These types of risks need attention, and internal audit's unique skills and positioning can be invaluable. There are key actions internal auditors should already be starting in support of their organizations.
1. Understand and assess the full range of immediate risks. Management is responsible for managing risks. They should already have in motion expanded efforts to identify all possible risks, assess their potential impact, and think through responses.
Internal audit is a master at objectively addressing risks. Through conversations with management and participation in any variety of activities, internal audit can assess whether management has identified the full range of risks — direct and indirect — and the range of actions to manage these potential impacts, especially if the unthinkable might happen.
Management likely has started discussing risks relating to business travel, assessing the capabilities of employees working remotely for potentially long periods, determining whether critical business operations can be transferred to different locations, considering interruptions in supply chains, and ensuring effective two-way communication with staff. However, these are only a subset of the potential impacts. Internal audit can assess whether management is considering potential disruptions in offsite data-storage services, how an outbreak could affect customer-buying behaviors, or whether the organization's ability to provide customers with technical service will be disrupted.
2. Assess the organization's existing crisis management and business continuity plans. Situations like this reinforce the need for well-developed and tested planning. Crisis management and business continuity plans should clearly articulate designated roles, plans for communication and coordination, decision-making protocols, and emergency action plans. Management should be reviewing these plans for any gaps. Internal audit can monitor this effort and provide advice where deficiencies exist. Now is not the time to merely report a problem, but to help ensure plans are adequate.
Also key is determining how best to keep stakeholders informed about the organization's activities and educating employees, senior management, and the board about proper protocols should a local outbreak occur.
3. Advise your organization on thinking beyond immediate risks. There are associated risks to COVID-19 that should be on the organizations' radar, including cyber and reputational threats. The IIA Bulletin on COVID-19, published recently, noted, "Even as organizations are in the first stages of determining the potential impacts of the coronavirus on their operations, an ancillary risk is emerging — social engineering amid crisis." The bulletin goes on to describe phishing attacks masquerading as guidance about the virus.
Similarly, an organization's reputation can be affected by how it responds. A major university was recently criticized for its Instagram post that listed "xenophobia, or prejudice against people from other countries" as "normal" reactions to the growing concern about the spread of COVID-19.
4. Advise your organization on thinking about the long-term implications. The impact of COVID-19 on operations and the overall economy could potentially last for months or even years. Organizations should be looking at how an extended disruption could affect supply chains, productivity, business growth projections, cash flow, profits expectations, and more.
Organizations also should be thinking about how they would manage post-epidemic scenarios, such as quickly ramping up production to respond to pent-up demand. It is well-documented that businesses that open first after a natural disaster are often the ones that fare best in the long term.
5. Continue to monitor and update your thinking. Emerging risks, by their nature, are unpredictable. Management and internal audit must continually monitor what is happening within and outside of the organization, being agile in shifting and pivoting, as needed. Management may get consumed in executing plans to handle what they believe is occurring, losing sight of what has changed. Internal audit is well-positioned to help management make this connection.
Each of the areas addressed above stem from a central concept articulated simply and eloquently by longtime chief audit executive (CAE) and internal audit blogger Norman Marks. He wrote in his post on COVID-19 last week that internal audit's biggest contribution is simply to ask management, "How can we help?" Helping can come in many forms, but internal audit brings unique objectivity, perspective, process, and position within an organization.
Let me offer a few additional thoughts.
- To be an effective and trusted partner, internal auditors must understand their organizations' business well enough to know, understand, and anticipate risks. A firm grounding in the organization's strategy and operations is essential to see the risk landscape fully.
- An epidemic such as COVID-19 is what risk management is all about. There should be no question or hesitation by CAEs about taking on active and high-profile roles in their organizations' plans and actions.
- Boards worry about their organizations' ability to successfully identify emerging and atypical risks. That message came across clearly at a recent meeting of the National Association of Corporate Directors Houston chapter, where The IIA was invited to speak about our OnRisk 2020 report. Boards also want assurance that their corporate culture encourages collaboration across the organization to develop business plans that adapt to market disruptions, such as the COVID-19 epidemic. Internal audit should be providing that assurance.
Some might see the plunge in markets, incessant news coverage, and social media obsession with COVID-19 as an overreaction. But even if the epidemic is contained and the economic impacts are temporary and mild, the outbreak offers an opportunity to examine our capabilities, strengthen our plans to manage any significant crisis, and position internal audit as a trusted partner and advisor.
As always, I look forward to your comments.