Improving business resilience – how can Heads of Internal Audit help?
Covid-19 brought the need for greater resilience into sharp focus, with businesses having to adapt rapidly to survive. Immediate challenges included the safety of their workforce, decline in revenue, supply chain disruption, maintaining production operations (in some cases to keep up with increased demand), sustaining cashflow, liquidity issues and many more. As the pandemic continued, many businesses adapted quickly, changing their business models through necessity to make them more resilient.
As the UK, hopefully, emerges into 2022 from an extended period of restrictions, businesses now need to re-evaluate whether the emergency changes they made to their operational models remain appropriate, or in the case of those that relied on Government support, whether their pre-Covid business model is still viable. This is the immediate challenge, but it is also essential that businesses take stock and consider wider factors that may threaten their future in the longer term.
Successfully evaluating and mitigating resilience risk is therefore essential. Those that do not foresee and respond to short- and long-term threats may find that their business model eventually becomes impracticable.
Devising an appropriate methodology
A structured approach should be followed to capture the complex network of relationships between a business, its customers, people, technology, supply chain, production, logistics and distribution network, which, together with its sources of funding, collectively form its business model. The resilience of the most important of these should be evaluated and understood so that effective mitigations can be put into place, as necessary.
| TYPICAL BUSINESS MODEL COMPONENTS | |
|---|---|
| Customers | Customer demand/ability to pay, market competition, pricing strategy, availability/suitability of sales channels, product availability and quality |
| People | Workforce availability, working model, skills, well-being, safety, labour costs |
| Technology | Customer facing, middle/back-office systems, security, Internet, automated process availability, power supply |
| Supply chain | Materials availability and cost, quality, supplier reliability/viability, compliance with regulations |
| Production | Plant availability, replacement parts, lubricants, power supply, safety, operational cost, compliance with regulations |
| Logistics and distribution | Availability and cost of drivers, vehicles, transport, fuel, storage, depot/distribution facilities. Trade restrictions/regulations |
| Funding strategy | Availability of working capital, debt management, equity investment, cost of capital |
Setting a baseline
The most important components should be broken down into their key process steps so that they can be assessed in sufficient depth. This should include recording the typical outcomes and resource inputs (quantities, quality, timings) that are required for the process step to be completed as required by the business. Historical performance data will be the primary source for this record.
The aim is to create a short-list of the key baseline measures that illustrate business as usual performance.
Evaluating disruption
To quantify the resilience of the business model, its tolerance to disruption needs to be assessed. Both short-term and longer-term disruption factors should be considered. For each of the key baseline measures, the direct and indirect impact of disruption needs to be quantified, including the maximum value of impact that could arise, for example the financial value of lost sales and reduced cash flow as a result of supply chain delays. In addition, the maximum tolerable duration of the disruption should be quantified. This is the point where the impact becomes critical and the resilience of the business model is exceeded.
Scenario testing
Tolerance assumptions should be tested using scenarios to assess the consequences of severe but plausible disruption of operations. An appropriate range of adverse circumstances of varying nature, severity and duration, relevant to the business model and risk profile, must be selected, and the risks to delivery of the component in those circumstances considered. Reverse scenario testing can also usefully be undertaken to confirm with more precision the point at which the impact becomes critical. Lessons learned from the scenario testing should be taken forward and improvements to process and risk mitigations introduced, where necessary.
Resilience risk mitigation
Businesses are likely to already have a range of mitigations and contingency plans in place to respond to short-term and long-term disruption, including business continuity, disaster recovery and crisis management plans, and strategic actions such as increasing on-line channels to respond to market trends. Mapping these against the evaluation and tolerance assessments for each component will enable gaps to be identified, allowing management to determine any steps that need to be taken to improve resilience.
Monitoring
Finally, resilience needs to be monitored, with data collected regularly to compare actual performance against tolerance levels. This should include any recent incidents and lead indicators to highlight changes in the probability of disruption as well as its potential impact. In view of its significance, resilience considerations should flow up through the committee structure to the Board.
The developing regulatory agenda
All large and medium sized companies already have to disclose in their annual accounts any ‘material uncertainties’ that could affect the company’s ability to continue as a going concern. Those companies must also describe each year, within their strategic report, the principal risks and uncertainties facing the business. Additional requirements apply to premium-listed companies operating under the UK Corporate Governance Code. These companies must publish annually a going concern statement, a viability statement, and an assessment of the company’s emerging and principal risks and explanation of how they are being managed or mitigated.
The largest companies will therefore have already established arrangements to evaluate their risks and to capture the information needed to meet existing reporting requirements.
However, the Department for Business, Energy & Industrial Strategy (BEIS) is currently consulting on proposals which include a formal Resilience Statement, mandating premium-listed companies to set out their approach to managing resilience risks and uncertainties in more depth and, specifically, breaking this down over the short term (1-2 years), medium term (5 years) and long term. The largest companies will therefore need to look again at their arrangements for managing and reporting resilience risk so that they are prepared for when any new reporting obligations come into force.
What this means for Heads of Internal Audit
Resilience should be high on the agenda for Heads of Internal Audit. As companies continue to reassess and adapt their operating models in response to the consequences of the pandemic, changing market trends and other factors, the resilience of these models is an important area for assurance. For the largest companies, the focus is likely to be on improving existing resilience assessments to respond to regulatory changes. For smaller companies, the framework for managing resilience risk may not be as mature and is likely to benefit from a comprehensive internal audit.
The ICAEW has provided some useful guidance on the audit of operational resilience, which is aimed at internal auditors. This focuses upon the identification and mapping of key components of the business model and their related risk of disruption, impact tolerances, scenario testing and mitigations and will help Heads of Internal Audit define the scope of a review to provide assurance over the effectiveness of resilience risk management.
However, since it is so fundamental to the success of the business, a means of integrating resilience more fully into the audit approach needs to be found so that Heads of Internal Audit can be more confident that their strategy and annual plans have identified, and sought to provide assurance on, those areas where the resilience of the business model is most under threat.
Where risk management arrangements in this area are mature, the highest risk areas will have been identified by the business, together with the key measures, tolerances and indicators of increased probability of disruption. Heads of Internal Audit can therefore use this to devise a strategic programme of assurance that covers the company’s exposure sufficiently, updating this annually based on the most up to date management information.
For less mature arrangements, only the high-level statements on principal risks and uncertainties made by the business may be available as a starting point for devising a programme of assurance. Although the information in these statements may be limited and not supported by the same level of evaluation seen within a mature framework, Heads of Internal Audit should at least be able to ensure that any resilience issues reported are considered in their audit planning. On a more tactical level, they could also consider including resilience as an element of the scope for all business process audits, ensuring that this important matter is kept “front of mind” by management and auditors alike.
Porter, M. E. The Competitive Advantage: Creating and Sustaining Superior Performance. NY: Free Press, 1985. (Republished with a new introduction, 1998.)
McKinsey - Building Resilient Operations - May 2019
McKinsey - Risk Resilience and Rebalancing in Global Value Chains - August 2020
McKinsey - The Resilience imperative - succeeding in uncertain times - May 2021
Bain & Co - Managing Trade-offs: Prediction, Adaptability and Resilience
BDO UK LLP - Business Resilience for the New Normal - July 2021
UK Government - BEIS consultation - Restoring Trust in Audit and Corporate Governance - March 2021
UK Corporate Governance Code 2018
Independent review of the Financial Reporting Council - “The Kingman Review” - December 2018
Report of the independent review into the quality and effectiveness of audit - Brydon review - December 2019
ICAEW - A Guide to Operational Resilience - February 2021
ICAEW - How to Audit Operational Resilience - February 2021