Crisis management - extreme events

Risk in Focus 2021 dedicates an entire section to the lessons from the pandemic for disaster and crisis preparedness (see pages 31-33). Even before the start of the pandemic, however, resilience had become a key concern for all types of organisations and regulators alike, highlighting the need to strengthen preparedness against extreme events at all levels of society, from governments and national and international institutions to companies and all the way down to individuals.

This guidance will give internal auditors a good understanding of how to incorporate an analysis of potential crises and extreme negative events in planned audits, and direction on how to quantify the impact of such events on the organisation’s resilience programme.

We encourage you to read broadly on this topic.


Why do our organisations need to prepare?

Extreme events or crises, whether specific to an organisation or the result of a wider disruption (such as the pandemic), can have devastating social and financial consequences if not managed adequately. Management of extreme events runs from the conceptualisation of these events in risk registers all the way to the mitigation of consequences and the communication to stakeholders once the event has happened. Extreme event disruptions are not easy to integrate into the day-to-day management of an organisation without a consistent framework for doing so. This framework starts with the culture of the organisation and flows through governance, risk management, operations and communication.


The role of internal audit

The pandemic crisis can, and should, provide the impetus for deep and long-lasting changes in the way organisations view and manage event risk and provide assurance on their controls. Internal audit has an important role to play as an independent provider of assurance on preparedness and resilience to executive management and the board. In addition, internal audit can provide key insights by cross-referencing observations on resilience themes from the audit reports in the plan. Internal audit should use the lessons of the COVID-19 crisis to integrate a resilience view into its internal audit plan and day-to-day work. This means that, instead of simply providing assurance on the system of controls in place to mitigate current risks in the existing business setup, internal auditors must now be able to provide foresight on the robustness of controls in times of stress.


Key controls

The starting point for internal audit is to understand that in a complex world, extreme events are difficult to assess both qualitatively and quantitatively. Events that will generate serious consequences cannot be easily described or categorised, and a definitive list of them certainly cannot be established. Exhaustively describing all potential threats and the best response to each is a challenging and sometimes inefficient task.

Internal auditors should be thinking “Things that have never happened before happen all the time”. Will the next crisis be internal (fraud, major error, industrial accident, fire…), external (geo-political, terrorism, natural catastrophe…) or a combination through a cascade of events? The pandemic is a good example of a novel risk event for our generation and a reminder that ‘once in a lifetime’ risks can happen in our lifetime. It is prudent to plan for the worst and hope for the best when looking at scenarios for crisis management.

As a result of the radical uncertainty attached to extreme events, the controls that mitigate them are not easily documented or located in one place. The organisation must be able to rely on different layers of controls, from contextual controls at the top of the organisation (covering culture, governance and risk management) down to more specific controls in operational units, in order to prevent, detect, mitigate and recover from crises. With the right controls, some events might be fully prevented or mitigated; others, however, will overcome all defence barriers and the organisation will have to focus mostly on recovery.

The following table is indicative of the key controls internal audit should aim to test in order to provide overall assurance on resilience and robustness of operations to crises. It is not exhaustive.

The controls listed under each key area span preventative, detective and corrective controls.

Governance

  • Clear risk appetite for major risks
  • Complexity view of the world vs linear thinking
  • Culture of adaptability embedded in management thinking
  • Existence of a well-structured crisis management team
  • Risk discussions are embedded at the appropriate meetings
  • Chief Risk Officer (CRO) is a member of the Executive Committee
  • Whistleblowing/speak-up culture to raise internal issues
  • Robust management reporting on incidents and external events
  • Crisis management team is operational and meeting regularly
  • Board is kept up to date on key events
  • Culture of robustness and tolerance for mistakes
  • Framework for disseminating lessons learned (knowledge building and transfer of experience)
  • Open communication with stakeholders

Risk management

  • Tracking of emerging risks in the risk register
  • Business continuity policies exist and are regularly updated
  • “Red teaming” activities (ie rigorous challenge with one party adopting an adversarial approach)
  • Quantitative risk models (including risk matrices) incorporate the possibility of “black swan” events to measure the impact of potential events against tolerances on the organisation’s services (stress tests, scenarios, stochastic simulations)
  • Stochastic simulations – random events that cannot be precisely predicted
  • Key risk indicators linked to impact tolerances for key services
  • Regular risk assessments of key services, including dependencies and coupling
  • Process to analyse and incorporate emerging risks in the risk register in real time
  • Existence of a protocol to perform and disseminate lessons learned and root cause analysis of events
  • Feedback loop to the risk registers for real-time update
  • CRO actively involved in post-event analysis and action plan

Operations/IT

  • Identification of the most important services to be restored, in order of priority
  • Stress test the ability of key systems to remain within impact tolerances
  • Reporting of events and near misses
  • Monitoring actions and impacts of events on competitors and on others not necessarily in your market sector
  • Disaster recovery / crisis management plan exists and is updated regularly
  • Disaster recovery / crisis management plan is aligned with key services


Tips for internal audit

How can internal audit assist an organisation in preparing for a significant risk event?

  • Incorporate a systematic approach to extreme events in the methodology. This means making sure that they are contextualised and considered in every operational audit of the plan, and that extreme events become a topic of discussion in thematic audits (governance, risk management framework, fraud, etc).
  • Challenge the risk management framework to uncover blind spots and dead angles in the risk methodology. For instance, many quantitative risk models are loosely based on simple assumptions about correlations and on tractable statistical distributions (such as the normal or lognormal distributions) which do not accommodate rare events or singularities. Asking how these rare events would be handled by the risk framework (including simple frequency/severity risk matrices) allows internal audit to test the validity of these models at a high level.
  • Probe the treatment of cascading or interdependent risks - the possibility that one event could trigger or increase the probability of other risks, eg the pandemic and the increase in cybersecurity risk.
  • Risk management scenarios must take a complex world view.

This means a perspective that considers non-linearities, discontinuities and deep inter-relationships between risks. Stress scenarios cannot be simply derived from past events or from marginal linear extrapolations to the existing environment. They must truly reflect discontinuous events stretching beyond business as usual.

For example, traditional resiliency plans might include a recovery site ready to use if the main site is incapacitated for whatever reason. However, the COVID-19 crisis has demonstrated the value of thinking beyond the simple replacement of a worksite to a completely different paradigm of “working from home”. Internal audit should be innovative and help their organisations to think outside of the box.
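To make the second bullet above concrete, here is an added stochastic simulation (example code written for this page, not part of the guidance and not any organisation's risk model). It compares a thin-tailed, normal-only model of annual loss with the same model plus a rare, large shock, and measures both against an impact tolerance. Every figure is constructed: a business-as-usual loss with mean 1.0 and standard deviation 0.5 (millions, hypothetical), a 2% annual chance of an extra exponentially distributed shock averaging 10.0, and a tolerance of 3.0. The point it shows is that the two models have almost the same expected loss, which is what a frequency/severity matrix tends to score, while the probability of breaching the tolerance differs by roughly three orders of magnitude.

```python
import random
from statistics import NormalDist, mean

# Constructed parameters (hypothetical annual operational loss, in millions):
# the "business as usual" loss is modelled as normal with this mean and spread.
BAU_MEAN = 1.0
BAU_SD = 0.5
# Rare shock term added to the heavy-tailed model: a 2% chance per year of an
# extra loss that is exponentially distributed with this average size.
SHOCK_PROB = 0.02
SHOCK_SCALE = 10.0
# Impact tolerance for the service (constructed): a loss above this breaches it.
TOLERANCE = 3.0


def thin_tailed_loss(rng):
    """Annual loss under a normal-only model (losses floored at zero)."""
    return max(0.0, rng.gauss(BAU_MEAN, BAU_SD))


def heavy_tailed_loss(rng):
    """Same business-as-usual loss plus a rare, large shock (a 'black swan' term)."""
    loss = max(0.0, rng.gauss(BAU_MEAN, BAU_SD))
    if rng.random() < SHOCK_PROB:
        loss += rng.expovariate(1.0 / SHOCK_SCALE)
    return loss


def simulate(sampler, n, seed):
    """Draw n annual losses from sampler with a fixed seed so runs are repeatable."""
    rng = random.Random(seed)
    return [sampler(rng) for _ in range(n)]


def breach_probability(losses, tolerance):
    """Share of simulated years in which the loss exceeds the impact tolerance."""
    return sum(1 for x in losses if x > tolerance) / len(losses)


def analytic_normal_breach(tolerance, mu=BAU_MEAN, sd=BAU_SD):
    """Closed-form tail probability that the normal-only model assigns to a breach."""
    return 1.0 - NormalDist(mu, sd).cdf(tolerance)


def compare_models(tolerance=TOLERANCE, n=50_000, seed=7):
    """Return expected loss and breach probability under both models."""
    thin = simulate(thin_tailed_loss, n, seed)
    heavy = simulate(heavy_tailed_loss, n, seed)
    return {
        "thin_mean": mean(thin),
        "heavy_mean": mean(heavy),
        "thin_breach_analytic": analytic_normal_breach(tolerance),
        "thin_breach_simulated": breach_probability(thin, tolerance),
        "heavy_breach_simulated": breach_probability(heavy, tolerance),
    }


if __name__ == "__main__":
    r = compare_models()
    print(f"expected loss: normal-only {r['thin_mean']:.2f}, with shocks {r['heavy_mean']:.2f}")
    print(f"P(loss > {TOLERANCE}): normal-only (analytic) {r['thin_breach_analytic']:.2e}, "
          f"normal-only (simulated) {r['thin_breach_simulated']:.2e}, "
          f"with shocks (simulated) {r['heavy_breach_simulated']:.2e}")
```

With these constructed inputs the normal-only model puts the tolerance four standard deviations above the mean, so it reports a breach in roughly 3 years in 100,000, whereas the model with the shock term reports one in about 60 years, even though its expected loss is only 1.2 against 1.0. An auditor challenging a risk framework can ask for exactly this comparison: which tail assumption the model makes, and how the breach probability against the stated impact tolerance changes when a rare event is added to the scenario set.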

How does the role of internal audit impact its participation in response to a risk event?

  • Reference to best practices or external case studies can help internal audit add value to crisis management in real-time.
  • Internal audit should be part of the follow-up to risk events. As observers, internal audit can ensure that the lessons learned from the event are incorporated in the processes of the organisation and that a root cause analysis addresses any improvements. One area worthy of deeper challenge by internal audit is the similarities and differences in responses to catastrophic risk events (eg, earthquake, hurricane, significant financial crisis, etc) versus strategic risk events (eg, increased commodity costs, supply chain management issues, emergence of new competition, etc).

Conclusion

The prevention, analysis and response to unexpected large events is an area where internal auditors can use their specialised skills and cross-organisation perspective to provide key insights to management and raise their profile as contributors to the preservation of the organisation’s assets.

In addition, internal audit must evolve its methodology from a focus on providing assurance on the system of controls in place to mitigate current risks to providing foresight on the robustness of controls in times of stress. This will mean systematically integrating the scenarios from the risk management function (where they exist) in the testing of key controls.

For internal audit to remain relevant in a complex world, it will have to expand its framework to provide insights on the robustness of the system of controls across a wide range of stress scenarios. It is obviously unreasonable to ask internal audit to provide “forward” assurance based on a few plausible but improbable scenarios. The objective is much less ambitious and should be clearly articulated to avoid confusion.

Our insights on the robustness of controls under stress could become a very powerful addition to the overall resiliency planning of organisations and provide a rich source of discussion for the audit committee and the board.


Further reading

Climate financial risk auditing

Business resilience and crisis planning

Operational resilience

Content reviewed: 8 July 2021