ISO 22300:2021 defines resilience as the ‘ability to absorb and adapt in a changing environment’, and BS 65000 defines it as the ‘ability of an organisation to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper.’ These are very general statements, but they have the great benefit of applying to all kinds of organisations and economic sectors. In practice, an operationally resilient organisation should suffer fewer untimely disruptions to its operations and smaller losses from those disruptions, thus lessening the impact of incidents on critical operations and the services, functions and systems that depend on them.
At its core, resilience thinking is focused on making sure that the organisation can fulfil its mission and provide its key services whatever the circumstances. This does not mean that the organisation itself can continue unchanged through crises. It might have to evolve in order to retain its role in its ecosystem. The organisation must start by defining what its resilience level should be in relation to that ecosystem. Resilience is a relative concept: every entity has a threshold of damage beyond which it becomes critically fragile, and the question is where that threshold should sit.
Existing concepts such as Business Continuity Planning and Disaster Recovery were designed around a mechanistic view of the world, in which existing processes are re-established in the same stable context as before. The concept of resilience is much more holistic and proactive: it draws on a complex-systems view of the organisation's socio-technical environment. This requires a complete change of thinking for the governance entities and senior management.
In regulated sectors such as banking or energy, the regulators have defined specific goals and metrics for the key companies they regulate. In addition, the UK financial regulators view resilience and outsourcing management as deeply intertwined, as demonstrated by the outsourcing paper CP30/19 and the resilience paper CP29/19, which the Bank of England published together (see PS6/21, CP29/19 and DP1/18, “Operational Resilience: Impact tolerances for important business services”, Bank of England).
Designing a series of bad scenarios and imagining how, and in which order, to recover the organisation’s systems and processes is no longer enough. In a complex world, crises may not happen as discrete events but rather as a continuous deterioration of existing conditions that creates cascading effects at critical points. Climate change is an example of such an unfolding complex phenomenon. The increase in temperatures across the world might not create an immediate major crisis in developed countries within a year, or even within the next five years, but the steady disappearance or redistribution of resources such as water in some parts of the world will potentially have devastating consequences for a number of economic players.
The past couple of years have highlighted the importance of resilience and the necessity to design innovative solutions to address the multiple facets of the concept:
Resilience thinking and risk management are deeply intertwined, as both aim to break down an organisation’s silos in order to protect future outcomes and corporate strategic objectives against potential negative events whose nature is highly uncertain and multifaceted.
Managing risks with a resilience lens is not only about avoiding potential threats but much more about a constant state of awareness of the increasing volatility, uncertainty, complexity and ambiguity of the world we all live in. This implies that risk management moves away from a purely technical view of risk, one that identifies and measures threats with fairly stable and foreseeable hazard frequencies and severities (as found, for example, in risk registers and risk matrices) with the aim of returning to pre-existing conditions as soon as possible. In the complex adaptive systems that most organisations exist in, an overemphasis on planning for separate and predictable negative events may result in over-confidence in the preparedness of the organisation. The objective should instead be to better understand the emerging features of the organisation’s ecosystem in order to prepare for unforeseeable “black swans” which could have severe impacts.
This change of framework applies particularly to the business continuity/disaster recovery area of risk management, which has traditionally focused on a series of pre-planned reactive steps for a variety of hazards, resulting in large binders of procedures usually put away on a shelf and rarely, if ever, updated.
Careful anticipation of and preparation for troubled times is still important, of course, but true resilience requires the capacity to evolve and adapt to changing conditions and to apply lessons learned to future scenarios.
The framework for risk management must include much more dynamic and proactive tools as illustrated below:
Source: IRM (“Organisational Resilience White Paper 2021: A Companion Summary for Risk Managers”, Adapted from Risk and Resilience Ltd)
Although the existing Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) available in resource planning systems could be used as a first attempt to measure aspects of organisational resilience, full measurement of organisational resilience will probably need more dynamic and up-to-date risk management technologies. Risk management tools will need to draw on internal and external real-time indicators and trends and be able to correlate them continuously with the drivers of the organisation’s performance, rather than simply trying to identify potential static incidents.
Given internal audit’s understanding of the organisation’s control framework, it has a key role to play in making sure that the organisation’s resilience framework is robust. The resilience of internal audit itself has been challenged in the past two to three years, and many internal auditors have revolutionised their working processes and functions to operate in tandem with the organisations they serve. They have become trusted business advisors in addition to their assurance function. This advisory capability will be important for any work on resilience.
In the UK, the BEIS (Department for Business, Energy and Industrial Strategy) consultation paper of March 2021 (“Restoring Trust in Audit and Corporate Governance”, available at publishing.service.gov.uk) proposes that the annual viability and going concern statements be replaced by a Resilience Statement. This should be a catalyst to help organisations enhance their understanding of their own resilience capability, and internal audit functions will have to focus on the risks identified in the Resilience Statement.
We believe there is a role for internal audit in independently reviewing and verifying the narrative of the Resilience Statement for accuracy and transparency before it is formally submitted to the statutory auditors. Potentially this could include reviewing the company’s approach to risk management and how business-critical risks, including the strength of the internal control framework in mitigating them, are reflected in the resilience of the organisation and in the Resilience Statement itself.
This change of perspective must also help reshape the governance provided by the board and its audit and risk committees towards a more robust challenge of management’s resilience and sustainability efforts against the key financial objectives of the firm. The relevant governance committees of the board (Audit and Risk, for private companies) need to ensure that the second and third lines are properly equipped to inform and influence management decisions, based on methodologies that organically incorporate resilience into their day-to-day work.
Traditional internal audit practices tend to focus mostly on simple, structured problems where processes can be designed in an easy-to-control and predictable environment. In such cases, reasonably static control systems can be identified and imposed in a straightforward fashion. In a more complex environment, internal audit solutions must be rethought and reframed with the recognition that organisational resilience is an emergent property of multiple control and management activities. As a result, resilience auditing should not start with an analysis of existing processes and their linear relationships, but with a thorough mapping of the organisation’s internal structure and of its position in the ecosystem network (including clients, providers, outsourced services, regulators and so on).
A resilience mindset requires shifting the emphasis towards providing insights on the robustness of controls in times of stress, rather than simply providing assurance on the effectiveness of controls in the existing context.
Answering the three key questions below will help internal audit to determine the extent of the work to be performed:
The most effective way to include resilience in the audit universe is to make it a theme across the whole plan. In practice this means that internal audit can approach resilience from a number of different angles:
In conclusion, internal audit can and should use its own experience in developing resilience in the past three years to promote the idea of resilience across the organisation and make it a key theme in the audit plan.
Most internal audit teams are trusted business advisors in addition to their assurance function and this advisory capability will be crucial to help their organisation prepare for mostly unpredictable challenges in a world which becomes more complex by the day.
| Maturity | Definition |
| --- | --- |
| Ad hoc | Resilience thinking is not used at governance level. Business continuity and disaster recovery processes are unpredictable, poorly controlled and reactive. |
| Repeatable | Resilience thinking and processes are used mostly for projects or new businesses and remain reactive. |
| Controlled | Resilience thinking is embedded in the governance of the organisation. Processes are used for the whole organisation in a proactive manner. |
| Managed | Resilience thinking is well embedded across the organisation. Processes are used for the whole organisation in a proactive manner and are measured. |
| Optimised | Resilience thinking drives the agenda of the governing bodies and the strategy of the organisation. Processes are controlled and measured. The focus is on continuous process improvement. |
More advanced internal audit teams can use this basic framework to build a comprehensive, ranked and weighted set of selection criteria for each of the organisation’s services and/or functions, eventually leading to an agile resilience maturity model aligned with International Organization for Standardization (ISO) standards such as ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements and ISO/IEC 27001 Information security management systems.
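As an added illustration of the ranked and weighted selection described above (this is example code written for this page, not a model from the IRM white paper or from any ISO standard), the script below scores each service on three assumed criteria, business criticality, the gap between its current and target maturity level on the five-level scale in the table, and its reliance on outsourced providers, and ranks the services so the largest weighted gaps land at the top of the audit plan. The criteria, their weights and the four sample services are all constructed for the example.

```python
"""Weighted, ranked selection of services for a resilience audit plan.

Added example: the criteria, weights and sample services are assumptions
made for this illustration, not part of the IRM white paper or ISO 22301.
"""
from dataclasses import dataclass

# Five-level scale from the maturity table above (Ad hoc = 1 ... Optimised = 5).
MATURITY = {"Ad hoc": 1, "Repeatable": 2, "Controlled": 3, "Managed": 4, "Optimised": 5}

# Assumed criteria and weights; an audit team would calibrate these itself.
# They sum to 1.0 so the final score stays in the range 0..1.
WEIGHTS = {"criticality": 0.40, "maturity_gap": 0.35, "third_party": 0.25}


@dataclass(frozen=True)
class Service:
    name: str
    criticality: int   # 1..5: impact on the mission if the service is disrupted (assumed scale)
    maturity: str      # current level, must be a key of MATURITY
    target: str        # target level set by governance, must be a key of MATURITY
    third_party: int   # 1..5: reliance on outsourced providers (assumed scale)


def _normalise(value: float, lo: float, hi: float) -> float:
    """Map value from [lo, hi] onto [0, 1]; out-of-range input is an error."""
    if not lo <= value <= hi:
        raise ValueError(f"{value} outside expected range {lo}..{hi}")
    return (value - lo) / (hi - lo)


def maturity_gap(s: Service) -> int:
    """Levels still to climb to reach the target; already-at-target clamps to 0."""
    if s.maturity not in MATURITY or s.target not in MATURITY:
        raise ValueError(f"unknown maturity level on {s.name!r}")
    return max(0, MATURITY[s.target] - MATURITY[s.maturity])


def score(s: Service) -> float:
    """Weighted score in 0..1; higher means a stronger case for audit attention."""
    return (
        WEIGHTS["criticality"] * _normalise(s.criticality, 1, 5)
        + WEIGHTS["maturity_gap"] * _normalise(maturity_gap(s), 0, 4)
        + WEIGHTS["third_party"] * _normalise(s.third_party, 1, 5)
    )


def rank_services(services: list[Service]) -> list[Service]:
    """Highest score first; ties broken by name so the plan is reproducible."""
    return sorted(services, key=lambda s: (-score(s), s.name))


def audit_scope(services: list[Service], threshold: float) -> list[str]:
    """Names of services whose score meets the threshold, in ranked order."""
    return [s.name for s in rank_services(services) if score(s) >= threshold]


# Constructed sample portfolio (not real data).
SAMPLE = [
    Service("Payments processing", criticality=5, maturity="Repeatable", target="Managed", third_party=4),
    Service("Customer identity (SSO)", criticality=5, maturity="Controlled", target="Managed", third_party=2),
    Service("Internal wiki", criticality=1, maturity="Ad hoc", target="Controlled", third_party=1),
    Service("Cloud hosting", criticality=4, maturity="Ad hoc", target="Managed", third_party=5),
]

if __name__ == "__main__":
    for s in rank_services(SAMPLE):
        print(f"{score(s):.3f}  gap={maturity_gap(s)}  {s.name}")
    print("in scope:", audit_scope(SAMPLE, threshold=0.5))
```

Note that the outsourced cloud hosting service outranks payments despite its lower criticality, because its maturity gap and third-party reliance are both at the top of their scales; this is the kind of cross-criteria result a single risk matrix would not surface, and the weights are exactly what the audit committee should be asked to challenge.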
Good scenarios for resilience planning must have at a minimum the following three characteristics: