Risk in Focus 2021 dedicates an entire section to the lessons from the pandemic for disaster and crisis preparedness (see pages 31-33). Even before the start of the pandemic, however, resilience had become a key concern for all types of organisations and regulators alike, highlighting the need to strengthen preparedness for extreme events at all levels of society, from governments and national and international institutions to companies and all the way down to individuals.
This guidance will give internal auditors a good understanding of how to incorporate an analysis of potential crises and extreme negative events into planned audits, and will also give direction on how to quantify the impact of such events on the organisation’s resilience programme.
We encourage you to read broadly on this topic.
Extreme events or crises, whether specific to an organisation or the result of a wider disruption (such as the pandemic), can have devastating social and financial consequences if not managed adequately. Management of extreme events starts with the conceptualisation of these events in risk registers and runs all the way to the mitigation of consequences and the communication to stakeholders once the event has happened. Extreme event disruptions are not easy to integrate into the day-to-day management of an organisation without a consistent framework for doing so. This framework starts with the culture of the organisation and flows through governance, risk management, operations, and communication.
The pandemic crisis can, and should, provide the impetus for deep and long-lasting changes in the way organisations view and manage event risk and provide assurance on their controls. Internal audit has an important role to play as an independent provider of assurance on preparedness and resilience to executive management and the board. In addition, internal audit can provide key insights by cross-referencing observations on resilience themes from the audit reports in the plan. Internal audit should use the lessons of the COVID-19 crisis to integrate a resiliency view into its internal audit plan and day-to-day work. This means that instead of simply providing assurance on the system of controls in place to mitigate current risks in the existing business setup, internal auditors must now be able to provide foresight on the robustness of those controls in times of stress.
The starting point for internal audit is to understand that in a complex world, extreme events are difficult to assess both qualitatively and quantitatively. Events that will generate serious consequences cannot easily be described or categorised, and a definitive list certainly cannot be established. It is a challenging and sometimes inefficient task to exhaustively describe all potential threats and the best response to each of them.
Internal auditors should be thinking: “Things that have never happened before happen all the time”. Will the next crisis be internal (fraud, major error, industrial accident, fire…), external (geo-political, terrorism, natural catastrophe…) or a combination of the two through a cascade of events? The pandemic is a good example of a novel risk event for our generation and a reminder that ‘once in a lifetime’ risks can happen in our lifetime. It is prudent to plan for the worst and hope for the best when looking at scenarios for crisis management.
As a result of the radical uncertainty attached to extreme events, the controls to mitigate them are not easily documented or located in one place. The organisation must be able to rely on different layers of controls, from contextual controls at the top of the organisation (covering culture, governance and risk management) down to more specific controls in operational units, in order to prevent, detect, mitigate and recover from crises. With the right controls, some events might be fully prevented or mitigated; others, however, will overcome all defence barriers and the organisation will have to focus mostly on recovery.
The following table indicates the key controls internal audit should aim to test in order to provide overall assurance on the resilience and robustness of operations to crises. It is not exhaustive.
| Key area | Preventative controls | Detective controls | Corrective controls |
|---|---|---|---|
| Culture and governance | Clear risk appetite for major risks; Complexity view of the world vs linear thinking; Culture of adaptability embedded in management thinking; Existence of a well-structured crisis management team; Risk discussions are embedded at the appropriate meetings; Chief Risk Officer (CRO) is a member of the Executive Committee | Whistleblowing/speak-up culture to raise internal issues; Robust management reporting on incidents and external events; Crisis management team is operational and meeting regularly; Board is kept up to date on key events | Culture of robustness and tolerance for mistakes; Framework for disseminating lessons learned (knowledge building and transfer of experience); Open communication with stakeholders |
| Risk management | Tracking of emerging risks in the risk register; Business continuity policies exist and are regularly updated; “Red teaming” activities (i.e. rigorous challenge with one party adopting an adversarial approach); Quantitative risk models (including risk matrices) incorporate the possibility of “black swan” events to measure the impact of potential events against tolerances on the organisation’s services (stress tests, scenarios, stochastic simulations) | Key risk indicators linked to impact tolerances for key services; Regular risk assessments of key services, including dependencies and coupling; Process to analyse and incorporate emerging risks in the risk register in real time | Existence of a protocol to perform and disseminate lessons learned and root cause analysis of events; Feedback loop to the risk registers for real-time update; CRO actively involved in post-event analysis and action plan |
| Operations | Identification of the most important services to be restored, in order of priority; Stress test the ability of key systems to remain within impact tolerances | Reporting of events and near misses; Monitoring actions and impacts of events on competitors and others not necessarily in your market sector | Disaster recovery / crisis management plan exists and is updated regularly; Disaster recovery / crisis management plan is aligned with key services |

Stochastic simulations: simulations of random events that cannot be precisely predicted.
A complexity view of the world, as opposed to linear thinking, means a perspective that considers non-linearities, discontinuities and deep inter-relationships between risks. Stress scenarios cannot simply be derived from past events or from marginal linear extrapolations of the existing environment. They must truly reflect discontinuous events stretching beyond business as usual.
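The stress tests and stochastic simulations listed in the table, and the point about linear extrapolation above, can be illustrated with a small Monte Carlo stress test of one key service against an impact tolerance. The code below is an added example and is not part of the guidance or of any tool it refers to; every number in it is an assumption (a constructed 48-hour annual disruption tolerance, a 1% accepted breach frequency, incident rates, and Pareto tail parameters). It contrasts a "linear" model fitted to ordinary incidents with a model that adds heavy-tailed severities and a coupled extreme event that cascades into a dependent service, and reports whether the service stays within tolerance under each.

```python
"""Monte Carlo stress test of a key service against an impact tolerance.

Constructed example: a business-as-usual ("linear") loss model built from
ordinary incidents is compared with a model that adds heavy-tailed incident
severities and a rare, coupled extreme event. All parameters are assumptions.
"""
import math
import random
from dataclasses import dataclass

IMPACT_TOLERANCE_HOURS = 48.0  # assumed: maximum tolerable disruption per year
BREACH_PROB_LIMIT = 0.01       # assumed: at most 1% of simulated years may breach


def poisson(rng: random.Random, lam: float) -> int:
    """Sample a Poisson-distributed count (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


@dataclass(frozen=True)
class Scenario:
    name: str
    incident_rate: float  # ordinary incidents per year
    mean_hours: float     # mean duration of an ordinary incident
    heavy_tailed: bool    # Pareto severities instead of exponential ones
    extreme_rate: float   # extreme events (e.g. site loss) per year
    coupling: float       # probability an extreme event cascades to a dependency


def incident_hours(rng: random.Random, sc: Scenario) -> float:
    """Duration of one ordinary incident under the scenario's severity model."""
    if sc.heavy_tailed:
        # Pareto with alpha=1.5: finite mean, infinite variance. Scale xm so the
        # mean (xm * alpha / (alpha - 1)) equals mean_hours, i.e. the same
        # "average" an analyst would fit from recent history.
        alpha = 1.5
        xm = sc.mean_hours * (alpha - 1) / alpha
        return xm * rng.paretovariate(alpha)
    return rng.expovariate(1.0 / sc.mean_hours)


def simulate_year(rng: random.Random, sc: Scenario) -> float:
    """Total disruption hours for the key service in one simulated year."""
    hours = sum(incident_hours(rng, sc)
                for _ in range(poisson(rng, sc.incident_rate)))
    for _ in range(poisson(rng, sc.extreme_rate)):
        # Extreme event: at least one day, with a heavy tail on top.
        hours += 24.0 * rng.paretovariate(1.2)
        # Coupling: with some probability a dependent service fails as well,
        # which linear extrapolation from past incidents never produces.
        if rng.random() < sc.coupling:
            hours += 24.0 * rng.paretovariate(1.2)
    return hours


def stress_test(sc: Scenario, years: int = 20000, seed: int = 1) -> dict:
    """Run the scenario and test the result against the impact tolerance."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, sc) for _ in range(years))
    breaches = sum(1 for h in losses if h > IMPACT_TOLERANCE_HOURS)
    p_breach = breaches / years
    return {
        "scenario": sc.name,
        "mean_hours": sum(losses) / years,
        "p99_hours": losses[int(0.99 * years) - 1],
        "breach_probability": p_breach,
        "within_tolerance": p_breach <= BREACH_PROB_LIMIT,
    }


# Constructed scenarios; the two share the same "average" incident picture.
LINEAR = Scenario("linear extrapolation of recent incidents",
                  incident_rate=4.0, mean_hours=3.0, heavy_tailed=False,
                  extreme_rate=0.0, coupling=0.0)
STRESSED = Scenario("heavy tails plus coupled extreme events",
                    incident_rate=4.0, mean_hours=3.0, heavy_tailed=True,
                    extreme_rate=0.05, coupling=0.5)

if __name__ == "__main__":
    for scenario in (LINEAR, STRESSED):
        print(stress_test(scenario))
```

Both scenarios are fitted to the same mean incident count and duration, so a risk matrix or key risk indicator calibrated on recent history would rate them alike; only the stressed model, which admits discontinuous severities and dependency coupling, shows the tolerance being breached more often than the accepted 1% of years. That gap is the "forward" view of control robustness the text asks internal audit to examine.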
For example, traditional resiliency plans might include a recovery site ready to use if the main site is incapacitated for whatever reason. However, the COVID-19 crisis has demonstrated the value of thinking beyond the simple replacement of a worksite to a completely different paradigm of “working from home”. Internal audit should be innovative and help their organisations to think outside of the box.
The prevention, analysis and response to unexpected large events is an area where internal audit can use its specialised skills and cross-organisation perspective to provide key insights to management and raise its profile as a contributor to the preservation of the organisation’s assets.
In addition, internal audit must evolve its methodology from a focus on providing assurance on the system of controls in place to mitigate current risks to providing foresight on the robustness of controls in times of stress. This will mean systematically integrating the scenarios from the risk management function (where they exist) in the testing of key controls.
For internal audit to remain relevant in a complex world, it will have to expand its framework to provide insights on the robustness of the system of controls for a wide range of stress scenarios. It is obviously unreasonable to ask internal audit to provide “forward” assurance based on a few plausible but improbable scenarios. The objective is much less ambitious and should be clearly articulated to avoid confusion.
Our insights on the robustness of controls under stress could become a very powerful addition to the overall resiliency planning of organisations and provide a rich source of discussion for the audit committee and the board.