During the PP-Day on November 12th, the Professional Practice Network of the IIA discussed the theme crisis management and IA(F). We covered crisis response and the role of IA(F) in managing a crisis or 'unpredictable' disruptions/incidents with a high impact.
After the opening and presentation of technical updates, Hendrik-Jan Boers took us into the theory behind crisis management, his experiences from crisis management, and the survey results.
The general picture from the survey results includes:
- The role and measures are diverse and differ per organization.
- It turns out that we see a preference for a testing role, both at the front on the design of the control measures and also at the back of crisis management. In addition, there is also favor of advising crisis plans and measures.
- It is special to observe that almost a third indicates that the Internal Audit has not (yet) played a role in the Covid-19 crisis. Obviously, IA has still been asked little to investigate control measures taken or to be taken.
- Working with a crisis team or crisis committee is often mentioned together with scenario thinking, crisis plans, and to formulate policy. Therefore, we see that much of the measures that have been taken are related to ‘throughput regulation forward’ for ensuring flexibility.
- There is an attention to independence, such as the risk of collision (advice against testing).
- Finally, yet importantly, the current Covid-19 crisis is a super crisis of a magnitude that we have not seen before. This crisis is out of all proportion to any previous crisis.
Based on the presentation on crisis management, the results of the survey, and a number of statements made known in advance, the group split up into break-out rooms to discuss the role of IA(F) with regard to crisis management in a smaller group. The most important points for attention that can be helpful in dealing with crisis management are briefly set out below.
First, an independent role of IA(F) is important to be able to offer certainty and insight, IA(F) can reflect, test and evaluate the plans, scenarios (life-case scenarios) etc.
The question is how the organization deals with unexpected and unforeseen situations. IA(F) can provide a certain level of assurance that is relevant to senior management and stakeholders. To be able to do this, it is important for IA(F) to be involved and to have sufficient audit knowledge and expertise.
The role of IA(F) is diverse and depends on the impact of the crisis and the phase in which the crisis is present. Preference is given to an assessment role both before and after the crisis.
In the pre-crisis situation, the IA(F) will mainly look at whether there are good plans and whether there is a flexible and agile crisis organization. Reference is made here to business continuity models, assessing/advising the measures, building up routine and performing simulations. Crisis management audits will therefore have to be part of the audit plan. The role of the audit here is more traditional and focused on assurance.
A post-crisis situation is referred to as the evaluation of measures, the lessons learned, and RCA. IA(F) can facilitate this process and/or provide assurance on the correctness and completeness of the evaluation and the lessons learned.
During the crisis, the role of IA(F) depends on what the organization has in mind. This can vary from the 'capture' process, participation in the crisis committee, giving advice to a more facilitating or coordinating role. Certain processes can also be screened for specific key controls, for example. This involves intensifying discussions about the risks and investing more than before the focus on the risks with a low probability. Due to a less focus of the business on the regular risks, IA(F) can or must also monitor these regular risks.
Because decisions have to be made quickly and under great pressure during a crisis, smaller teams operate better than larger teams. It is stated that this is one of the reasons that IA(F) does not automatically "participate" in the actual crisis management.
Experience has shown that risk analysis often leads to the same type of risks and offers insufficient insight into unpredictability.
That is why scenario thinking and scenario analysis is important, with attention to flexibility, rationality, and adaptive capacity. Thinking about the criteria in advance is the challenge here. IA(F) can also use standards such as ISO 22301 regarding Business continuity management systems in the context of business continuity management.
With regard to knowledge and expertise, the predominant opinion is that in principle no specific or additional knowledge and expertise is required in addition to what should already be available at the IA(F). Evidently, the importance of knowledge of the industry and the entire supply chain is essential. To make the right decisions, even in ad hoc and crisis situations under high pressure, it’s important to build up a routine.
For more information about crisis management and IA(F):
Questions? Please contact Martin Machielsen via firstname.lastname@example.org