COVID19 has reinforced, again, the problem with a “failure of imagination” in many risk management processes.
– and that applies to internal audit as well
I’ve just facilitated a head of audit event, with only one person pulling out because of COVID19. However, it was inevitably a key topic of conversation, and here are some reflections that might be of interest:
A failure of imagination was one of the key learnings from the 9/11 tragedy, and it looks like many organisations have found themselves with a similar problem with COVID19, and all its knock-on impacts. It may not be a big priority right now, but all organisations who have felt blind-sided by what has happened should be prepared, at the right time, to take a long hard look at their risk management processes.
- What other risks are there where we might be thinking “that will never happen”?
- How do we make sure we prioritise impact over probability?
- How good is your organisation in thinking through the knock-on consequences of one risk on other aspects of its operations?
A new coronavirus was first identified on 31st December 2019; when did it start to get on your organisation’s radar screen?
CNN have done a great timeline of COVID19; key points include:
11th January 2020: First death
16th January 2020: In Japan
17th January 2020: Selective screening in the US
21st January 2020: First case in the US
23rd January 2020: Emergency committee of WHO formed
29th January 2020: White House task force
30th January 2020: Person to person transmission in the US
2nd February 2020: First death outside of China (in the Philippines)
14th February 2020: COVID19 found in Egypt
etc.
The evolving news story has been well publicised across the world and was effectively an early warning that a pandemic might happen and could have prompted organisations to look at their business continuity arrangements. So, when, in fact, did your organisation start to make preparations in earnest? Are there other areas where more attention could be paid to early warning signals?
Are past assurances given about continuity arrangements proving to be too positive?
Hopefully most organisations are working flat out to prepare themselves for COVID19 and double-checking past plans and assurances. If these are proving to be too positive, and are needing to be revisited, it would suggest that the amount of assurance that is being given needs to be thought about more carefully. This may apply to back-up plans for payroll and IT and home-working as well as third party suppliers and service providers.
When you ask others for assurance, have you defined what assurances you are expecting in terms of service levels – and what assumptions have been made about staffing levels etc.? When you look at arrangements relying on third parties, what do the contractual arrangements say; are there any “force majeure” clauses and are you clear about fall-back contact/emergency cover details?
Whilst organisations need to be pragmatic and flexible to “fight fires” now, how do we ensure we won’t cut corners we will regret in 3-6-12 months’ time?
If there is a crisis, a fire, let’s put it out. This means organisations may need to adopt the 80/20 rule in many areas – “good enough will be good enough”, but how clear is the organisation about areas where compromises to standards should not be made? This could be in relation to treating customers fairly, or in relation to certain data security and other control processes; otherwise cuts in these areas will just lead to other problems and surprises shortly or in some months’ time.
- Are we clear which aspects of our operations can be good enough with the 80/20 rule and which activities need to continue to be delivered to the highest standards?
- What record will be kept of where corners are being cut, so we have visibility of this?
- What are the areas where we have zero tolerance to short-cuts?
Turning to Internal Audit
What adjustments are needed to the audit plan?
This is the obvious one: any planned audits that are not business critical should probably be seriously challenged and/or postponed, since there are undoubtedly key risks / new projects where internal audit’s skills could be invaluable, either to assure progress of business critical continuity plans, or to advise on process changes that will maintain operations and compliance where fewer staff are available.
Heads of Audit should urgently clarify with Senior Executives and the Audit Committee which audits should continue and which should be postponed, as well as the key areas it might be sensible for audit to get involved in. One good practice is to have P1 audits on the plan which cannot be sacrificed and P2 which are nice to have. Also, do not forget the option of seeking “direct assurance” from project managers/executives to the audit committee, where a “follow-on” piece of assurance from IA is possible on any areas of residual concern.
Of course, adjustments to the audit plan should factor in possible staffing shortages in the audit team, as well as arrangements for remote working/direct access to systems as much as possible.
Assignments should focus on just the key exam questions
With everything going on at the moment, it is crucial that audits do not progress per business as usual. Ask tough questions about which scope areas are really essential to be covered (particularly in areas not linked to COVID19) and focus only on these.
Few business managers will have an interest in “nice to have” matters for the next 3-6-9 months. Likewise, audit reports should recommend that only the most critical issues are remediated; anything else will likely be challenged: “you auditors are not living in the real world”.
Look at open issues and the follow-up process
There are two key considerations. With everything else that’s going on, consider the number of open audit issues and determine which really must be remediated, notwithstanding COVID19. Based on this, engage key stakeholders on two key points:
- Which lesser issues should probably be deferred given everything else that is going on?
- How to make sure critical issues will be remediated, even if there are staffing and other disruptions.
In summary, although COVID19 poses many fundamental challenges to organisations, it also provides a very important opportunity for internal audit to “step up to the plate”, so I hope you are planning to discuss these issues with your audit team and key stakeholders in the near future if you have not already done so.
Finally, my thoughts go out to all of you in these unsettling times.
Comments most welcome: jcp@RiskAI.co.uk and www.RiskAI.co.uk.