in more flexible and agile ways to remain relevant and support their organisation.
Our Chief Audit Executive (CAE) Forum meets regularly online to exchange ideas about how to manage the audit process through and beyond the current pandemic. The session on 8th July focused on the role best-in-class internal audit functions are playing in helping firms optimise business resilience planning, and how this will continue in the future.
- Operational resilience is delivered when the executive can make conscious and confident decisions with agility – internal audit teams need to make information available in easily digestible formats;
- Lessons learned from the COVID-19 pandemic should be carried forward to apply to the next crisis, even if it is not so all-pervasive;
- Quick decisions based on (possibly) incomplete information are better than delayed decisions with complete data.
Best practice operational resilience planning
A director from Protiviti who is working with organisations on their operational resilience plans began by defining the term itself. She said that "operational resilience is the ability to prevent, adapt, respond to, recover and learn from some sort of failure".
It is not just an extension of business continuity or disaster recovery plans - it should have clear accountability, and those responsible should have the mandate to make investment decisions that will have an impact in the future.
Operational resilience is now on the watchlist of financial service market regulators: they will be looking for evidence from leadership teams that effective steps have been taken to achieve it.
There is a clear framework to move through: from evolving the governance models and culture that deliver operational resilience, through to identifying important business services, mapping the processes that enable them, and setting intolerable risk limits. This framework should be regularly tested against potential future scenarios.
Looking specifically at the COVID-19 crisis, planning has focused primarily on employee safety, supporting critical systems, engaging with third parties, understanding how to support customers and partners, safeguarding the firm’s financial position, and understanding and documenting changes in the risk profile.
Organisations have operated well in general. Common success factors have included the ability to support remote working, prompt deployment of relevant tools, reprioritisation of projects, the ability to redeploy staff where needed, regulatory forbearance and continued demand for products and services, generating income.
COVID-19 is an example of a severe but plausible event. It has been slow, prolonged and symmetrical, which has meant firms have had time to think about how to respond – but the enhancements to operational resilience built up throughout the crisis need to continue, so that other threats that are faster and asymmetric can be managed.
It’s also important not to take false assurance from the crisis. Everyone has been in the same boat and there has been a certain amount of patience and forbearance from all parties which may not be present in future scenarios.
Ensuring change for the better doesn’t stop
The group head of internal audit at a business services company agreed that normal business continuity and disaster recovery plans did not apply in the case of a pandemic that affected the whole world as well as its supply chain.
The biggest challenge for the company was its diverse portfolio, from running leisure centres to providing front-line staff to hospitals. Each business line needed its own response - and effective decisions needed to be made at speed.
The second challenge was the sheer scale and variety of tasks the company was asked to pick up, including turning a warehouse into a hospital. These were outside the normal contract tendering process, so different levers needed to be used, while ensuring that any risks were balanced against the requirement for a successful outcome.
The company has managed the crisis well, partly because of clear communications from senior management. It was crystal clear where the priorities lay, including commitment to stand by government contracts and protect critical national infrastructure, staff safety and revenue protection.
The relatively loose organisational structure at the company also held it in good stead, because divisional or contract heads were already empowered to deliver results. However, there has also been better cross-team communication, and this is something the company is keen to sustain moving forward.
It will also maintain a more agile approach to the audit process, having made decisions in days rather than months during the crisis.
Above all, culture and communication have been the two biggest factors in keeping the company moving forward.
These are difficult to audit as processes - but have already led to some structural change, which means there is better dialogue across sectors and a better understanding of how others in the business operate.
Building on engrained operational resilience
A leader at an oil and gas firm said that their industry had not seen the same level of forbearance from market regulators during the crisis, and that the firm was used to scenario planning and testing for major accidents and hazards, such as an oil rig catching fire.
Safety and cash were at the front of the firm’s planning during the crisis.
One lesson learned was that different parts of the organisation could move at a different pace, with front-line workers adapting first, then IS and support staff, and then the back office.
One of the positive outcomes from the crisis is that the firm did manage to operate normally and managed an organisational restructure, demonstrating successful resilience.
What makes an organisation resilient - and what role should internal audit play?
The Protiviti director returned to spell out the factors that have made organisations resilient over the past few months, including an embedded resilience culture, an exceptional risk radar and dynamic, flexible resources.
She also explained the need for continuous monitoring moving forward, with internal audit teams involved in multiple layers of that process. This should include the documentation of lessons learned and scenario testing, including whether a COVID-19 style scenario should be included, given it is thought to be a one-in-200-years event.
Finally, an associate director at a UK insurance group explained that his company had been fortunate in having its financial year beginning on July 1, which meant it could get safely past the ‘react phase’ before starting year end reporting.
Remote working aside, the company has operated normally through the crisis. It has been preferable to adopt a ‘management memo’ approach, giving the leadership team quick overviews of elements such as liquidity, cyber security and technology.
This has all been done through the lens of what impact issues will have on customers and how they can be mitigated, but also what financial impact investment in specific tools will have. Communications to the board have needed to be transparent and include things that are changing, staying the same or not being done.
Different elements of the business have been considered separately, with the group's online brand operating normally, but the contact centres for another brand having to be relocated to working from home. This latter measure would not have been considered six months earlier.