Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​​​​​​Resilience Through Crisis

The ability to weather difficult times is crucial to the success — and even survival — of organizations.

Comments Views

​On April 20, 2010, an explosion at the Deepwater Horizon drilling rig started what is commonly referred to as the BP oil spill. Eleven people died and from four to five billion barrels of oil leaked into the Gulf of Mexico. During the ensuing public relations nightmare, BP took several questionable actions in terms of its accountability, acknowledgment of the accident's s​eriousness, and release of information to the public. The organization's negative perception was reinforced by CEO Tony Hayward's famous comment "You know, I'd like my life back." Over the course of this industrial disaster, BP suffered considerable reputational, legal, and financial damage. 

Virtually every organization, regardless of size, geography, or industry, will face a crisis at some point. The chances are it will not be as significant as that faced by BP. But it's not a matter of if a crisis will occur, but when — and to what extent it will impact the business. The ability to recover — the resiliency to rebound from financial and reputational fallout — depends on steps taken well ahead of time to manage the event and, most importantly, the associated communications.

Internal audit can play an essential role in crisis preparedness. With the risks inherent in crisis management, an audit of the process may be a given. But internal audit can also provide invaluable assistance by remaining proactively involved throughout the development and implementation of any crisis management plans, and by participating in post-crisis analysis. 

​Crisis Team

The key to an organization's ability to recover from the impact of a crisis is preparation. To ensure the organization is prepared, a crisis team should be established with responsibility for identifying potential crises, developing crisis plans, and educating and training all employees on how the plan will work.

As with any group responsible for identifying potential risks and related actions, the team will require individuals with the skill to methodically work through potential issues and resolutions. However, because the team will be actively involved during crisis management, members should also be fast thinkers who can make quick, real-time decisions.

The crisis team should be cross-functional, with representation from each major organizational division. Because crisis management is about communication, the organization's public relations group — whether in house or outsourced — will play an important role, as will the group responsible for brand management (usually the marketing department). And, while the team does not need to include the full executive management suite, it should have at least some executive-level representation. The team should also include representation from areas such as legal and compliance, to ensure regulatory and legal issues are considered.

Internal audit should also be part of the team. Although the auditors will have to ensure they are not directly involved in decision-making, which could negatively impact their independence, they can provide input to help ensure the team is addressing the appropriate issues.

​The Prism of Public Perception

One area often overlooked in discussions about crisis management is the impact of internal decisions on the public's perception of the organization. In particular, spending that is perceived by the public to be "lavish" can be the cause of serious backlash.

Any significant operational decision has a public relations component and should be considered in that light. Financial decisions that seem to make perfect sense in the boardroom may raise questions about the board's ability to carry out its fiduciary responsibilities, eroding investor, donor, or taxpayer support. For corporations, the bar for outrage can be very high. But nonprofits and governmental agencies have a smaller margin for error and need to maintain constant vigilance.

For example, in January 2016, CBS News reported on questionable spending by the Wounded Warriors Project, including increased expenses for conferences, travel, and public relations. A compelling argument could be made that only part of the organization's story was told. Nonetheless, donations to the veterans' charity decreased significantly after the report, and both the CEO and chief operating officer were dismissed. Whether the public's perception was correct or not, the incident underscores how internal decisions can be spread to the public in a way that paints the organization in a bad light.

Strategic and tactical decision-making represents an area where internal audit can have a positive influence. When conducting a review of any area, auditors can step back and view key decisions through the public's eyes. If they see the potential for anyone outside the organization to raise questions, practitioners should bring it to the attention of management and determine if any action is necessary. Moreover, the chief audit executive should keep this topic front and center in discussions with the board and audit committee.​

Crisis Identification

The team's first responsibility is identifying potential crises. To understand the circumstances that might lead to a crisis, team members should conduct a thorough review of external and internal influences that includes interviews with employees and other stakeholders. Based on its analysis, the team can develop a set of scenarios to serve as the foundation for crisis planning. 

This is an area where internal audit's expertise can be invaluable. Auditors can provide insights from prior audits and work completed in enterprise risk assessments. Moreover, internal audit's interviewing and process analysis skills can play an important role in crisis identification and evaluation.

The crisis team should also identify operational and communication issues that might cause or contribute to a crisis. It can then provide recommendations for systems revisions that could impact the potential for a crisis before it occurs.

In evaluating crises, the team should be prepared for situations where the organization has not caused a crisis but is part of an industry or territory where a crisis is occurring. For example, within a week of the U.S. Environmental Protection Agency announcing that Volkswagen had bypassed emissions control testing, Ford Motor Co. President of the Americas Joe Hinrichs announced, "We don't use defeat devices and we clearly understand what it means from an integrity standpoint to make sure our vehicles perform on the road like they do in the lab." Being prepared to separate your organization from such events can be just as important as preparing for its own crises.

Crisis Plan

Once potential crises are identified, the team should develop a comprehensive plan that provides a formal cadence for the organization's response. The plan should define each person's roles and responsibilities, as well as the specific processes and procedures to be followed for each type of crisis. At the same time, it should be designed to allow for the flexibility necessary to respond to constantly changing situations. 

The crisis plan should include activation protocols: the events or situations that cause the crisis plan to be put in place. It should also provide a method whereby all employees can report potential crisis situations. Because front-line employees are often best positioned to see the early indicators of a crisis situation, providing them a reporting method gives the organization a better chance of getting in front of the situation — acting rather than reacting. 

Communication Protocols 

Effective communication is fundamental to successful crisis management. In fact, some organizations refer to the crisis plan as the crisis communication plan. No plan would be complete, therefore, without specifically addressing communication protocols. 

Stakeholders Rapid contact with all stakeholders — including employees, customers, vendors, and volunteers — is essential. The plan should include details on the notification systems used for initial contact, as well as ongoing updates. And while call trees are a fundamental part of any notification system, the organization must be prepared to use multiple modalities — emails, texts, social media, etc. To ensure timely and complete communication, a comprehensive list of stakeholders' contact information must be maintained and constantly updated. 

Perhaps most importantly, the plan should describe how notifications and feedback will be coordinated with executives and the board. Details should include the format for reporting, the information to be included (e.g., customer impact, financial impact, and media coverage), and expectations of how often (usually daily) and when updates will be received. Careful planning helps limit the barrage of phone calls from executives seeking the latest information. 

Spokesperson The single most important aspect of crisis communication may be the organization's official spokesperson. The crisis plan should identify who will act in this role, as well as a list of backup spokespersons who may be called on depending on the situation, the location, and the availability of personnel. For example, if an immediate response is needed at a location before the official spokesperson has arrived, a backup should already be identified. The plan should also outline restrictions placed on anyone else who might be contacted for information.

​The spokesperson must possess the right skills and hold an appropriate position within the organization. Often, the responsibility falls to the organization's highest level of authority. But if that individual lacks the necessary communication skills, someone else at the executive level should take on the role. Many experts agree that BP's Hayward was a poor fit as the organization's spokesperson, and that any turnaround in the dialogue with the public was the result of Executive Director Bob Dudley taking on the role. 

Anyone who may be called upon to serve as spokesperson should receive in-depth training. Generally, training in media interview skills is not a focus for executive managers. And just because someone can speak to a crowd effectively does not mean he or she is prepared for the media onslaught a crisis can elicit. Training should come from professional services, and it should be reinforced regularly — to the point where the individual falls into the spokesperson role without a moment's hesitation. ​

Media The crisis plan's media-related protocols should be twofold. First, they should include guidance on crisis response messages. Although complete statements cannot be developed up front, the organization should design general messages tailored to the scenarios developed by the crisis team that can then be adapted after a crisis breaks. 

Second, the plan should include detailed information regarding members of the media who will be involved in communications, including television, radio, print, and social media. Rather than viewing the media as a liability, crisis communicators should immediately engage the media through open and honest communication, using them as a resource in managing the crisis. If possible, the organization should reach out to the media before the media contacts the organization.

Moreover, the organization should establish effective working relationships with the media well before a crisis occurs. Strong relationships will help give crisis communications a firmer footing and allow the organization to identify individuals who may be counted on to give a favorable, or at the very least balanced, reporting of events. 

​Tone of Communications

People do not remember the specifics of a crisis as much as they remember the organization's response. Accordingly, the success or failure of crisis management often hinges largely on communication.

In most cases, successful crisis communication starts by saying "I'm sorry," and saying it with candor, sincerity, compassion, sympathy, and even embarrassment. This is, in part, why the spokesperson's training is so important — without understanding how best to deliver the message, it can far too easily ring false.

The response to the crisis must be prompt — a public acknowledgement of what has occurred — or rumor and innuendo will fill the gap. Communication must be honest (no spin) and provide as much explanation as is available. It should answer the basic reporter questions — who, what, why, when, where, and how — sharing as much about the error or oversight as is known. If nothing is known, then this should be admitted.

The organization should publicly commit to taking specific, positive steps to address the issue and emphasize its commitment to doing what is right. The actions that follow must support those statements, without any signs of waffling. As those actions are taken, the organization should communicate what has been accomplished, what is left to achieve, and how it will be done.

This approach may not be popular with some, particularly many legal experts, but crisis management experts contend it is the best way to manage negative events. And it is the best way to bring the company back from its reputation nightmare.

Validation and Updates

Internal audit should provide validation throughout the development and update phases, providing assurance that a crisis assessment has taken place, a comprehensive crisis plan has been developed, training and practice activities have been implemented, and alignment with the initial assessment has been achieved. While the organization may have in-house crisis management expertise, external experts should also be brought in to provide additional knowledge and an objective analysis of the plan. Validations — internal or external — should be repeated every few years, or whenever significant events warrant a new review.

The crisis team must constantly update its analysis and adjust the plan as necessary, and it should establish a system that enables stakeholders to provide input on potential issues. To facilitate updates, the team should meet monthly, or at least quarterly, to ensure emerging events are considered and the plan reflects the most current conditions.

​Training and Practice

A crisis plan is useless unless people understand when and how it should be implemented. All employees should receive training to understand their roles and be able to implement the plan flawlessly. 

The organization should also conduct crisis simulations. A set of scenarios representing the broad range of potential crises should be developed, and personnel should be run through the full gamut of these experiences. This exercise will prepare employees to act quickly, decisively, and accurately, while maintaining the flexibility necessary during an actual crisis. The simulations also provide an opportunity to identify plan improvements before a crisis occurs.

Internal audit should take a role as observer in all simulations. It should provide assurance the plan is working as designed, and, when activated, is providing complete coverage for all potential issues.

The Crisis Occurs

If a comprehensive crisis plan has been developed, tested, and fully integrated within the organization, members of the organization should be able to execute it with little hesitation. The effects of the crisis, while still impactful, should be greatly reduced, helping ensure the organization's resilience in recovering from the reputational onslaught.

During the crisis, beyond any role that may be defined in the crisis plan or as a part of post-crisis evaluation, internal audit will want to serve as an active observer and help ensure the plan is executed as designed. Plan implementation includes flexibility, and internal auditors can provide instant feedback to help the crisis management team see where such flexibility may be necessary. The auditors can also serve as outside observers, advising on bigger picture issues that may be overlooked as the plan is carried out. 

After the Crisis

Once the crisis is over, the organization should evaluate the plan's performance. Without a thorough post-crisis analysis, preparedness and response are unlikely to ever improve. Internal audit should be included in any self-assessment efforts conducted by the organization; outside experts may be of benefit as well.

The types of questions that should be asked in any self-assessment include:

  • Were there signs that could have provided an earlier warning that might have helped forestall the crisis?
  • What were the weaknesses and vulnerable points that allowed the crisis to occur?
  • How effective were internal and external communications?
  • Were the right people on the crisis team? Who excelled and who failed?
  • Is additional training required to bolster effectiveness?
  • What was done well and what could have been done better?

All levels of management should receive the results of these postmortems. The board, in particular the audit committee, should also be involved, ensuring any necessary corrective action is taken.

Road to Recovery

For an organization to have the resilience to bounce back from a crisis, it must be prepared. And as a key steward of organizational well-being, internal audit can maintain both active and proactive roles. Being involved in crisis analysis, plan development, training, and plan execution, internal audit can help ensure the organization does crisis management right. And in the process, it can help make organizational resiliency a part of all operations. 

Mike Jacka
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Mike JackaMike Jacka<p>​​​​​​​​​​​Mike Jacka, CIA, CPA, CPCU, CLU, worked in internal audit for nearly 30 years at Farmers Insurance Group. He is currently co-founder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services (FPACTS). In <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=ac8af301-e15c-49bc-9c04-b97c2e183a4b" data-feathr-click-track="true">From the Mind of Jacka​</a>, Mike offers his wit and wisdom on the internal audit profession.</p> Jacka blog posts


Comment on this article

comments powered by Disqus
  • AuditBoard-July-2021-Premium-1
  • SCCE-July-2021-Premium-2
  • CIALS-July-2021-Premium-3



Thanks, We Already Know That, We Already Know That
U.S. SEC: Environmental, Social, and Governance Risks Better Be on Your Radar SEC: Environmental, Social, and Governance Risks Better Be on Your Radar
Newswire: Week of July 5, 2021 Week of July 5, 2021
7 Steps to Transformation Steps to Transformation