Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​What Boards Have Learned From the Pandemic

The past year’s crisis provides numerous corporate governance lessons.

Comments Views

​Eighteen months have passed since COVID-19 slammed into the world. It’s been quite a journey from those first days of panic to, well, whatever this is today.

We can’t really say the pandemic has faded from view — because while it has faded in North America, Europe, and several other countries, it hasn’t receded in much of the developing world. We can say, however, that the challenge of COVID-19 has changed. 

It has evolved from an acute condition, threatening the survival of the organization, to a chronic one that must be managed. COVID-19 exerted enormous influence over the duties and details of corporate governance, and it’s likely to keep doing that for a long while yet. 

So what lessons can board directors infer from this ordeal? With the benefit of hindsight, what did they get right and get wrong? And in what unexpected ways did this crisis actually improve corporate governance? 

“Companies that embraced change, found different ways to do things, and were agile enough to be flexible have evolved into a better version of themselves,” says Alpa Parikh, who serves on the audit committee of a Seattle-area family services nonprofit and who joined tech company Smartsheet as head of internal audit while the pandemic was raging last year. “I believe that this resilience will allow such companies to be better prepared to face future challenges.”

Parikh’s point is lofty, and very valid. Let’s consider it more fully.

Start With Resilience and IT Risk

A recent McKinsey & Co. report, How Boards Have Risen to the COVID-19 Challenge, and What’s Next, suggests that boards had a steep learning curve in 2020. Among 673 corporate directors surveyed, only 20% rated their boards as “very effective” at responding to last year’s crisis. The most commonly cited obstacles were lack of in-person communications among directors, struggles with remote work and its related technologies, and lack of crisis management processes. 

It should be no surprise, then, that boards also made lots of changes last year to address those problems: investment in digital collaboration tools (cited by 45% of respondents), more frequent communications with management (cited by 37%), and more flexibility in the board’s agenda (cited by 37%).

The other big change, according to McKinsey, was much more talk about operational resilience. Only 44% of board directors cited resilience in the prior year’s survey; that figure popped to an impressive 60% this year. 

The deeper point for board directors is how all these issues tie together. Of course every organization wants to foster resilience in the face of wrenching disruption. But attention to IT risk management is what makes such resilience possible — because without robust IT systems and management of IT risks, the organization isn’t going to be resilient. It’s going to be paralyzed. 

In practice, that means boards should pay more attention to IT risk management and give serious thought to establishing a board risk committee to oversee security and IT risk. Then the board can drive better operational performance — and more resilience to changing conditions — because it has the right technology to enable it.

A good example of this comes from the World Discipleship Association (WDA), a nonprofit headquartered in Atlanta that does missionary work around the globe. In a stroke of luck, the WDA had done a review of its IT risks just before the pandemic struck, as part of a larger strategic planning effort. That review led the WDA to take steps such as providing all employees, board members, and volunteers with corporate email addresses, which helped fight the threat of phishing attacks targeting people working remotely. 

“It was fortuitous that a lot of our strategic planning to improve operations also allowed us to be more resilient when the pandemic started, because we had no idea how long it was going to last,” says Keyaan Williams, chair of the WDA’s risk committee. 

​A Risk Assessment

How can internal audit help boards embrace all of these lessons? Here are a few ideas:

  • Communication channels. Assess the security and durability of boardroom communication channels. For example, rather than emailing board materials to directors, send secure, individualized login pages to view documents in a virtual data room. 
  • Talent risk. Does the board have the right directors for the new challenges of working remotely or expanding into new, more lucrative lines of business? Is the board asking about employee engagement, and assuring that people working in isolation still feel valued and part of the organizational whole?
  • Policy management. Not all policies adopted during the pandemic’s dark days need to continue. Policies should be revisited at regular intervals to see which ones should be decommissioned. Conclusions should be documented thoroughly; if the policies are relevant to a regulatory investigation, regulators will want to see the homework.

The Challenges of Engagement

The other big governance lesson from the pandemic was the importance of communication and trust among the board. Yes, to a certain extent that point has always been true — but the pandemic made the point more true, so to speak. 

The pandemic has been both good and bad on that front. Yes, it drove the need for more board discussions, either as formal meetings or telephone conversations. On the other hand, scheduling Zoom calls adds a certain formality to the process. It also squelches the interpersonal dynamics that exist in physical meetings: the body language that indicates a person’s true engagement with a topic, the spontaneous conversations that can lead to surprise insights. 

For example, Raoul Ménès, who stepped down in May as audit committee chair for the Salt River Pima-Maricopa Indian Community in Arizona, appreciated being able to drop by the internal audit team before a board meeting just to chat. Those days are on hold for a long time. “How do we keep people engaged while they’re virtual?” he asks.

That’s a legitimate concern. Williams, however, offers a valid counterpoint: “The thing I did appreciate about the pandemic was that the frequency of communication went up dramatically,” he says. “People had to get together all the time.”

Those more frequent, more virtual communications can be taxing. For example, boards need to consider confidentiality concerns, and they must work hard at delineating what is or isn’t overstepping management’s job of running the company. 

But “there should definitely be options so that board members who cannot make it are able to join in remotely,” Parikh says. “That, in turn, will open up the options to increase diversity on company boards.”

What Have We Gained Here?

Nobody should say it was good for boards to go through this pandemic; the disruption was severe, and often painful. More accurate is to say that the pandemic taught us valuable lessons. Foremost, boards can step up in difficult times. 

“It was a lesson learned,” Ménès says. “People can throw out words like ‘internal audit agility’ and ‘resilience,’ but if you’re not living those values and making them part of your DNA, it’s just a buzzword with no spine to it.”

The world paid a steep price to learn that lesson. Boards everywhere should take it to heart. 

Matt Kelly
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Matt KellyMatt Kelly<p>​Matt Kelly is editor and CEO of, an independent blog about audit, compliance, and risk management issues, based in Boston. ​</p>


Comment on this article

comments powered by Disqus
  • AuditBoard-November-2021-Premium-1
  • OnRisk-2022-November-2021-Premium-2
  • 2021-All-Star-Conference-November-2021-Premium-3



Stopwatch Auditing Auditing
Thanks, We Already Know That, We Already Know That
Hidden Goals Goals
Building a Better Auditor: Which Way Should I Go? a Better Auditor: Which Way Should I Go?