AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

View from the top: Advocacy – a route to the future A&R Magazine Nov Dec 21



If you want to be interested in something then you should find somewhere interesting to be, and the healthcare sector certainly fits the bill. In my two and half years at Bupa I have been privileged – and humbled – to witness the immense efforts my colleagues have made to support and care for our customers, be it support for our health insurance policyholders, patients in our dental centres, hospitals and clinics, or residents in our care homes and villages.

The pandemic undoubtedly tested (and in some places continues to test) my company’s resilience and adaptability, but it has also accelerated wider changes in the sector, driven by two key factors.

The first of these is the development in the nature and type of healthcare solutions. It is likely that healthcare systems focused historically on “sick care” will increasingly give way to organisations that can better support chronic care, preventative care and, ultimately,
predictive care.

The second is the use of technology focused on supporting the customer’s journey and improving their health outcome and experience along the way. Accessing and navigating health systems can sometimes feel more complicated than it should be and Bupa, together with many others in the industry, is working hard to leverage technology and manage data more effectively (but responsibly) to make this better. We call this making healthcare more frictionless.

Companies will stand or fall depending on how well they navigate these waters, and whether they address the challenges at the pace required, while still maintaining an appropriate risk and control environment.

This requires my function – Bupa Global Internal Audit (GIA) – to keep up. Internal audit functions of the future must be data led, data literate and data analytical to understand their businesses and deliver assurance with valuable insight. This is not easy, but it is no longer optional, and it represents an exciting challenge. It requires a thoughtful and strategic approach to core elements, some of which are obvious and some not so obvious.

The obvious elements include the necessary investment in team skills and capabilities as well as technology tools. Everyone has been to webinars on these topics. The not-so-obvious elements are the approach to getting better and faster access to relevant organisational data, and obtaining stakeholder buy-in to the internal audit function’s new ways of doing things. Success here is everything and this must be the key focus for internal audit leaders. It’s the difference between developing a connected, collaborative and valuable function which can deliver meaningful and more timely insights – or just building a cost centre. At Bupa GIA we’ve developed a data access and analytics strategy that encompasses all of the above. We appreciate that it will take time, but we’ve made a great start, are clear about where we’re going, and know how we’re going to get there.

But data is only half the story for our future. The other half must come from advocacy.

As organisations embrace change, in particular the “digital revolution”, it is hard for our first-line colleagues (and sometimes those in the second line too) to maintain their focus on effective risk management and control – let alone evolve and automate faster and more effective internal controls as part of the journey.

There are various reasons for this, but top of the list in my opinion is a lack of resources dedicated to helping business leaders really understand what an effective internal control environment is, what it comprises, why it is important, how it can be framed and how it can be implemented.

This is why we’ve developed a framework for describing internal controls. It’s a deliberately simplified, “easy to describe and digest” version of COSO. It describes an effective internal control environment as a combination of optimised governance (oversight), management and operational controls which can be applied at all levels of the organisation. We’ve built it into Bupa’s risk management framework and internal audit methodology.

Most importantly, GIA is taking the initiative by being its strongest advocate. We are promoting conversations about it with everyone we meet, bringing it to life via communication and learning materials, and demonstrating the difference it makes in improving internal controls throughout the business. Every member of our global team is working to bring it to life for our stakeholders.

In turn, our stakeholders are recognising our controls advocacy alongside the independent assurance we provide, and they are being influenced to act because they also learn. This matters because it means that GIA plays a role in building the culture of the organisation, and that’s exactly where I think all internal audit functions should be. 


This article was published in November 2021.