The novel coronavirus (COVID-19) outbreak, which began in December 2019 and continues to spread, has in a short space of time presented a significant challenge across the world, both as a medical crisis and as a macroeconomic one.
Information about the virus
UK Government policy action plan
Some of the potential impacts
Ethical stance and values
Role of internal audit
Guidance from other leading authorities
COVID-19 is in the news daily, and rightly so, with updates on the latest situation both in the UK and overseas from the World Health Organisation (WHO) and the UK Government.
Novel coronavirus (COVID-19) is a new strain of coronavirus first identified in Wuhan City, China.
Updates are reported in the media daily; for example, Worldometer provides updated statistics on its website every day, showing total cases/new cases along with other statistical information country by country.
Media reporting has also highlighted the impact on the economy, with the fall in share prices and the report of £4.6trn wiped off global stocks in February 2020 and £251bn losses on the FTSE 350 in London. Airlines and travel companies bore the brunt of the latest chaos on global markets as the spread of the coronavirus triggered more panic-selling, the biggest fall in share prices since the financial crisis in 2008.
Travel restrictions introduced in an attempt to contain the spread of COVID-19 have had a significant effect on the travel industry. The oil industry has also suffered considerably from the knock-on effect of travel restrictions and global industrial supply chains, seeing crude oil prices suffer their biggest fall in three decades.
Subsequently, through action taken to curtail the virus, high street brands, for example, are fighting for survival, with some such as Laura Ashley going into administration; other industries are making cuts in staffing and furloughing staff. A package of measures has been put in place by the UK Government to support businesses and individuals.
A coronavirus is a type of virus. As a group, coronaviruses are common across the world. Typical symptoms of coronavirus include fever and a cough that may progress to a severe pneumonia causing shortness of breath and breathing difficulties.
Generally, coronavirus can cause more severe symptoms in people with weakened immune systems, older people, and those with long-term conditions like diabetes, cancer and chronic lung disease.
The UK Government issued a 25-page plan to deal with COVID-19 on 3 March 2020. This document sets out what the UK as a whole has already done – and plans to do further – to tackle the current coronavirus outbreak, based on its wealth of experience dealing with other infectious diseases and its influenza pandemic preparedness work.
The exact response to COVID-19 will be tailored to the nature, scale and location of the threat in the UK, as the Government’s understanding of this develops.
This document sets out:
The overall phases of the Government’s plan to respond to COVID-19 are:
The Plan is now in the ‘mitigate’ phase, with lockdown now in place and people only allowed to leave their homes under a list of ‘very limited’ purposes; public gatherings of more than two people have been banned and the closure of non-essential shops ordered. The relevant authorities, including the police, have been given the powers to apply the changes through fines and dispersing gatherings.
The UK Government Action Plan also highlights the role the public can play. In addition, separate COVID-19 guidance has been produced by the Government for employers and businesses.
Just like for any other risk management exercise, managers must consider COVID-19 in the context of their organisation’s own obligations, activities, objectives and values.
Society is facing social and economic disruption, threats to the continuity of essential services, lower production levels, shortages and distribution difficulties.
Large numbers of staff may be absent from work at any one time - not only may people be directly affected – being ill themselves – but they may need to care for others who are sick, or children due to the closure of schools and other childcare facilities. There is also an expectation that some people will stay at home rather than risk infection in the outside world.
If there is disruption to the transportation and logistics networks, all organisations will face problems of obtaining supplies, getting employees into work and general daily disruption. How long could your organisation function with different levels of disruption?
Other organisations may see demand rise. Organisations selling and supplying over the internet could see a boom in demand as customers stay at home but look to buy products and services without going outside. Manufacturing of products relevant to the scenario is also increasing, eg antiseptic hand gels have increased from 100,000 per month to 100,000 per day, despite advice from Gov UK that washing hands and singing two rounds of ‘Happy Birthday’ is more effective.
Some retail outlets have faced increased demands for household basics, with panic buying and some challenges regarding supplier networks. Some outlets have now placed limits on some or all products that can be purchased and have also prioritised shopping times for the elderly and NHS workers.
How could your organisation weather a downturn in demand and drop-off in cash flows? Can your organisation’s costs and revenue downturns be flexed as easily?
All of the above have financial and reputational risk associated with them.
As organisations consider the potential direct consequences, there are also ethical considerations to take into account. The response can either damage an organisation’s reputation or can enhance the world’s view of its care for customers, suppliers or staff.
Organisations might be within their rights to enforce penalties on suppliers who fail to deliver, for example. However, such an action may or may not be in keeping with the ethical stance organisations have taken and may also damage the organisation’s reputation if they are seen to be unsupportive in the pandemic scenario.
Employers have responsibility for the general health and welfare of their employees, some of whom may be asked to move into different roles, to work longer hours, to work alone when they usually work in teams, or to work from home. It will be necessary to review proposals for addressing staff shortages to ensure that your organisation doesn’t breach health and safety legislation or indeed impact the general wellbeing of employees.
Given that COVID-19 is a public health issue, organisations have gone further than the minimum required by Health and Safety legislation by installing hand sanitisers in washrooms and reception areas, increasing the frequency/depth of office cleaning, and making more use of working from home/remote working.
As with all risks, it is not internal audit’s role to manage the risk. The primary role of internal audit should be to provide assurance on the governance and the management of the risk. However, through participation in various activities, eg attending crisis management meetings and discussions with management, internal audit can assess whether all current and future risks have been identified. Some of the risks to consider may include:
Internal auditors should also be looking at whether their organisation’s business continuity planning (BCP) is still appropriate, relevant and up-to-date to meet COVID-19 and other specific scenarios.
Consideration should be given to communication and coordination planning, decision-making protocols and emergency action plans. As part of its role, internal audit can provide continuous monitoring to identify any gaps and provide advice and assurance.
Appendix 1 provides an approach to planning for COVID-19 which internal audit may use to consider the effectiveness of the organisation’s plans.
Internal audit should be advising on:
Richard Chambers, CEO/President of IIA Global, advises internal auditors that the virus is a vivid example of an emerging risk. Some emerging risks are very difficult to foresee, and their ultimate impact is hard to judge. But this difficulty does not mask the truth that COVID-19 presents a clear and compelling danger, not only for the health and well-being of the general population, but for organisations around the world.
These types of risks need attention, and internal audit's unique skills and positioning can be invaluable. There are key actions internal auditors should already be starting in support of their organisations.
Management is responsible for managing risks. They should have in motion efforts to identify all possible risks, assess their potential impact, and think through responses.
a. Internal audit is a master at objectively addressing risks. Through conversations with management and participation in any variety of activities, internal audit can assess whether management has identified the full range of risks — direct and indirect — and the range of actions to manage these potential impacts.
b. Management have discussed risks relating to:
c. However, these are only a subset of the potential impacts. Internal audit can assess whether management is considering potential disruptions in offsite data-storage services, how the outbreak will affect customer-buying behaviours, or whether the organisation's ability to provide customers with technical service will be disrupted.
Situations like this reinforce the need for well-developed and tested planning. Crisis management and business continuity plans should clearly articulate designated roles, plans for communication and coordination, decision-making protocols, and emergency action plans.
a. Management should have reviewed these plans for any gaps. Internal audit can monitor this effort and provide advice where deficiencies exist.
b. Now is not the time to merely report a problem, but to help ensure plans are adequate.
c. Also key is determining how best to keep stakeholders informed about the organisation's activities and educating employees, senior management, and the board about proper protocols.
There are associated risks to COVID-19 that should be on the organisations' radar, including cyber and reputational threats. The IIA Bulletin on COVID-19, published recently, noted, "Even as organisations are in the first stages of determining the potential impacts of the coronavirus on their operations, an ancillary risk is emerging — social engineering amid crisis." The bulletin goes on to describe phishing attacks masquerading as guidance about the virus.
a. Similarly, an organisation's reputation can be affected by how it responds. A major university was recently criticised for its Instagram post that listed "xenophobia, or prejudice against people from other countries" as "normal" reactions to the growing concern about the spread of COVID-19.
The impact of COVID-19 on operations and the overall economy could potentially last for months or even years. Organisations should be looking at how an extended disruption could affect supply chains, productivity, business growth projections, cash flow, profit expectations, and more.
a. Organisations also should be thinking about how they would manage post-epidemic scenarios, such as quickly ramping up production to respond to pent-up demand. It is well-documented that businesses that open first after a natural disaster are often the ones that fare best in the long term.
Emerging risks, by their nature, are unpredictable. Management and internal audit must continually monitor what is happening within and outside of the organisation, being agile in shifting and pivoting, as needed. Management may get consumed in executing plans to handle what they believe is occurring, losing sight of what has changed. Internal audit is well-positioned to help management make this connection.
The World Health Organisation (WHO) offers advice and their materials are regularly updated based on new scientific findings as the epidemic evolves.
With the number of COVID-19 cases continuing to increase, the UK Government has moved to the ‘mitigate’ phase of its plan, with lockdowns now in place.
Some of the impacts of this virus include social and economic disruption and therefore reviewing, updating and monitoring business continuity planning is essential.
Internal audit, as a trusted partner and advisor, is in a unique position to assist the organisation by providing advice and assurance in relation to the robustness of the business continuity/operational resilience planning and the controls being implemented to accommodate the changing business scenario.
Internal audit doesn’t have the appropriate knowledge or skill to offer any form of medical advice and must not do so.
There is merit in internal audit, as well as others, monitoring various sites such as Gov UK Coronavirus so that internal audit has current, up-to-date information with which to assess whether the organisation is working with the latest information from Government and planning accordingly.
Chartered IIA - COVID-19 hub
IIA Bulletin – Rethinking Preparedness: Pandemics and Cybersecurity
Global perspectives and insights – Crisis Resilience