Some COVID-19 lessons for Risk Management and Internal Audit

 

By Hervé Geny and Christian Thurow

(The opinions expressed in this article are the authors’ personal views)

 “Never Let a Good Crisis Go to Waste” - Winston Churchill

 

Early in 2020 Covid-19 hit the world with unexpected force. The health care systems in many countries were overwhelmed, forcing governments around the globe to take drastic measures to slow the spread of the virus. Many national economies went into an artificial coma, with all but the most essential businesses forced to shut down until the peak of the pandemic is deemed over by the respective national governments. The divergent approaches of countries in dealing with the pandemic caused severe disruptions to the flow of people, goods and services around the world. The resolution of the crisis will hopefully yield useful insights for governance and management at all levels, from supra-national organisations to national governments all the way down to local institutions. In this article we focus on the lessons learned so far for corporate Risk Management and Internal Audit, although we believe that they could also be useful to governments and other institutions.

The first of these lessons should be humility, considering the general lack of preparedness and coordinated action on Covid-19. We have known for more than 20 years that such a serious pandemic could happen (see for example the CDC paper from 1998: “Preventing Emerging Infectious Diseases: A Strategy for the 21st Century”) and, yet, Covid-19 has been widely described by politicians and key economic leaders such as CEOs as an unprecedented event. Nor is it the case that such deadly pandemics have not happened before (the 1918 Spanish flu killed 25 to 50 million people, while the flu seasons of 1957 and 1968 killed somewhere between 1 and 4 million people each), or that the Covid-19 symptoms are completely new to health professionals (they are quite similar to those of the previous SARS and MERS outbreaks). However, the combination of a more populous and complex world with the globalisation of travel and the integration of production supply chains makes a global pandemic a much bigger risk now than ever before. And yet, it seems that most governments, health systems and economic actors were caught severely unprepared by the emergence of Covid-19.

This crisis must provide the impetus for deep and long-lasting changes in the way corporate entities view and manage their risks and provide assurance on their controls. In the rest of the article, we will focus our recommendations on three main areas:

  • Resiliency: revisit the worst-case scenarios for key risks and the contingency plans to deal with more interconnected events characterised by complexity and discontinuities;

  • The risk management process: redirect the value chain of the second line of defence towards influencing strategic decision making instead of focusing mostly on identification, ranking and reporting of risks;

  • The internal audit process: shift the emphasis towards providing insights on the robustness of controls in times of stress rather than simply providing assurance on the effectiveness of controls in the existing context.

The recommendations highlighted above will also, we hope, help reshape the governance provided by the board towards a more robust challenge of management's resiliency and sustainability efforts against the key financial objectives of the firm. The relevant Board committees (Risk and Audit) need to ensure that the second and third lines of defence are properly equipped to inform and influence management decisions, based on methodologies that organically incorporate resiliency into their day-to-day work.

Resiliency

Resiliency has recently become a major topic for financial regulators worldwide. In the UK, the Bank of England published a discussion paper on the topic at the end of 2019 (Bank of England/PRA: CP 29/19 issued in December 2019), while the EBA (European Banking Authority) had revised its guidelines on outsourcing in February 2019 to strengthen the management of outsourced services in case of disruptions. The Covid-19 crisis, however, has brought to the fore the necessity to have robust resiliency plans for all types of companies and institutions across the spectrum of economic activities.

We believe that resiliency planning must feed directly from the key risk scenarios of the risk management processes (see more in the risk management section below) and good scenarios for resiliency planning must have at a minimum the following three characteristics:

  • They must proceed from a complexity world view, i.e. one that considers non-linearities, discontinuities and deep inter-relationships between risks. This means that stress scenarios are not simply derived from past events or from marginal linear extrapolations of the existing environment. They must truly reflect discontinuous events stretching beyond business as (almost) usual. For example, traditional corporate resiliency plans typically incorporate a recovery site ready for use if the main site is incapacitated for whatever reason (fire, terrorism, flood...). However, Covid-19 has demonstrated the value of thinking beyond the simple replacement of a worksite to a completely different paradigm of “working from home”.

  • Once scenarios have been imagined and developed, their escalation to the executive and the board must include full narratives of the improbable events instead of relying on the aggregated risk indicators used for the usual risk reporting process. What is useful to management is the story behind the event rather than the simplified characterisation of the probability/severity of the risk. In the case of the pandemic scenario, the full narrative will now have to include the possibility of a significant fraction of employees being unable to work because of sickness while most others work and communicate from home. This means that the firm will also have to assess its digital strategy to support this mode of working and look at further risks affecting the scenario. Examples would include: what if network providers fail or experience bandwidth issues? How will our employees be able to balance work and personal life depending on their living arrangements?

  • Finally, scenarios must incorporate action plans which are regularly tested and can be implemented in a streamlined fashion (i.e. without excessive governance or bureaucracy). War is planned in times of peace! The results of the tests should be shared and discussed regularly with management and the board. It is important that the plans not only focus on the handling of the imminent crisis but also outline adaptive mechanisms for returning to more normal circumstances.

The Risk Management Process

Although there are various risk management frameworks in place, the fundamental elements of corporate risk management follow a standard process: risk identification, risk assessment, risk mitigation, risk monitoring and reporting.

What is typically missing from these models, however, is a clear relationship to the decision-making process of the company. Indeed, if one is spending larger and larger amounts of money on a risk framework employing more and more people, the result should be better decision making, because of greater awareness and understanding of risk events. Otherwise one is simply creating another drag on the business. Alas, while much energy has been spent putting the standard process above in place, there is still a large gap in relating the work of the risk management function to the strategic direction of the firm in a dynamic way.

One key example is the emergence of risk appetite statements, which should clarify the risk-bearing capacity of the company and the risk tolerance of the board. However, there is currently a large disconnect between vague risk appetite statements and the tools used to generate them, in most cases risk matrices and estimates of the probability/impact of various events. Risk matrices have been accepted as best practice by many firms because they supposedly provide a simple and effective way to identify and rank risks. In reality, risk matrices are not supported by any “science”; they suffer from many consistency issues[1] and can create errors of their own. In addition, once risk events have been positioned in a risk matrix, it is impossible to link them directly and consistently to the risk appetite of the company, because there is no basis for loss measurement. Most often, risk matrices also only capture each risk on a stand-alone basis and in different categories. But the occurrence of two unrelated risks at the same time can lead to a higher aggregated risk. For example, in most HR risk registers one can find a risk entitled “Lack of succession planning”, while a separate business risk register may contain a risk called “Risk of pandemic”. Whatever the original stand-alone estimates for these two risks, in times of a pandemic both the likelihood (employees falling ill) and the impact (difficulty finding external successors) of the HR risk will clearly be higher.

Risk methodologies must evolve toward better quantitative standards if they are to influence decision making at executive level. Covid-19 is a case in point. One can assume that most firms had some kind of pandemic event in their risk register. Maybe it was rated with a “Low” likelihood and a “Severe” impact. So far so good. Then what? How do you relate such estimates to a risk appetite statement that might say: “In case of a pandemic, we should be able to continue to operate x% of our business and not lose more than £Ym while ensuring the maximum safety of our personnel”? How do you then justify the investment in digitalisation and communication technologies to ensure resiliency if all the risk “measurement” you have is a “Low likelihood/severe impact” rating? How do you prioritise these investments against the mitigation of other competing risk events with the same probability/impact categorisation?

There are much better ways to provide a quantitative basis for risk-based decisions, but they will require a shift in thinking for operational risk management teams. Some of these statistical tools look complicated, but they have been used by engineers and actuaries for decades. A simple loss exceedance curve (LEC) model[2], for example, can easily be substituted for risk matrices and provide a quantitative link to the risk appetite, liquidity, profitability and capital of the entity. It can also be used as a tool to link different inter-related risks, to measure the effect of risk mitigation efforts and to serve as the basis for investment decisions in such mitigation. More sophisticated tools can be used to analyse scenarios further (Bayesian analysis, coherent stress testing...).
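As an added illustration of the loss exceedance approach described above, and of the inter-related succession/pandemic risks from the previous section (this is not the authors' code; the register entries, probabilities, impacts and the £9m/2% appetite statement are all constructed), the following Python computes an exact annual loss distribution and exceedance curve for a small risk register, once with every risk taken stand-alone as a risk matrix does and once with the pandemic-driven increase in the likelihood and impact of the other risks, and checks both against a quantitative risk appetite statement.

```python
from itertools import product
from typing import Dict, List, Optional, Tuple

# Hypothetical risk register entries (constructed for illustration, not from the article):
# (name, stand-alone annual probability, impact in £m, optional conditional override
#  (driver risk name, probability if the driver occurs, impact if the driver occurs)).
Risk = Tuple[str, float, float, Optional[Tuple[str, float, float]]]
RISKS: List[Risk] = [
    ("Pandemic", 0.05, 8.0, None),
    # Succession gap: 10% / £2m stand-alone, but 50% / £3m in a pandemic year
    ("Succession gap", 0.10, 2.0, ("Pandemic", 0.50, 3.0)),
    ("Network outage", 0.20, 0.5, ("Pandemic", 0.40, 1.5)),
]

def loss_distribution(risks: List[Risk], use_dependencies: bool = True) -> Dict[float, float]:
    """Exact annual loss distribution, enumerating every occur/not-occur pattern.
    With use_dependencies=False each risk is treated stand-alone, as a risk matrix does."""
    names = [r[0] for r in risks]
    dist: Dict[float, float] = {}
    for pattern in product((False, True), repeat=len(risks)):
        occurred = dict(zip(names, pattern))
        prob, loss = 1.0, 0.0
        for name, p, impact, cond in risks:
            if use_dependencies and cond is not None and occurred[cond[0]]:
                p, impact = cond[1], cond[2]   # driver happened: use the conditional values
            prob *= p if occurred[name] else 1.0 - p
            loss += impact if occurred[name] else 0.0
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist

def exceedance(dist: Dict[float, float], threshold: float) -> float:
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(p for loss, p in dist.items() if loss > threshold)

def lec_points(dist: Dict[float, float]) -> List[Tuple[float, float]]:
    """The whole curve: (loss level, P(loss > level)) for each attainable loss level."""
    return [(level, exceedance(dist, level)) for level in sorted(dist)]

def within_appetite(dist: Dict[float, float], max_loss: float, max_prob: float) -> bool:
    """Appetite check: 'lose more than max_loss in a year with probability at most max_prob'."""
    return exceedance(dist, max_loss) <= max_prob

if __name__ == "__main__":
    for label, dep in (("stand-alone (risk-matrix view)", False), ("with dependencies", True)):
        dist = loss_distribution(RISKS, use_dependencies=dep)
        print(label)
        for level, prob in lec_points(dist):
            print(f"  P(loss > £{level:.1f}m) = {prob:.3%}")
        # constructed appetite statement: at most a 2% chance of losing more than £9m in a year
        print("  within appetite (>£9m at most 2%):", within_appetite(dist, 9.0, 0.02))
```

With these constructed numbers the stand-alone view puts the chance of losing more than £9m at 0.5%, inside the appetite, while modelling the dependency raises it to 3.5%, outside it; that gap is exactly what a probability/impact matrix cannot show.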

These tools can also be used to rebase the risk appetite of the firm. If Covid-19 has impacted the risk position of the company, it is likely that more risks are now outside of the previously agreed risk appetite. In that case, the existing risk mitigation measures must be re-evaluated. Further questions that need to be answered include:

  • Are the existing risk limitation measures still on track / effective?

  • Does the company still have the resources to mitigate / limit the identified risks?

  • Do more risks need to be transferred to lower the overall risk exposure?

  • Do the existing risk transfer schemes cover pandemic related risks (several insurance policies exclude pandemic risks)?

  • Are there established rules about risk acceptance? Is there a need to re-evaluate accepted risks, as the risk level might now have changed?

The internal audit management process

Internal Audit is the third Line of Defence. Its main objective is to provide reasonable independent assurance to the Board and to senior management on the adequacy and effectiveness of the organisation’s governance, risk management and internal control systems.

In the short run, and given the fluidity of the current situation, Internal Audit should design a short continuous monitoring programme around Covid-19 rather than performing a more typical, lengthy “full-blown” audit. In an agile audit style, topics should be chosen for each week and short “sprints” performed. For example, there could be a “Finance focus” with tests around changes to financial controls, DSO (Days Sales Outstanding), etc. The results could be fed back to the CFO in a continuous and timely manner. With that approach Internal Audit can keep an eye on the situation and give up-to-date responses to Senior Management. On the other hand, the Chief Audit Executive must also evaluate the impact of the current situation on the function's ability to deliver the existing audit plan. Questions to answer are:

  • Can Internal Audit still deliver the audit plan or is there a need to reprioritise audits?

  • Does the situation impact Internal Audit’s ability to access company information?

  • Does the situation have an impact on the closure of open audit actions (either due to changes in the actions or changes in the agreed timeframe)?

In the longer run, Internal Audit should use the lessons of the Covid-19 crisis to integrate a resiliency view into its audit plan and day-to-day work. What this means is that instead of simply focusing on providing assurance on the system of controls in place to mitigate current risks in the existing business setup, internal auditors must now be able to provide insights on the robustness of controls in times of stress. This will mean systematically integrating the scenarios from the risk management function into the testing of key controls. It is obviously unreasonable to ask Internal Audit to provide “forward” assurance based on a few plausible but improbable scenarios. The objective is much less ambitious, but these insights on the robustness of controls under stress could become a very powerful addition to the overall resiliency planning of companies and provide a rich source of discussion for the Audit Committee of the Board.

Covid-19 is a case in point for this new approach to auditing, as it has demonstrated that our way of working can change very quickly, in particular with the wide adoption of remote working. In such a context, how do we know that the controls we established years or months ago still work?

Examples of questions that managers are now asking themselves include:

  • Have business and control processes changed due to Covid-19 related measures? The initial pre-pandemic risk identification was based on the business processes that were in place at that time. Due to the Covid-19 lockdown measures in many countries, existing business processes have been disrupted and sometimes replaced by new “workarounds”. A good starting point is the set of pre-pandemic process maps: is that process flow still in place?

  • Are the relevant controls and control self-assessments still in place? Or have the working-from-home situation, the travel restrictions, etc. led to a change in the existing processes? If so, which new risks can arise? A key area will be data leakage and data loss prevention, especially for those companies that have a “BYOD” (Bring Your Own Device) policy.

  • What will be the impact of external changes over which we have little or no influence? The pandemic is having a severe impact on the business landscape of most countries. In general, both the supply side and the customer side of a firm are deeply affected. The supply side not only encompasses suppliers of goods and services but also new hires. Questions to evaluate are:

    • Does the company still receive the required goods and services?

    • Can clients or suppliers end or cancel existing contracts?

    • Is there a risk of a supplier default?

    • Has the crisis had an impact on the quality of the received goods and services?

    • Can the company still attract the required talent? Are there any critical roles unfilled?

    • What will happen to my employees’ wellbeing and what will be the consequences on the company’s workforce overall?

The current lockdown situation increases the mental and physical health risks for many employees. Depression, alcohol abuse and domestic violence seem to be on the rise. Line managers should be given tools and guidance on how to engage with their staff. Existing health and safety measures might need to be expanded.

For Internal Audit functions to remain relevant in a complex world, they will have to expand their framework to provide insights on the robustness of the system of controls for a wide range of stress scenarios.

Hervé Geny is former Chief Internal Auditor at the London Stock Exchange Group and was Chief Risk Officer at ICAP.

Christian Thurow CFE, CFSA, CRMA, Chartered MCSI, is a Senior Business Audit Manager based in London.

[1] For a discussion of the problems with risk matrices, see for example: L.A. Cox, “What’s wrong with risk matrices?”, Risk Analysis, vol. 28, no. 2 (2008), pp. 497-512.

[2] See: “A New Approach for Managing Operational Risk”, Society of Actuaries, 2009, 2010.