Improving business resilience – how can Heads of Internal Audit help?

Covid-19 brought the need for greater resilience into sharp focus, with businesses having to adapt rapidly to survive. Immediate challenges included the safety of their workforce, decline in revenue, supply chain disruption, maintaining production operations (in some cases to keep up with increased demand), sustaining cashflow, liquidity issues and many more. As the pandemic continued, many businesses responded quickly, changing their business models through necessity to make them more resilient.

As the UK, hopefully, emerges into 2022 from an extended period of restrictions, businesses now need to re-evaluate whether the emergency changes they made to their operational models remain appropriate, or in the case of those that relied on Government support, whether their pre-Covid business model is still viable. This is the immediate challenge, but it is also essential that businesses take stock and consider wider factors that may threaten their future in the longer term.

Successfully evaluating and mitigating resilience risk is therefore essential. Those that do not foresee and respond to short- and long-term threats may find that their business model eventually becomes impracticable.

Devising an appropriate methodology

A structured approach should be followed to capture the complex network of relationships between a business, its customers, people, technology, supply chain, production, logistics and distribution network, which, together with its sources of funding, collectively form its business model. The resilience of the most important of these should be evaluated and understood so that effective mitigations can be put into place, as necessary.

TYPICAL BUSINESS MODEL COMPONENTS

Customers: Customer demand/ability to pay, market competition, pricing strategy, availability/suitability of sales channels, product availability and quality

People: Workforce availability, working model, skills, well-being, safety, labour costs

Technology: Customer facing, middle/back-office systems, security, Internet, automated process availability, power supply

Supply chain: Materials availability and cost, quality, supplier reliability/viability, compliance with regulations

Production: Plant availability, replacement parts, lubricants, power supply, safety, operational cost, compliance with regulations

Logistics and distribution: Availability and cost of drivers, vehicles, transport, fuel, storage, depot/distribution facilities. Trade restrictions/regulations

Funding strategy: Availability of working capital, debt management, equity investment, cost of capital

Setting a baseline

The most important components should be broken down into their key process steps so that they can be assessed in sufficient depth. This should include recording the typical outcomes and resource inputs (quantities, quality, timings) that are required for the process step to be completed as required by the business. Historical performance data will be the primary source for this record.

The aim is to create a short-list of the key baseline measures that illustrate business as usual performance.

Evaluating disruption

To quantify the resilience of the business model, its tolerance to disruption needs to be assessed. Both short-term and longer-term disruption factors should be considered. For each of the key baseline measures, the direct and indirect impact of disruption needs to be quantified, including the maximum value of impact that could arise, for example the financial value of lost sales and reduced cash flow as a result of supply chain delays. In addition, the maximum tolerable duration of the disruption should be quantified. This is the point where the impact becomes critical and the resilience of the business model is exceeded.

Scenario testing

Tolerance assumptions should be tested using scenarios to assess the consequences of severe but plausible disruption of operations. An appropriate range of adverse circumstances of varying nature, severity and duration, relevant to the business model and risk profile, must be selected, and the risks to delivery of the component in those circumstances considered. Reverse scenario testing can also usefully be undertaken to confirm with more precision the point at which the impact becomes critical. Lessons learned from the scenario testing should be taken forward and improvements to process and risk mitigations introduced, where necessary.

Resilience risk mitigation

Businesses are likely to already have a range of mitigations and contingency plans in place to respond to short-term and long-term disruption, including business continuity, disaster recovery and crisis management plans and strategic actions such as increasing on-line channels to respond to market trends. Mapping these against the evaluation and tolerance assessments for each component will enable gaps to be identified, allowing management to determine any steps that need to be taken to improve resilience.

Monitoring

Finally, resilience needs to be monitored, with data collected regularly to compare actual performance against tolerance levels. This should include any recent incidents and lead indicators to highlight changes in the probability of disruption as well as its potential impact. In view of its significance, resilience considerations should flow up through the committee structure to the Board.

The developing regulatory agenda

All large and medium sized companies already have to disclose in their annual accounts any ‘material uncertainties’ that could affect the company’s ability to continue as a going concern. Those companies must also describe each year, within their strategic report, the principal risks and uncertainties facing the business. Additional requirements apply to premium-listed companies operating under the UK Corporate Governance Code. These companies must publish annually a going concern statement, a viability statement, and an assessment of the company’s emerging and principal risks and explanation of how they are being managed or mitigated.

The largest companies will therefore have already established arrangements to evaluate their risks and to capture the information needed to meet existing reporting requirements.

However, the Department for Business, Energy & Industrial Strategy (BEIS) is currently consulting on proposals which include a formal Resilience Statement, mandating premium-listed companies to set out their approach to managing resilience risks and uncertainties in more depth and, specifically, breaking this down over the short term (1-2 years), medium term (5 years) and long term. The largest companies will therefore need to look again at their arrangements for managing and reporting resilience risk so that they are prepared for when any new reporting obligations come into force.

What this means for Heads of Internal Audit

Resilience should be high on the agenda for Heads of Internal Audit. As companies continue to reassess and adapt their operating models in response to the consequences of the pandemic, changing market trends and other factors, the resilience of these models is an important area for assurance. For the largest companies, the focus is likely to be on improving existing resilience assessments to respond to regulatory changes. For smaller companies, the framework for managing resilience risk may not be as mature and is likely to benefit from a comprehensive internal audit.

The ICAEW has provided some useful guidance on the audit of operational resilience, which is aimed at internal auditors. This focuses upon the identification and mapping of key components of the business model and their related risk of disruption, impact tolerances, scenario testing and mitigations and will help Heads of Internal Audit define the scope of a review to provide assurance over the effectiveness of resilience risk management.

However, since it is so fundamental to the success of the business, a means of integrating resilience more fully into the audit approach needs to be found so that Heads of Internal Audit can be more confident that their strategy and annual plans have identified, and sought to provide assurance on, those areas where the resilience of the business model is most under threat.

Where risk management arrangements in this area are mature, the highest risk areas will have been identified by the business, together with the key measures, tolerances and indicators of increased probability of disruption. Heads of Internal Audit can therefore use this to devise a strategic programme of assurance that covers the company’s exposure sufficiently, updating this annually based on the most up to date management information.

For less mature arrangements, only the high-level statements on principal risks and uncertainties made by the business may be available as a starting point for devising a programme of assurance. Although the information in these statements may be limited and not supported by the same level of evaluation seen within a mature framework, Heads of Internal Audit should at least be able to ensure that any resilience issues reported are considered in their audit planning. On a more tactical level, they could also consider including resilience as an element of the scope for all business process audits, ensuring that this important matter is kept “front of mind” by management and auditors alike.

Porter, M. E. The Competitive Advantage: Creating and Sustaining Superior Performance. NY: Free Press, 1985. (Republished with a new introduction, 1998.)

McKinsey - Building Resilient Operations – May 2019

McKinsey - Risk Resilience and Rebalancing in Global Value Chains - August 2020

McKinsey - The Resilience imperative - succeeding in uncertain times - May 2021

Bain & Co - Managing Trade-offs: Prediction, Adaptability and Resilience

BDO UK LLP - Business Resilience for the New Normal - July 2021

UK Government - BEIS consultation - Restoring Trust in Audit and Corporate Governance - March 2021

UK Corporate Governance Code 2018

Independent review of the Financial Reporting Council - “The Kingman Review” - December 2018

Report of the independent review into the quality and effectiveness of audit - Brydon review - December 2019

ICAEW - A Guide to Operational Resilience - February 2021

ICAEW - How to Audit Operational Resilience - February 2021