What BSI’s internal audit and risk team did to win the Audit and Risk Award for Outstanding Team – Private Sector in 2024
When your entire purpose is establishing and disseminating standards in a rapidly changing global business environment, then it is essential your internal audit function does not lag behind. Over three years, British Standards Institution (BSI) underwent a significant restructuring programme under a new CEO and CFO. Its internal audit and risk function needed to transform itself and accelerate its continuous improvement processes to meet the needs of a larger, more globally focused, organisation. Its success won it the Audit and Risk Award for Outstanding Team – Private Sector in 2024.
BSI is the UK’s national standards body and a founding member of the International Organisation for Standardisation (ISO). It works across a range of highly regulated business areas and must collaborate with regulatory bodies, accreditation bodies,
recognition bodies, governments and other external authorities. It employs thousands of auditors and receives external audits from a variety of bodies throughout the year.
Since 2021, the organisation has moved from a regional to a divisional structure and now operates across more than 30 countries. The internal audit and risk team’s nomination form explained that its transition from a “large, small organisation” to a “small, large organisation”, required new governance frameworks.
Danouglas Hurt, Audit & Risk Committee Chair at the time, described the business’s transformation as “significant” and said the organisation spent nearly £40m in 40m in projects including new operating models for key businesses, updating its IT architecture, data management, business systems and processes. At the same time the organisation continued to grow its business.
Internal audit therefore faced a considerable challenge to ensure assurance activities were timely, while also expanding its capabilities, influence and scope. Sahil Bhardwaj, who became BSI’s Group Director of Internal Audit and Risk in 2023, realised that it needed to increase its direct communications with the board and its influence on board and c-suite decisions if it was to add value today and in the future.
“The basis of our application is not founded on a response to a poor external quality assessment (EQA), profit warnings or tarnished reputation. Instead, it is one that we believe epitomises a commitment to continuous improvement during equally challenging circumstances,” he told the judges.
What BSI did
To meet BSI’s developing and future needs, the internal audit and risk team restructured from a regional to a centralised model and designed and rolled out a three-year “risk transformation roadmap” to take BSI’s enterprise risk management to a new level. The roadmap included introducing a risk acceptance process into audits, so management can choose to accept risks rather than commit to actions; the formation of a Group Risk Committee which provides a forum for the whole leadership team to discuss audit reports; and the creation of “principal risk owners”, so members of the leadership team are directly accountable for specific risks and undertake regular “deep dives” following a template provided by internal audit.
At the same time, the team has broadened its audits to cover more complex areas that are aligned with the organisation’s principal risks. They have also allowed time to respond to leadership requests for additional reviews of areas such as bullying and harassment. Root-cause analysis is included for every audit observation, so the team can suggest solutions to underlying causes. Each audit is sponsored by a member of the group leadership team to improve engagement and commitment.
“We are the internal audit and risk team, and our risk transformation roadmap recognised that audit and assurance is part of good risk management,” explains Bhardwaj. “It’s not enough for us to be assurance experts, we must be able to build trust, communicate clearly and influence the decisions that move the organisation forward.”
This is why he wanted the Group Risk Committee to act as a “lever” by getting the leadership to discuss internal audit findings as a collective. It was also why it was important to allocate principal risks to specific senior owners and engage leaders in discussions about risk acceptance. Bhardwaj wanted to change the culture around audit and risk and ensure that senior leaders were fully engaged in audit and risk discussions.
“We don’t have the authority to tell the C-suite what to do, so the fact that we managed to do all this is testament to our credibility,” he says. “Great audit work leads to changes that make a real difference to the organisation, but what do you do then? Do you do more of the same, or do you leverage this credibility to drive the business forward and influence more significant changes?”
The success of the roadmap prompted the Audit and Risk Committee (ARC) to suggest that the internal audit and risk team should grow from six to seven internal auditors, while a new guest auditor programme has brought in expertise from other parts of the organisation. All internal auditors now have access to best practice tools and peer networks via tools such as Gartner.
What the team achieved
As a consequence of this programme, management requests for additional work increased and the team played a key role in the organisation’s alignment to best practice frameworks such as ISO 31000 Risk Management.
Susan Taylor Martin, CEO of BSI, praised the team’s meticulous approach and attention to detail, but also highlighted its “proactive and thoughtful” attitude to planning. “The combination of unwavering professionalism with a collaborative approach has resulted in a team trusted at all levels within the organisation. Of particular note is the rapport the team has built with the BSI Board which is very strong; given our governance model the strength of this relationship is particularly important, and it is a testament to the commitment and quality of the internal audit and risk team,” she said.
Positive feedback prompted BSI’s Company Secretary to adopt the audit and risk team’s papers as the templates for group-wide board reporting. ARC members commented that the team has raised the level of the information and services that it provides. They were so impressed that they invited Bhardwaj to share examples of best practice with the boards and audit teams of other organisations where they hold executive and non-executive roles.
Since 2023, auditees have been surveyed for their opinions about communications, professionalism and quality after each audit engagement. The results show that 95% of all auditees believe the experience had added value.
Winning the award
As the icing on the cake, the team gained “a glowing EQA report” in 2024, and then went on to win the A&R Award. “These were the perfect validation of three years’ hard work and were great for different reasons,” he says. “They instilled further confidence in the board and the business that we are a valuable resource that can drive meaningful change, and winning meant we got more requests to do advisory work from the leadership team.”
He adds that when a new Audit Committee Chair and other non-executives recently joined BSI, “knowing that we had won an award was a great way to start the relationship. It inspired confidence.”
The team’s morale has also benefited. “Seeing that our effort had paid off and our success was recognised by our peers and by our professional institute really meant a lot to the team – it’s not superficial,” Bhardwaj says.
This was important to him as the team leader who had “banged the drum” for three years and could now point to proof that it had been worth the effort.
“Every member of the team has had exposure to this success and knows they can go on to become a great leader and take forward our experiences and what we learned to other organisations, so this is not a one-off effort,” he says. “It validates the work they’ve done, but also has a real impact on their careers and has the potential to benefit them and the wider profession today and tomorrow.”
He sees the award as a way to “amplify” what they have achieved so far, because it starts conversations and encourages managers to trust them and engage with what they are doing.
This applies externally as well as within BSI. “When we had lightbulb moments on our journey, people invited me to talk to other organisations and groups because they wanted to learn from what we’d done. That should be one of the big outcomes from the awards – how can we share and learn from each other’s ideas and innovations to drive all our organisations forward?” Bhardwaj asks.
He adds that BSI is a unique organisation with a stated purpose of inspiring trust for a more resilient world. “That’s what we advocate for, so that’s what we have to live and breathe across the whole organisation,” he says. The transformational work that he and his team have begun puts them in a stronger position to support this than ever before.