Internal auditors got used to cyclical economic crisis situations and the expected risks of natural disasters, unreliable business partners, governmental misbehaviors, mistakes in decision making, human imperfection, and the like. We developed more or less standard solutions to those risks — or at least some recommendations — and hid behind walls of contingency planning, hedging, and training for emergencies. We took for granted all the technical and educational progress that was happening, and where some of us jumped at opportunities, others planned budgets of money and time and postponed some of the developments until better times.
Many auditors forgot that risk is a two-sided coin: On one side is a threat and on the other side is an opportunity. The bigger the risk, the bigger the threat and opportunity. This is close to the concept of risk appetite, but when we add knowledgeable management to it, the case takes on completely new dimensions.
Moreover, almost always our approach to a risk depends on what side of the coin we want to be on: the opportunity side or on the threat side. A few bold leaders such as Bill Gates, Steve Jobs, and Elon Musk challenge the status quo with positive thinking and aggressive ability. Often such leaders capitalize on a major crisis.
The COVID-19 pandemic pulled and pushed most of us from our comfort zone. Instead of just thinking outside of the box, it forced internal auditors to get out of our boxes altogether and face a wild world of unknown. The pandemic also forced us to start learning about ourselves and understanding whether we — both as a society and as individuals — are ready to capitalize on opportunities. While many people still hope to return to the world they were used to, others see that the changing world is bringing us new and undefined areas that we can move toward.
Resiliency is not about recovering the normal business operations amid crisis, which is what we normally call business continuity. Instead, we now are talking about redesigning ourselves to some better and different versions of what we used to be. And this relates to everyone and everything, from individuals to businesses to countries.
For individuals, it's a shift in mentality: being ready to learn, changing our approach from complaining about new hardships to pursuing the opportunities, and asking for help from other advanced thinkers. It means focusing on priorities, developing a plan, and moving on. This change in mindset forces people to think of themselves as entrepreneurs and operate a business of one, even if we are employed in an organization that cares about employees. Human resource specialists increasingly say employees are or should be viewing themselves as business partners of organizations and their equals.
These ideas then extrapolate to businesses in terms of their own inventiveness and ability to capitalize on crises to gain new revenues, markets, products, clients, business partners, ways of doing business, employees, and styles of communications. All of those things will inevitably change what governments are or should be doing. Governments may be slow to react as they have higher inertia and can afford to move a bit slower, but still those will be forced to move on as well.
Over the last year, more and more experts have said the COVID-19 crisis is not the last one of this scale and the world will likely face more severe crises and more often. Market players and risk management specialists describe the major risks arising in technology, information security, legal compliance and frameworks, globalization, re-engineering of business processes and activities, climate change, infections, debt crises, digital power concentration, and inequality. Other rankings rate business resilience risk as a major risk.
What constitutes resilience in general for the business is the ability to capitalize on a crisis to become more profitable, to find new business opportunities, offer new products, and redesign business processes. Instead of returning to business as usual, these organizations become a new and more advanced version of the business.
It is time for organizations to start developing business resilience plans. Those plans should define how the business can be ready to react to something it has never encountered before, how it can learn from it, and how it can use those events as a prompt for future revenues and developments.
In addition to listing risk events that could happen and developing plans to address them, businesses should list opportunities that could arise if these negative events occur and the actions they can take to capitalize on them. Moreover, if the organization decides that opportunities are of greater business interest, it should consider whether it could potentially capitalize on those opportunities without experiencing the downside risks in question.
This is the right area for internal auditors to step in with thought leadership and analysis. Internal auditors are uniquely positioned in the organization with their deep knowledge of business strategies, business risks, and exposures and their interdependencies. Moreover, their independent position allows auditors to have a fresher look at what is going on in the organization.
As such, internal auditors can not only lead management to change its paradigm, but also facilitate management discussions of business resiliency plans. This facilitator role may involve asking questions to add structure to the process. Auditors also can provide information from recent audits about the challenges the organization needs to account for during the planning process, as well as business strengths that the organization can capitalize on.
Yevgeniya Rossova, CIA, CRMA, is an internal audit, risk management, and compliance professional at IIA–Kazakhstan.
Want to be a part of Your Voices? Click here to learn how to contribute a blog post.