Disaster recovery: lessons from a crisis
The past weeks and months have been difficult in many nations and industries. It has been a time of wars and storms, of labour disputes and supply-line disruptions, of stock market turmoil and pandemic illness. Across the world, internal auditors have helped their organisations cope with fires, floods, volcanic eruptions and other catastrophes. And, unfortunately, many organisations have learnt hard lessons about business continuity and disaster recovery plans.
These are extraordinary times. Yet we know that extraordinary events happen dismayingly often. Sooner or later, there will be another crisis, and in many cases that crisis will trigger further crises. The coronavirus transformed from a medical crisis to a macroeconomic one in days. Cybercrimes followed almost immediately. Other cascading risk events continue throughout the world and more issues will emerge in the aftermath of the pandemic.
This is not a time for business as usual. Many internal audit functions are receiving urgent requests for non-audit assistance. Take the accounting and finance functions, for example. During a pandemic, every accounting estimate, assumption, budget and forecast is suspect. As demand fluctuates wildly, companies must re-examine fair value measurements and adjust allowances for expected credit losses. Corporate reputations will change overnight and non-financial assets such as goodwill must be evaluated. Tax considerations, liquidity risks, compensation changes, derivative and hedging issues, out-of-balance investment portfolios and other finance issues all demand management’s immediate attention. Factories are shut, travel is restricted and key staff are absent – each one of these issues is daunting.
Internal audit may be asked to do more with less. Most organisations are slashing budgets and financial forecasts, and some internal audit teams will be asked to cut staff or to “lend” people to other departments. But, while we need to do what we can to assist, it’s important to remember that, when systems and processes are in turmoil, a cut in internal audit resources can have disastrous consequences.
Internal audit is rarely more important than in a crisis. New risks appear every day, and we are the third and final line of defence against waves of disaster. Controls are most likely to break down when systems are changing. When the unthinkable happens, internal audit helps to ensure that management identifies the full range of risks and takes appropriate action to address them.
The coming months will be difficult. This is not a situation that anyone wished for, but we can hope that our organisations learn from the experience. For years, internal auditors have highlighted issues such as incomplete, out-of-date or untested business continuity and disaster recovery plans, yet these persist.
In a 2019 survey by ContinuityCentral.com, more than half the respondents stated that the biggest challenge that might hold back their business continuity plans was a lack of budget and resources. That must change. When IIA Global conducted a flash poll of internal audit executives to gauge the readiness of organisations for Covid-19, one in five respondents was ambivalent or unsure about the sufficiency of their organisation’s resources. What’s more, nearly 40 per cent of internal audit functions were not involved in risk and response discussions in a timely manner. That too must change.
Risk management, internal audit and business continuity preparedness are not luxuries; they are the costs of doing business in the modern world. Emerging risks rarely make appointments. We must be ready when they arrive. All of us can help our organisations to prepare.
Managers are responsible for risk management and I hope your management team has expanded its efforts to update plans, identify emerging risks, assess their potential impact and think through appropriate responses. But stressed managers can make mistakes or overlook details. That’s why, in extraordinary times, internal audit is more essential than ever.
Our world is changing, and risks are growing. We must help to ensure that internal audit resources can meet future challenges, that risk management processes are appropriate for changing conditions and that our organisations have comprehensive disaster recovery and business continuity plans. We can’t wait for the next disaster.
Check out IIA Global’s Covid-19 Resource Exchange for risk guidance, thought leadership, training, tools and events.
This article was first published in May 2020.