
Auditing strategic and operational resilience

What is resilience and why is it important?

ISO 22300:2021 refers to resilience as the ‘ability to absorb and adapt in a changing environment’ and BS65000 refers to this as the ‘ability of an organisation to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper.’ This is a very general statement, but it has the great benefit of applying to all kinds of organisations and economic sectors. In practice, an operationally resilient organisation should be less subject to untimely disruptions in its operations and to losses from such disruptions, thus lessening the impact of incidents on critical operations and related services, functions, and systems.

At its core, resilience thinking is focused on making sure that the organisation can fulfil its mission and provide its key services whatever the circumstances. This does not mean that the organisation itself can continue unchanged through crises. It might have to evolve in order to retain its role in its eco-system. The organisation must start by defining what its resilience level should be in relation to that eco-system. Resilience is a relative concept as every entity will have a level of critical fragility past a certain threshold of destruction.

While existing concepts such as Business Continuity Planning and Disaster Recovery were designed along mechanistic views of the world and the re-establishment of existing processes in the same stable context as previously, the concept of resilience is much more holistic and proactive. It feeds from a complex view of the socio-technical environment of the organisation. This requires a complete change of thinking for the governance entities and senior management.

In regulated sectors such as banking or energy, the regulators have defined specific goals and metrics for the key companies they regulate. In addition, resilience and out-sourcing management are viewed by the financial regulators in the UK as deeply intertwined as demonstrated by the out-sourcing paper CP30/19 and the resilience paper CP29/19 published together by the Bank of England. (see: PS6/21 | CP29/19 | DP1/18 Operational Resilience: Impact tolerances for important business services | Bank of England).

Designing a series of bad scenarios and imagining how and in which order to recover the organisation’s systems and processes is not enough anymore. In a complex world, crises may not happen as events but rather as a continuous deterioration of existing conditions which might create cascading effects at critical points. Climate change is an example of such an unfolding complex phenomenon. The increase in temperatures across the world might not create an immediate major crisis in developed countries within a year or even within the next 5 years, but the regular disappearance or re-distribution of resources such as water in some parts of the world will potentially have devastating consequences for a number of economic players.

The past couple of years have highlighted the importance of resilience and the necessity to design innovative solutions to address the multiple facets of the concept:

  • The Covid pandemic has stressed all sectors of the economy and given rise to working remotely, enabled by technology, as an effective response to the difficulties of interacting in person.
  • The war in Ukraine has stressed supply chains in particular for energy, wheat, and sunflower (of which Ukraine is one of the top global suppliers). In response, some cooking oil manufacturers have had to substitute sunflower with other raw materials.
  • Finally, climate change is stressing all aspects of the socio-technological models around the world and will force a complete rethink of how we consume increasingly scarce resources starting with water.

Resilience and risk management

Resilient thinking and risk management are deeply intertwined, as they both aim to break an organisation’s silos to protect future outcomes and corporate strategic objectives in the face of the highly uncertain and multifaceted nature of potential negative events.

Managing risks with a resilience lens is not only about avoiding potential threats but much more about a constant state of awareness of the increasing volatility, uncertainty, complexity, and ambiguity of the world that we all live in. This implies that risk management moves away from a single technical view of risks focused on identifying and measuring threats with fairly stable and foreseeable hazard frequencies and severities (found for example in risk registers and risk matrices) in order to return to pre-existing conditions as soon as possible. In the complex adaptive systems that most organisations exist in, an overemphasis on planning for separate and predictable negative events may result in over-confidence in the preparedness of the organisation. The objective should be to better understand the emerging features of the organisation’s eco-system to prepare for unforeseeable “black swans” which could have severe impacts.

This change of framework applies particularly to the business continuity/disaster recovery area of risk management, which has traditionally focused on a series of pre-planned reactive steps to a variety of hazards, resulting in large binders of procedures usually put away on a shelf and rarely if ever updated…

Careful anticipation and preparation for troubled times is still important of course but true resilience will necessitate the capacity to evolve and adapt to changing conditions and to apply lessons learned toward future scenarios.

The framework for risk management must include much more dynamic and proactive tools as illustrated below:

[Figure not reproduced: dynamic and proactive tools in the risk management framework]

Source: IRM (“Organisational Resilience White Paper 2021: A Companion Summary for Risk Managers”, Adapted from Risk and Resilience Ltd)

Although existing Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) available in Resource Planning (RP) systems could be used as a first attempt to measure aspects of organisational resilience, full organisational resilience measurement will probably need more dynamic and up-to-date risk management technologies. Risk management tools will need to feed from internal and external real-time indicators and trends and be able to correlate them to the drivers of the organisation’s performance in continuous time, rather than simply trying to identify potential static incidents.

The role of internal audit

Given internal audit’s understanding of the control framework of the organisation, it has a key role to play in making sure that the resilience framework of the organisation is robust. The resilience of internal audit in organisations has itself been challenged in the past 2-3 years, and many internal auditors have revolutionised their working processes and functions to operate in tandem with the organisations they serve. They have become trusted business advisors in addition to their assurance function. This advisory capability will be important for any work on resilience.

In the UK, the BEIS (Department for Business, Energy and Industrial Strategy) consultation paper of March 2021 (“Restoring Trust in Audit and Corporate Governance”, available at: Restoring trust in audit and corporate governance (publishing.service.gov.uk)) indicates that annual viability and going concern statements should be replaced by a resilience statement. This should be a catalyst to help organisations enhance their understanding of their own resilience capability, and internal audit functions will have to focus on the risks identified in the resilience statement.

We believe there is a role for internal audit in independently reviewing, verifying, and auditing the narrative of the Resilience Statement in terms of accuracy and transparency, prior to it being formally submitted to the statutory auditors. Potentially this could include reviewing the company’s approach to risk management and how business-critical risks, including the strength of the internal control framework in mitigating these risks, are being reflected in the resilience of the organisation and in the Resilience Statement itself.

This change of perspective must also help reshape the governance provided by the board/audit and risk committee towards a more robust challenge on the resilience and sustainability efforts of management against the key financial objectives of the firm. The key relevant governance committees of the board (Audit and Risk for private companies) need to ensure that the second and third lines are properly equipped to inform and influence management decisions based on methodologies that organically incorporate resiliency in their day-to-day work.

Traditional internal audit practices tend to focus mostly on simple structured problems where processes can be designed in an easy-to-control and predictable environment.

In such cases, reasonably static control systems can be identified and imposed in a straightforward fashion. In a more complex environment, internal audit solutions must be rethought and re-framed with the recognition that organisational resilience is an emergent property of multiple control/management activities. As a result, resilience auditing should not start with an analysis of existing processes and their linear relationships but with a thorough mapping of the organisation’s internal organisation and its position in the eco-system network (including clients, providers, out-sourced services, regulators…).

A resilience mindset requires shifting the emphasis towards providing insights on the robustness of controls in times of stress rather than simply providing assurance on the effectiveness of controls in the existing context.

Answering the three key questions below will help internal audit to determine the extent of the work to be performed:

  • Do we fully understand the eco-system network in which the organisation participates? (This includes services, clients, providers, out-sourcing, regulators’ demands.) If not, a map of the eco-system might be necessary.
  • What does resilience mean for the governing body of the organisation and top management? (What are the key services which are provided to our eco-system, and how fast must they be restored? What are the interdependencies between them?)
  • What are the sources of stress and the key existing and emerging threats to our business and the socio-technological system in which we provide our services? Internal audit can then use this information to shift its emphasis towards providing insights on the robustness of controls in times of stress rather than simply providing assurance on the effectiveness of controls in the existing context. For example, following the Covid-19 pandemic, all controls should now be tested with periods of forced high absenteeism at all work locations.

Key practical elements and tips for internal audit

The most effective way to include resilience in the audit universe is to make it a theme across the whole plan. In practice this means that internal audit can approach resilience from a number of different angles:

  • A high-level audit of the resilience framework should cover the resilience strategy of the organisation and ensure that the board/audit committee and executive management have a shared understanding of the eco-system network of the organisation, of what resilience means to them and of how it will be implemented in existing and new businesses. It will be important to make sure that the board/audit committee receive regular briefings on the state of awareness and preparedness of the organisation in relation to its resilience objectives. Depending on the complexity of the organisation, different tools could be used to gauge the level of preparedness of an organisation. For simpler cases (such as charities or companies relying only on local markets), a comparison of existing business continuity and disaster recovery plans with resilience objectives might be enough. For complex organisations, it might be worth doing a gap analysis versus leaders in the field or referring to a resilience maturity model as a guide to the status of the organisation (see illustration in Appendix 1).


  • The strategic resilience audit should be supplemented with more technical audits of risk management and other key functions to ensure that the scenarios used for business continuity and crisis management policies and procedures include a dynamic and proactive view in line with the resilience philosophy of the governing bodies (see Appendix 2 for auditing of risk scenarios). An example of a dynamic approach would include defining sets of service indicators for normal times and for times of stress, and switching from one set to the other dynamically depending on the external context and its predicted evolution. The notion of impact tolerance introduced by the FCA and the Bank of England for financial institutions can definitely be translated to non-financial services organisations and serve as a good starting point for the discussion with senior management on the recovery objectives for the different services of the organisation. The organisation should put in place or adapt its crisis management process to handle topics of resilience for events beyond the impact tolerance of a key business service. Communication (internal and external) is also a key element of resilience plans. Financial regulators in the UK, for instance, have been noticeably clear on the need for institutions to have clear communications strategies and decision escalation paths in place, with timely and relevant communications, in particular for important warnings or advice, to consumers/clients and other stakeholders.


  • Finally, all audits in the plan should include an overview of the resilience aspects relevant to the controls examined. A good example of the necessity to include a resilience view is that of third-party and out-sourced services management. There will be limits to what firms can do with their suppliers beyond initial due diligence and regular monitoring of services provided. MSLAs (Master Service Level Agreements) are useful in the sense that they can be tailored to include service indicators in normal times and in times of stress; however, it is unreasonable to expect that all organisations can enforce their resilience standards (in particular through resilience audits) on all their providers, especially when they are only one of many clients and not the biggest. A case in point is provided by the provision of cloud services, which takes place in a very concentrated industry with powerful players (Google, Amazon, Microsoft) for whom even the biggest firms are only regular clients. The best that one can hope for is to perform shared audits of these providers or rely on certificates provided by external parties (such as the big four accounting firms).

In conclusion, internal audit can and should use its own experience in developing resilience in the past three years to promote the idea of resilience across the organisation and make it a key theme in the audit plan.

Most internal audit teams are trusted business advisors in addition to their assurance function, and this advisory capability will be crucial to help their organisation prepare for mostly unpredictable challenges in a world which becomes more complex by the day.


Appendix 1: Resilience capability maturity model

Maturity     Definition
Ad hoc       Resilience thinking is not used at governance level. Business continuity and disaster recovery processes are unpredictable, poorly controlled, and reactive.
Repeatable   Resilience thinking and processes are used mostly for projects or new businesses and remain reactive.
Controlled   Resilience thinking is embedded in the governance of the organisation. Processes are used for the whole organisation in a proactive manner.
Managed      Resilience thinking is well embedded across the organisation. Processes are used for the whole organisation in a proactive manner and measured.
Optimised    Resilience thinking drives the agenda of the governing bodies and the strategy of the organisation. Processes are controlled and measured. The focus is on continuous process improvement.

More advanced internal audit teams can use the basic framework to build a comprehensive, ranked, and weighted set of selection criteria for each of the organisation’s services and/or functions, eventually leading to an agile International Organisation for Standardisation (ISO) resilience maturity model, e.g., ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements and ISO 27001:2017 Information Resilience.


Appendix 2: auditing risk management scenarios for resilience

Good scenarios for resilience planning must have at a minimum the following three characteristics:

  • They must proceed from a complex world view, i.e., one that considers non-linearities and discontinuities. This means that stress scenarios are not simply derived from past events or from marginal linear extrapolations of the existing environment. They must truly reflect discontinuous events stretching beyond business as (almost) usual. For example, most traditional corporate resilience plans have typically incorporated a recovery site ready to use if the main site is temporarily incapacitated for whatever reason (fire, terrorism, flood...). However, COVID-19 has demonstrated the value of thinking beyond the simple replacement of a worksite to a completely different paradigm of “working from home”, linked to organisational data being held in the Cloud. In addition, inter-relationships between risks cannot be boiled down to historical correlations, as crises can completely change the dynamic of these relationships. The 2022 summer drought in Europe combined with the conflict in Ukraine provides a striking example of the change in risk dynamics. In a “normal” context, the risk of nuclear energy could be compared to the risk of fossil fuels to optimise the production of electricity while trying to minimise the impact on pollution and eventually climate change. In the current context, where gas is being rationed because of the Ukraine conflict at the same time that nuclear power is limited by a lack of cooling water, the risk of recourse to fossil fuel (including coal) has to be weighed against the risk of not producing enough electricity for the winter.
  • Once scenarios have been imagined and developed, the escalation of these to the Executive and the board/audit committee must include full narratives of the improbable events instead of relying on the aggregated risk indicators used for the usual risk reporting process. What is useful to management is the story behind the event rather than the simplified characterisation of the probability/severity of the risk. In the case of the pandemic scenario, the full narrative will now have to include the possibility of a significant fraction of employees being unable to work because of sickness while most others work and communicate from home. This means that the firm will also have to assess its digital strategy to support this mode of working and look at further risks impacting the scenario. Examples would include: What if network providers fail or are experiencing bandwidth issues? How will our employees be able to balance work and personal life depending on their living arrangements?
  • Finally, scenarios must incorporate action plans which are regularly tested and can be implemented in a streamlined fashion (i.e., without excessive governance or bureaucracy). The results of the tests should be shared and discussed regularly with management and the board/audit committee. It is important that the plans not only focus on the handling of the imminent crisis but also outline adaptive mechanisms for returning to more normal circumstances.


References/Further Reading

Content reviewed: 10 May 2023