View from the top: Forewarned – stay one step ahead

At times of disruption and rapid change it is more important than ever that internal audit functions are able to identify emerging and evolving risks swiftly and to monitor, prioritise and respond to them accordingly. In our team we have built strong relationships internally and are well connected with key stakeholders, but I must admit that when I have been in their shoes, in operational roles, and the chips are down, my first thought has not always been “I must call internal audit…”

In response to both the volatility inflicted by the COVID-19 pandemic, and AstraZeneca’s decision to partner with Oxford University to develop a vaccine, the internal audit team decided to strengthen and formalise our processes for identifying and tracking emerging risks. This enabled us to have valuable conversations with key stakeholders at the right time, thinking ahead to what needed to be built from a risk and controls perspective.

We also developed a dynamic approach to our audit plan, prioritising real-time work on risks that mattered. While they were initially introduced in light of COVID-19, I strongly believe that these processes will continue to be a valuable part of our work in the future, helping us to remain relevant in our response to any future uncertainties that lie ahead.

I joined AstraZeneca in January 2020, just a few months before the company embarked on this landmark collaboration in the midst of a global pandemic. Looking back, my previous roles in multinationals in different industries all stood me in good stead, giving me the experience I needed to hold an independent view of risk in a rapidly evolving environment, and to engage with senior stakeholders appropriately.

Formalising this into an emerging risk process was a logical early step to match the scale and speed of activity across the enterprise.

Communication and strong relationships throughout the business are vital. Senior management needs to understand the value internal audit can bring by asking them to consider things they have not routinely considered before.

I benefitted from the open and collaborative culture that is at the heart of AstraZeneca, which meant that my inability to meet a number of the senior leaders physically before the first UK lockdown was never an issue – they were always accessible to me. They also respected the new perspectives I brought from other industries and organisations.

Getting the balance right is key. It was essential to provide appropriate challenge, derived from the outputs of the emerging risk process, and well-considered assurance work that was timely and proportionate to address business-critical risks. This engendered trust with stakeholders and the audit committee.

When considering emerging and evolving risks, it’s essential to contemplate a variety of views, drawing on a wide pool of possible sources of qualitative and quantitative information, from within and outside the organisation. Many of the final decisions can still come down to intuition and judgment, but having a broad spectrum of views and the right information readily available can help to inform those decisions. Being able to draw upon the experience and relationships of members of my team was also invaluable, and their full participation in the emerging risk process meant that we began with a common approach and view.

These elements, coupled with the Chartered IIA’s technical guidance on emerging risk assessment in internal audit, helped to inform the development of our emerging risk process. Its primary goal was to ensure that developing risks came on to the radar quickly, were closely monitored as they developed, were discussed with management, and that we could provide timely assurance over them if necessary.

We began by establishing weekly meetings within the internal audit team to discuss the risks that we could see approaching imminently, as well as those that could become important in the longer term. These meetings were informed by regular engagements with key stakeholders, with whom we shared our observations. These included sessions set up with the enterprise risk team, the vaccine programme risk management representatives and senior leaders across the enterprise. We also took external scans through, for example, consulting contacts across our industry.

All potential risks identified were then formally tracked in a log and continuously monitored and assessed. For any that warranted targeted, real-time assurance activities, we reprioritised the audit plan and deferred some less critical audits to create capacity. We shared the approach with the audit committee from the start, and ratified changes to the plan quarterly. This allowed us to cover a variety of issues in real-time, providing assurance in a pragmatic and timely fashion. Management was supportive because they could see that we were looking at what they needed to know, when they needed to know it.

While none of this is rocket science, I think the rigour with which we followed our process and the fact that it was formalised, with regular and frequent repetitions, really helped us to stay on top of fast-moving complexity and to bring an independent view to the table.

Today, we are continuing to develop the emerging risk process further. A director in my team is responsible for driving this, and the objectives for the year ahead include continuing to develop the various inputs to the process, ensuring we are identifying potential risks in a timely fashion, and helping us to be informed in our discussions with the business. This will involve gathering and scanning more data from across the organisation, and looking for opportunities to engage further with third parties.

Many people in our profession use the racing car analogy, devised many years ago by a previous boss of mine, to describe internal controls as the brakes that allow an organisation to go faster by slowing down ahead of the corner and not spinning off the track as you navigate it.

Perhaps I am over-egging the metaphor, but I think internal audit having a formal established emerging risk process is part of the organisation’s advanced driving capability. In order to navigate a corner at optimum speed, there’s a technique called the ‘Limit Point’ that can help you to judge the severity of the bend, where and when to brake and when to accelerate to traverse it at the highest possible safe speed. Since you don’t know what hazards lie ahead or the severity of the risks you will encounter, constantly scanning and monitoring emerging risks, keeping an eye on the Limit Point, is essential to enable internal audit to ask the right questions of the business (have the brakes been fitted, do people know when to apply them, are they working?) and to provide well-judged assurance at the right time.

I’m incredibly proud to have been part of AstraZeneca’s team over the past couple of years – the whole company is truly amazing in the way it works and what it has achieved. I’m also particularly proud of my internal audit team, who have continued to provide well-judged assurance to the business throughout the pandemic. I hope our work will help it to thrive during the challenges ahead. 

This article was published in March 2022.