It is my contention that, while internal audit made some
significant strides in the last decade, there were events that occurred that,
if we had been watching more closely, might have led us to even greater things.
So, I believe it warrants one more look back at the decade to see what we might
have done differently and, with the look back, provide a bridge from that decade
to the next, helping us become even better. Toward that end, I am looking at
the top events that should have impacted internal audit.
Last time we talked about a single event — the Deepwater
Horizon oil spill. This time, let’s talk about a lot of related events.
Quick question. What do Toys “R” Us, Ringling Bros. and
Barnum & Bailey Circus, and Blockbuster Video have in common?
Okay, probably an easy question, but here’s the answer. Every
one of these companies ceased to exist in the last decade. Each was a major,
longstanding, seemingly-eternal brand — symbols that resonated with the public,
icons to millions, big-bucks organizations. And they each disappeared in a puff
of smoke and the wafting smell of disintegrating paperwork and red ink, leaving
nothing but faded memories, nostalgic touchpoints, and cadres of disgruntled
Many of the reasons for failure were much like those of any
failed company: poor management decisions, bad investments, incorrect
strategies. But, at the root of each failure was disruption — the failure to understand
the disruption that was occurring within their industries, the failure to
respond to that disruption in time to survive, and responding to that
disruption in the wrong ways.
Toys "R" Us failed to innovate its business model, incorporate
technology, and adapt to changing consumer behaviors. And when it did react, it
only made things worse, getting in a long-term, one-sided agreement with Amazon,
effectively putting themselves under the control of a major competitor. It
inappropriately responded to the disruption occurring in retail markets.
Ringling Bros. and Barnum & Bailey Circus succumbed to the
public’s increased sensitivity to the mistreatment of animals. In addition,
peoples' standards for what constituted entertainment changed. Acrobats were no
big deal (unless they were Cirque-du-Soleil’ed up), clowns and ringmasters were
old hat, and the venues did not match the customers' desired comfort levels.
Blockbuster Video ignored the signs that people were consuming
movies, videos, and DVDs in new ways. Netflix came to town, and people didn’t
have to go to a store, walk the aisles, and hope what they wanted was at hand. And,
if they did go out, there was always the ease of Redbox.
In each instance, disruption of the business, of the
business models, and the industry were at the root of failure. And responses
that were either wrong, too late, or nonexistent exacerbated the issues. In
particular, the hubris of “we are No. 1 and it can never happen here”
impacted the speed and effectiveness of decisions.
Okay, you already know all this. But what lesson did you
learn when you heard about each of these (and the many other) failures? And, as
an internal auditor, did you recognize the need to help your organization watch
for and react to such disruptions? And what are you doing about it today?
Because, every single industry, every single organization, every
single strategy will (not might, will) be under attack. They will face disruption
— significant disruption, organization-ending disruption — at some point in the
more-than-likely near future. And, if internal audit’s job is to help ensure that
risks to objectives are identified and mitigated, then this is a pretty big one
we should be taking a look at.
Don’t think it will happen to you? What happened to the
music industry, what happened to publishing, what happened to taxi and
transportation, what happened to travel agencies, what happened to banking and
investment, what happened to newspapers, what happened to … well, I think you get
Here’s one example of disruption just around the corner for what
I think is an unsuspecting group — one of the stodgiest of services, insurance.
I just read an article (and it is buried behind a paywall, so I won’t bother
giving you a link to look it up) about a recent university graduate who
interned with various insurance companies. He could not believe how antiquated
the processes were and, upon graduation, began developing artificial intelligence (AI) applications for
insurance. This is not just crunching numbers; this is front-line AI. He has
built interfaces that eliminate the need to use employees in first customer
interactions with the insurance company — claims, sales, etc. They are fast,
they are accurate, and they are extremely efficient and effective.
The insurance world is on the cusp of significant disruption
and some major companies — companies whose commercials you laugh at nightly — will,
in short order, be laughed at as they close the doors and sidle off into the
sunset. Note, I’m not making any prognostications about any particular company.
But, based on what has happened in the past, some will fail. There are various
writings on various walls.
Insurance. Who'da thunk it?
Disruption is everywhere, and it will hit your organization square
between the eyes (if it hasn’t already done so). Which means, as you sit in on discussions
regarding strategies and the directions the organization will take, is anyone
talking seriously about disruption? Is the organization looking forward to what
may happen and taking appropriate steps? Or is disruption already occurring and
management is burying its head crying “It can’t happen to us,” and “We’re No. 1,” and “We are the champions,” and “Nothing can ever take us down; we are too
successful,” and other comments no one wants written on their corporate
(Okay, maybe you’re not important enough to be sitting in on
those meetings. Yes, you the everyday, average internal auditor. That doesn’t
mean you don’t have as much responsibility as anyone else to raise a warning, blow
the trumpet, shout the gardyloo, find someone/anyone to listen, and spread the
word. In fact, you are an auditor; your responsibility is greater than others'.
Many an organization has suffered disastrously because people didn’t think it
was their job or they thought they didn’t have the authority to step forward
and say something. They lost their jobs just like everyone else.)
Every organization should make this risk its No. 1 with
a bullet — the risk of not recognizing and properly responding to disruption.
And internal audit must be there to watch, warn, and act.
And, with that, we bring event No. 2 to a close. We’ve
got at least three more to go, so join in next time and let’s see what happens.
By the way, if you have a vote for the event from the last
decade all internal auditors should have learned from, be sure to share.