
Crisis scenario: what would you do in a crisis?

The situation

You are the head of internal audit for a multinational organisation. The business recently launched a major new product intended to secure its future as a global market leader. The product cost millions in development and initially sold well, however in the past couple of months there have been several well-publicised incidents in which it malfunctioned and about 50 people have died or been seriously injured. All the products have now been recalled and removed from sale. The research team is confident that it can solve the problems, but the company has suffered a massive reputational hit, the share price has fallen and investors are critical. Sales of other products in the range have fallen sharply. The media has been hostile and the CEO did not improve matters by insisting for too long that the problems were caused by user errors or external factors.

What role can internal audit play now; what questions should auditors be asking about the way the company was prepared for, and dealt with, the crisis?

Malcolm Zack - group internal audit director at Element Materials Technology

Q: What do you see as the primary issues for internal audit?

A: This depends on what industry the organisation is in – in some sectors a death toll of 50 people could mean immediate closure. There is also a question about whether the CEO was kept well-informed as the crisis developed or whether there had been a deliberate attempt to deceive management or to cover up problems. The size of the organisation is important – a smaller one will have more problems remaining solvent while the crisis is investigated and surviving a short-term loss of customers and bad publicity.

Q: What would you do as head of internal audit a) immediately and b) in the longer term to deal with these issues and help managers to prevent them in future?

A: Timing is a key issue. I’ve worked with several organisations on crisis planning and to ensure that they have a good post-crisis communications plan in place. Internal audit can check that the right people have sufficient training to deal with a crisis and with the media, and that management tests crisis plans regularly to ensure they work.

Once a crisis has occurred, the senior management is responsible for the immediate response, although internal audit should later review how and why the crisis occurred and the response to it. This would also be an opportunity to identify and fill any gaps in the plans.

Q: What questions would you ask managers and the internal audit team about the problems that have already occurred and why these happened?

A: A post-crisis audit should include questions on all aspects of what did we do well, what didn’t we do well, and how can we do it better next time? I was involved in the recovery phase after a real incident and our review showed us that too few senior executives were trained to deal with the media. Training plans were expanded as a result.

The focus at all times should be on ensuring that the organisation has identified the relevant risks – those that are most likely and those that are potentially most serious – and that they have adequate and well-tested contingency plans to mitigate the damage and ensure the right people are informed and know what to do in the 48 hours afterwards.

A plan that is never tested is only 50 per cent adequate. Tests should be based on different scenarios and should be aimed at highlighting weaknesses. Internal audit can advise on the tests and observe what happens. You need to see how people actually behave in a crisis – it’s not always the way you expect. This can also help management to identify who should be on the front line if or when something happens, as well as what happens if key people are unavailable in a crisis.

Crises will always happen, but if all of this is done well, then an organisation can not only mitigate the risks, but can even end up being praised for its response.

Diego Galli - internal audit director at Vodafone

Q: What do you see as the primary issues for internal audit?

A: To identify where the system of internal control failed between the different lines of defence, including internal audit, and to assess how internal audit can support management during and after the crisis.

Q: What are the key risks for the organisation in the short and longer term?

A: Short term: Reputational damage with negative publicity and media hostility; brand damage; loss of customers and sales; reduction in share price.

Longer term: Loss of confidence from stakeholders (customers, investors, shareholders, employees and vendors), plus legal claims and financial penalties could result in the business no longer being viable.

Q: How can the internal audit function best support management at this time?

A: Short term: Provide an advisory review to confirm that the problem has been controlled and contained and to verify the effectiveness of the product recall process, ensuring that root causes are identified. Issue an advisory paper rapidly – including additional actions if those have not already been identified by the management.

Medium term: Provide an assurance review on the effectiveness of the underlying processes – eg, product development and quality assurance management – to identify potential controls that were not designed or operating effectively.

Also review the effectiveness of the crisis management process – eg, risks identification, assessment, escalation, communication, etc.

Q: What would you do as head of internal audit a) immediately and b) in the longer term to deal with these issues and help managers to prevent them in future?

A: Immediately: I would meet relevant senior leadership team members to obtain information to understand the issue and offer internal audit’s rapid support (to confirm that the problem is contained and that the product recall is fully effective).

Longer term: Internal audit would perform an audit review on the underlying processes. As head of internal audit, I would bring together second and third line of defence teams to agree a coordinated approach to understanding what went wrong and produce an assurance plan. We would also revisit the internal audit risk assessment process to ensure that similar risks are considered in the audit plan definition.

Q: What questions would you ask managers and the internal audit team about the problems that have already occurred and why these happened?

A: Was there a documented product development process, including the design of effective controls and clearly defined accountability/responsibility for product quality – eg, quality control on raw materials, product testing, quality control on finished products and approval from the legal team?

Was the product manufactured in-house or by a third-party manufacturer, were any aspects of the process outsourced and what controls were in place? Was any issue identified earlier in the product line; if yes, what actions were taken?

Was there any previous incident or insights from customer complaints about potential issues with the product?

Did risk management assess the risks in the process, define the risk appetite, calculate the net risk and agree on actions to address the risks?

Was a review performed by the second line of defence on the product development process and what was the outcome? Were any actions raised and followed up?

Was there a framework for establishing business continuity and were crisis management plans in place prior to, and at the time of, the incident? Was it tested and were there any specific plans related to products?

Was the insurance team involved in the product development process? Had they raised any reservations or provided stipulations relating to product development and recall?

Did the internal audit annual risk assessment plan cover the product development process? If not, what was the rationale for this? If it did, what was the outcome?

Carol Hui - chief of staff and general counsel for Heathrow Airport Holdings

Q: What do you see as the primary issues for internal audit?

A: Internal audit should establish its independence and reporting line to the board or audit committee in order to prepare a review, so that the organisation has a forensic and accurate picture that it can rely on, together with sound recommendations for actions that need to be taken.

The primary issues seem to be:

Ensure that the immediate health and safety risks are being dealt with to prevent a recurrence of the issues across the global network of the company.

Review the cause of the malfunction.

Review the governance processes and controls around product design and development.

Review the external factors referred to by the CEO, along with any other factors such as supply chain issues.

Review crisis management and communications to identify immediate actions to be taken.

Review the assurance provided by management that the incident/malfunction has been dealt with.

Check whether there are related (or unrelated) issues with other products in the range.

Review culture in the organisation – was there a fear of speaking up? Are the whistleblowing/safecall mechanisms adequate, etc?

Compile learnings from the above for the future.

Q: What are the key risks for the organisation in the short and longer term?

A: Health and safety risk for customers using the products in both the short and long term.

Are there potential risks with similar products?

Reputational risk: the damage to the company brand caused by producing the faulty product and by the initially poor company response.

Legal and financial risks: the liability for the faulty products and compensation for affected customers, as well as potential criminal liability, fines (depending on laws in different jurisdictions), the impact on sales and revenue, the longer term impact on investor relations and access to markets, plus higher research and development and insurance costs.

Regulatory risk: the likelihood of increased regulation in the future.

Closure of operations/insolvency risk. As this involves the deaths of 50 people, it is a substantial matter and, if the issues are not dealt with adequately and swiftly, this could lead to areas of the organisation being closed and the resignation or removal of the CEO and/or other key people. It may even lead to insolvency.

Q: How can the internal audit function best support management at this time?

A: Set out robust action plans to address any risks identified and help to rebuild trust in the company.

Help to facilitate risk discussions to identify any other risks that may not yet have emerged (on this or other products).

Provide independent assurance over the design and operational effectiveness of the processes in place across the product design and development lifecycle, sales, crisis management procedures and communications planning.

Identify any potential issues that need to be remediated and lessons learnt for the future (although this may be a longer term action).

Help to identify issues with the culture of the company and make appropriate recommendations to address these.

Q: What would you do as head of internal audit a) immediately and b) in the longer term to deal with these issues and help managers to prevent them in future?

A: Immediately:

Conduct a review of the response to the incident – how was information communicated internally and externally and what lessons have been learnt to make sure this kind of situation doesn’t recur?

Look at any other customer complaints/issues that have been reported – could these lead to similar product recalls? Have they been sufficiently reviewed/escalated?

Review the robustness of action plans to address risks identified.

Facilitate risk discussions to identify any other risks that might not yet have been surfaced (on this or other products).

Long term:

Look at the R&D/product approval/governance processes to ensure that processes are designed and operating effectively to detect any potential issues throughout all stages in the product lifecycle. Specific areas of focus may include, but not be limited to:

Regulatory and health and safety requirements for products – were they appropriately identified and complied with when the products were designed and developed?

Quality control procedures, including the adequacy of testing regimes, and controls over the supply chain (procurement of component parts).

Recruitment processes – are the right people with the relevant qualifications involved in these processes?

Customer complaint and communication processes – review these to ensure the right processes are in place to deal with and escalate issues appropriately, and communicate relevant information internally and externally.

Review the crisis management processes.

Review the risk management processes.

Review culture – safety, speaking up, compliance with standards etc.

Q: What questions would you ask managers and the internal audit team about the problems that have already occurred and why these happened?

A: Assuming safety was a priority for this company, were the safety procedures working and had they been followed?

What action was taken when the initial issues were identified? Was this sufficient?

Was the right information communicated to the right level?

Have other similar issues been identified in the past and how were these dealt with?

When were the relevant product development/H&S/R&D/crisis management/communication processes last reviewed?

How are they communicated to all relevant colleagues?

What are the relevant training requirements for colleagues/management/executives and has all mandatory training been undertaken?

Have similar issues been identified in previous internal audit reports; what assurance do we have that these were appropriately remediated prior to closing the action?

If a similar issue occurred in the future what would you do differently?

What is the culture like in the business when issues are identified – is it one that is open and trusting, or is there more of a blame culture where people are afraid to speak out?

The views expressed here are the views of the individuals and not those of their organisations.

This article was first published in November 2019.