Business resilience and crisis planning

21 February 2020


Wildfires in Australia, flooding in the UK and now the Wuhan coronavirus outbreak – all of these events highlight the need for organisations to have robust business resilience and crisis plans. The role of internal audit to provide assurance to the board, audit committee and senior management regarding operational resilience is of significant importance in the current climate of uncertainty around the coronavirus.

The UK accounting watchdog requires British firms to flag up the full extent of the risks posed by the coronavirus outbreak to their businesses in forthcoming annual reports. The Financial Reporting Council (FRC) said companies have a duty to make "up-to-date and meaningful" disclosures to investors on the potential impact of the disease. It also confirmed it is in talks with accountancy firms over the potential effect that coronavirus - also known as Covid-19 - could have on their ability to sign off accounts, given travel restrictions in and to China.

The FRC's reminder about firms' obligations to disclose risks comes after technology giant Apple warned over second-quarter results because the coronavirus outbreak in China has hit production of iPhones. Banking giant HSBC also cautioned on announcing 2019 figures that coronavirus had caused "significant disruption" to its business, especially in mainland China and Hong Kong, and may knock lending and transactions in the region.

An emerging area of risk for crisis management is the exploitation of communications by cybercriminals. Recently malware-laced emails masquerading as guidance about coronavirus were detected by Japanese companies, according to TechRadar Pro, a UK-based consumer technology news and reviews website. 

An FRC spokesman said: "Given the potential for rapid spreading of the virus, required disclosures will likely change over time as more information about the epidemic emerges."

Aside from the human cost, the diverse economic impact of coronavirus is already being seen from reduced business travel, supply chain issues and cancelled events such as the F1 Grand Prix. The automotive, fashion and travel industries have been among the first to declare concerns as the world waits to see if a pandemic is declared.

According to the World Health Organisation 290,000 to 650,000 deaths a year are attributed to influenza; coronavirus is the latest strain to emerge but with resistance to current medicines.


Internal audit has a call to action across three key stages of any crisis event; prepare, engage and improve.

Stage 1 - Prepare

In a globalised world, it is not only localised events that impact continuity of operations. Internal audit should provide regular assurance that the organisation is properly addressing disaster preparedness and resilience planning. The best time for planning is when there is no pressure and a crisis has yet to happen!

Stage 2 – Engage – which is now

When the risk becomes an issue, it is not the time for internal audit to be diligently following the audit plan. Now is the time to:

  • Roll your sleeves up.
  • Put your skills to productive work – attend meetings to advise on governance arrangements, are plans being followed, check action plans for completeness – challenge risk assessments for robustness.
  • Observe and listen – real-time auditing, what works well, where is training needed, identify weaknesses in resilience arrangements for immediate mitigation, capture evidence for lessons learnt exercise after the event.

Ask the obvious/awkward questions. Hold people to account. Be the trusted advisor.

Stage 3 – Improve

Crisis events are temporary. The situation either becomes the norm or an organisation returns to a steady state. Internal audit should ensure that a lessons-learnt review is carried out relatively quickly; ideally while emotions are raw, and memories are fresh.

Coronavirus is the latest threat to test the resilience of your organisation, but if internal audit has been providing risk-based assurance, the tools to manage it should already be in place. 


Further guidance

IIA Bulletin – Rethinking preparedness: Pandemics and cybersecurity

Content reviewed: 5 March 2020