Sponsored content

What the new Organisational Resilience Topical Requirement means for internal audit

 

By Richard Chambers

 

In more than five decades in and around internal audit, I've watched our profession absorb financial crises, regulatory upheaval, and a pandemic that rewrote the rules of business continuity overnight. Through all of it, one lesson has held: the organisations that survive disruption are the ones that tested themselves before disruption arrived.

That lesson now carries the weight of professional standards. The IIA's Organisational Resilience Topical Requirement, published in April 2026, applies whenever organisational resilience is the subject of an assurance engagement, and conformance will be evaluated in quality assessments. Auditing resilience well is no longer optional.

The requirement document itself is short, clear, and freely available. The harder question — the one I hear from chief audit executives every week — is where to focus. Resilience spans governance, risk management, and control processes across the entire enterprise, and no audit plan covers all of it at once. 

Knowing where organisations most commonly fall short is what turns a long checklist into a sharp scope. On that point, the evidence is remarkably consistent, and it mirrors what I've seen in boardrooms for years: confidence in recovery is nearly universal, while tested capability is rare.

 

What the Topical Requirement covers

The requirement sets a minimum baseline across three areas. Governance requirements include:

  1. A board-adopted resilience strategy.
  2. An incident command structure.
  3. Validated competencies for critical roles. 

Risk management requirements cover escalation processes, scenario analysis, and periodic stress testing. Control process requirements address dependency identification, data classification, third-party continuity, tested business continuity and disaster recovery plans, and lessons-learned reviews. These apply in full to assurance engagements and are recommended for advisory work.

Much of this territory will already feel familiar to UK internal auditors. Impact tolerances, severe but plausible scenarios, and tested recovery capability are established in the operational resilience frameworks of the UK financial regulators. The difference is reach: the Topical Requirement extends that discipline beyond financial services to every sector.

 

Confidence outruns tested capability

I learned this one the hard way. When I led The IIA through COVID-19, our business model depended on certification exams delivered at testing centres around the world. Those centres closed overnight, and no continuity plan we had on file envisioned that scenario. We rebuilt around remote proctoring in five weeks — not because of the documentation, but because we understood our mission-critical processes and had a workforce willing to adapt. A plan on file is evidence of intent. Only testing produces evidence of capability.

The data says most organisations haven't internalised that distinction. A full 92% of leaders express confidence that their organisation can meet its defined recovery objectives, yet only 39% met their recovery time objectives during their most significant disruption, according to a 2026 Optro survey of more than 500 audit, risk, compliance, business continuity, and IT resilience leaders across North America, the UK, Germany, and the UAE. More than half (54%) took longer than their defined recovery window in the past year.

 

Dependency mapping is the most common failure point

You can't recover what you don't understand. Every critical process rests on interconnected dependencies across people, technology, facilities, data, and vendors, and a crisis will find the weakest link. The Topical Requirement expects auditors to assess whether those dependencies are identified, classified, and kept current. In practice, only 42% of organisations report that all critical services are fully mapped with defined impact tolerances, while 56% describe their mapping as partial or minimal, the research shows.

When continuity plans fell short during real incidents, the causes traced directly to these gaps: 31% of leaders cite impacted processes that were not documented or mapped accurately, and 27% cite third-party failures that process mapping never anticipated.

There's a perception gap at the top, too. C-suite leaders report dependency mapping adoption at 41%, against 27% across all functions. In my experience, executives rarely overstate deliberately — they simply trust documentation that no one has pressure-tested. The UK illustrates the pattern well: British organisations lead global peers in adopting real-time business impact analysis monitoring, at 45% against 32% globally, yet gaps in dependency visibility and third-party concentration risk persist beneath the dashboards.

 

Third-party continuity: beyond the contract

Three in four organisations (76%) experienced at least one vendor failure in the past two years, and more than half of the most significant vendor-driven incidents produced losses of $1 million or more, according to the study. Oversight mechanisms exist on paper: vendor documentation reviews, onboarding assessments, and contractual resilience clauses are all reasonably common. Joint continuity testing with critical third parties is far rarer, at just 31%. A contract is a promise. I have never seen a promise to restore a failed cloud service.

 

The independent assurance gap

Perhaps the most telling finding for our profession concerns validation. Only 35% of organisations have had their business continuity programmes externally validated or audited in the past 12 months, according to the same research report. Nearly 60% have gone more than a year without an independent review, and 5% have never undergone one. Internal metrics reviewed only internally create an echo chamber, and echo chambers conceal weak assumptions until a live event exposes them.

The performance case for getting this right is stark. Organisations with fully integrated continuity programmes recovered within defined targets at twice the rate of minimally integrated peers (31% against 15%) and were more than twice as likely to activate response protocols within four hours (50% against 20%). Among UK organisations whose continuity plans underperformed, one in three blamed unclear ownership or ambiguous decision-making authority. Fragmentation, rather than a lack of investment or attention, is where resilience programmes most often fail — and structural, cross-functional weakness is precisely what internal audit exists to see.

 

Five questions to ask first

If I were scoping a resilience engagement today, these are the questions I would ask first:

  1. Is the resilience strategy a board-adopted document with operational, technological, and financial elements, and does the board receive periodic updates on resilience objectives?
  2. Are critical services mapped to their dependencies across people, technology, data, facilities, and vendors, and when was that mapping last refreshed?
  3. When were continuity and recovery plans last tested against severe but plausible scenarios, and did the results reach the board?
  4. Which critical third parties have participated in joint continuity exercises, and where are alternative suppliers documented?
  5. After the most recent disruption, did a lessons-learned process produce documented changes to plans, controls, or resourcing?

We are living through an era in which disruption is continuous, interconnected, and compounding. The organisations that will perform under pressure are those whose confidence is grounded in tested capability rather than assumption. Our profession now has both the mandate and the evidence base to close that gap. I'd encourage every internal audit leader to treat the Topical Requirement as what it is: an invitation to lead.

 

About Optro

Optro (formerly AuditBoard) helps enterprises transform risk into opportunity, redefining GRC through an agentic system of action. More than 50% of the Fortune 500 trust Optro to elevate audit, risk, and compliance in addressing a new era of risk. Optro is top-rated by customers on G2 and was named a Leader in the 2025 Gartner®️ Magic Quadrant™️for Governance, Risk and Compliance (GRC) Tools, Assurance Leaders. To learn more, visit:

Optro