PwC’s Mark Stock highlights how internal auditors are in a unique position to review how effectively an organisation can respond to change.
Without a doubt, ‘Resilience’ is something of a buzz word. It raises the hackles of many of us, because it is one of those terms that can mean whatever you want it to mean. To an IT specialist it might mean multi-site resilient storage, to an HR specialist it might mean the ability of people to cope with change, and to a Business Continuity specialist it might mean the opportunity to rebadge their role with a grander sounding title.
But there is now a British standard (BS 65000) defining Organisational Resilience, and an ISO standard should follow toward the end of 2016. These see Organisational Resilience as the ability to respond to change, ranging from unexpected disasters through to long-term market movements. They look at a broad range of organisational attributes, such as its culture, its leadership, its ability to horizon scan, and so on.
But the most important goal in the short term is to build much better alignment between the protective disciplines: business continuity, risk management, crisis management, security and the like. Better alignment of the protective disciplines will mean better resilience at a lower cost and with more engagement.
Internal Audit has a crucial role to play in this. It is almost uniquely positioned to look across the protective disciplines and judge whether they share the same priorities, whether there are gaps in the protection they offer the business, whether there are overlaps and inefficiencies, and most importantly whether collectively they do the job that the executive and the board expect them to be doing.
Our recommendation is a single, modular programme for reviewing Resilience. The modules may be delivered over several years, but part of the review should assess how effectively the protective disciplines interrelate, not just how each performs on its own.
These are some modules that we suggest should be contained within an Operational Resilience review framework.
Risk Management should start with risk appetite statements set at the top of the business. Your audit should assess the quality of these statements and check that they translate into key performance and risk indicators. You need to ensure that the controls for these metrics are consistent not only with the risk appetite statements but also across the various protective disciplines.
Effective Business Continuity Management (BCM) helps to minimise the impact of disruption. Plans should be practised and focused on recovering what is most important to the business. Your audits should explore the alignment between capability and the organisation’s recovery requirements, the usability of plans, and the extent to which critical resource dependencies can be recovered in an incident. A consistent BCM specification will help audit teams to guide the delivery of reviews aligned to industry best practice, and should provide the questions to ask and the evidence to look for when conducting a BCM audit.
Security should be an enabler rather than an inhibitor. Audits in this area typically consider alignment between the business strategy, the security strategy and the risk appetite, and assess the interconnections between the constituent parts of a physical security capability. This provides a line of sight from strategy through to control effectiveness, and shows the extent to which security policies support the organisation’s success factors.
IT Resilience should take a structured approach and be aligned with the organisation’s requirement for resilience, not delivered in isolation. Audits must assess the robustness of the IT resilience programme and its associated technical solutions, plans, processes and controls. Where third parties are involved, the effectiveness of the contract arrangements and performance against contract requirements should also be assessed.
An organisation’s capability to respond to and manage a corporate crisis involves more than plans. It involves a framework for incident response, plans and procedures to guide that response, and a rehearsed and confident team of responders. Your audits should review the organisation’s end-to-end capability, from technical or operational incident management through to the strategic corporate response.
Resilience relies upon a range of capabilities often delivered in separate parts of an organisation, with different governance structures and reporting regimes. Taking an integrated view of resilience allows Internal Audit to provide a more complete level of assurance when compared with individual reviews delivered for each resilience capability. It also creates an opportunity to spot dependencies and single points of failure that would otherwise be left unreported.
Mark Stock is a member of the ICAEW’s Internal Audit Panel and a Partner in Risk Assurance at PwC.