In the wake of the tragedy that led to the loss of 80 lives in the Grenfell Tower fire there have been countless reports of the ongoing investigations as to how such a preventable disaster could happen in our capital city.
Whilst the Institute does not wish to comment ahead of official investigations and add to speculation, the disaster has naturally been the topic of discussion on many occasions among auditors and risk professionals. The formal lessons learnt will be made public in due course however a common question being asked is what as auditors should we be doing now?
Ultimately a governing body such as the Board decides how much risk it is willing to take in operating a service or business but in doing this it will look to experts for advice and take comfort from assurances provided by auditors.
The Grenfell disaster brings into question not only compliance to regulations but the regulations themselves, the tests underpinning them and the cost constrained environment in which they operate. Does internal audit assurance stop at compliance and also trust the experts or skim the surface of a subject when under resourcing pressure?
Not everyone will work in an organisation where cladding is used but this isn’t about the assurance provided over cladding safety, buildings or safety in general. It is about the quality of assurance being delivered to decision makers and those determining the risk appetite of an organisation.
If we think of our own organisations, could a decision be made to save costs without understanding the full impact of the decision, be that downsizing a department, closing a warehouse, outsourcing a call centre, removing a key control?
If we step back and consider the assurance that our own Boards receive, is it a comprehensive, timely and integrated picture or do they obtain different reports from a variety of sources and have to join the dots themselves? We cannot and should not expect non-executives, committee members nor company directors to piece information together from disparate sources, work out linkages and look between the cracks, even if they have the risk mindset to do so it is unlikely that they have the time.
Inappropriate risk management not being effectively called out led to loss of economic stability following the financial crisis, environmental damage after the Deepwater Horizon and from initial findings loss of life at Grenfell Tower. Whilst lessons may be documented what do we do differently today to effect change for tomorrow?
If anyone answers no to any of these questions please contact Liz Sandwith, Chief Professional Practice Advisor, as she would value your insight into this.