Last week, I arrived in California early to prepare for The IIA's 2019 International Conference. While relaxing a bit outside my hotel on July 4, I was jolted by a magnitude 6.4 earthquake centered more than 100 miles away. After the shaking stopped, I asked myself, "Why didn't I think about an earthquake when I was considering all of the risks related to our upcoming conference?"
The next evening, an even stronger, magnitude 7.1 earthquake struck the region while I was dining with my family near our conference site. As all of us in the restaurant regained our composure following the quake, one of the restaurant employees confessed that the business used to undertake earthquake drills, but hadn't done so in years.
Even before California's earthquakes, the media was widely reporting on the heat wave in Europe. Through June, high temperatures across much of the continent's southwest and central regions broke records, including the highest temperature ever recorded in France, when Gallargues-le-Montueux peaked at 45.9° C (114.6° F).
The extreme heat was implicated in the deaths of more than a dozen people in regions where summer temperatures rarely top 38° C (100° F). Much of the affected region appeared ill-prepared to cope with the unexpected heat.
California's earthquakes and Europe's heat wave brought to mind how we might characterize extreme weather and geological events in terms of risk. Before last week, there had not been a major earthquake in Southern California in 20 years. Yet, geologists have long warned that the area is overdue. Meanwhile, in Europe, public health officials understand the importance and value of preparing for dangerous weather, and recent history suggests that climate change is increasing the likelihood of such extreme weather events. The hottest summers in Europe over the past 500 years have all come in just the past 17 years. Globally, of the 17 warmest years on record, 16 have occurred since 2000.
I have often used weather analogies to explain the value that internal audit offers organizations. Practitioners can forecast risk events and help prepare their organizations to cope with them. The variables that affect weather are as complex as the variables that affect risk and risk management. Understanding those variables and finding ways to monitor and mitigate them are what both internal audit and meteorology strive to achieve.
The recent earthquakes and heat waves have brought to mind another analogy — that of the black swan. The concept of the black swan in risk management was first proposed by essayist and scholar Nassim Taleb in his 2007 book,
The Black Swan: The Impact of the Highly Improbable.
Taleb described black swan events as having three characteristics: They are rare, they have an extreme impact, and they are retrospectively predictable (likely to be rationalized as predictable in hindsight). Since then, others have suggested that internal audit's focus should be on "gray swans" — an event defined by Investopedia "that can be anticipated to a certain degree, but is considered unlikely to occur and may have a sizable impact." I believe this is where the California earthquakes and European heat wave fall.
Earthquakes and climate change are nothing new, and the problems the heat wave created for governments and businesses probably should have been anticipated. Indeed, climate change is driving many of the biggest risks that organizations face globally. The 2019 World Economic Forum (WEF) lists extreme weather events, natural disasters, and the failure of climate-change mitigation and adaptation as the three biggest risks in terms of likelihood and impact. Those three risks, along with cyberattacks and data fraud or thefts, shared the WEF's top five global risks in terms of likelihood in 2018 and 2019.
There are any number of other potential gray swans out there, such as a hard Brexit, continued economic fallout from tariff wars, geopolitical uncertainty, and tension between the U.S. and Iran going beyond saber rattling. So, what is internal audit's role in preparing an organization for gray swans?
There are two approaches to dealing with uncertainty. The first relies on something most internal auditors are quite familiar with: assessing the impact and likelihood of any particular risk. These two characteristics have driven audit plans for decades, but they are best suited for inherent and residual risks — those risks that are known, understood, and have controls in place that can be monitored and audited.
The second looks at building flexibility into the organization to endure unexpected risks by implementing safety barriers (think cybersecurity), quality controls, and embracing redundancies, maintenance, and testing. These actions build resiliency that helps organizations adapt to change, manage disruptions, and avoid surprises.
Part of that resiliency building can include testing processes, practices, and people through the use of "red teams." These independent groups take on adversarial roles that challenge the organization to prove its resiliency by randomly testing the effectiveness of its processes and practices.
For internal audit, the best approach to dealing with gray swans may be to adopt the best of both approaches. Clearly, earthquakes and climate change are known risks and planning for different scenarios can be part of an organization's risk management efforts. Audits of crisis management plans, penetration testing, and "red team" role-playing also have a place.
Admittedly, limitations on time, resources, and personnel make it impossible to plan for every eventuality. However, that should not keep us from supporting all efforts to head off risks that should be predictable.
As always, I look forward to your comments.