You know, this all started as a nice, easy, beginning-of-the-year post — 10 events from the last decade that could have impacted internal audit, but didn’t. Easy, right? Find 10 and write 'em up. But then I started looking and had 15, then 25, then … well, like Topsy they just growed. (A new year; a really old reference. Do not expect me to change in the new year.)
Okay, no time for all that, so I cut it back down to the top 10, painfully slicing away some of the darlings I particularly loved. (To quote a quote attributed to many famous authors, “Kill your darlings.” That's a lesson every auditor should take to heart when writing reports. An aside to an aside — another bad habit you should not be expecting me to correct in the new year.)
I started writing and then kept writing and writing and, eventually, realized I'd better cut it down to five.
And then I kept writing and writing and … well, the upshot is that I thought it best to provide this introductory warning. This is the beginning of a series of posts a sprint that has become a marathon. Please join me on this ride as we look at significant events from the last decade that should have, but probably didn’t, impact internal audit, including the way they should impact our work into the coming decade.
And now, on to that actual first blog post.
Welcome to the new year! (Well, the middle of the first month of the new year, but I’m dancing as fast as I can.) It’s a time for resolutions and looking forward, determining the visions of the future that will drive us to success.
As always, there’s been an interesting selection of conversations about the past decade and the one we have embarked on. In particular, it is worth your time to visit or revisit Richard Chambers’ blog posts
"10 Events that Defined the Past Decade for Internal Audit,"
"Final Reflections on Internal Audit’s Decade of Progress," and
"Five Internal Audit Resolutions for 2020 and Beyond," as well as Jim Pelletier’s
"Five Important Insights for Internal Audit From 2019."
All good stuff and worth your time.
However, as I read these — and other looks backwards and forwards — I couldn’t help but think that something was missing. A lot happened in the last decade. (And with that I’ll accept the Academy’s award for biggest understatement of the moment.) And a lot of it led to positive change, improvement, and progress for the profession.
We have come a very long way in 10 short years. But I couldn’t help but feel that, in some instances, we missed important events that should have impacted and/or changed us, but didn’t. And, worse than taking a swing and a miss, we didn’t even realize we should have been at bat. So, I’ve put together a list of what I saw as some of those significant events
To give you an idea of what I’m talking about, let’s look at the first event on my list — the Deepwater Horizon oil spill.
You want proof that a decade is a long time. This event occurred on April 20, 2010, the beginning of the decade. Seems longer ago than that, doesn’t it? And, further proof of how long a decade is, some people reading this post may have been in their teens when this happened — some in their early teens — and some may not even remember the actual event except secondhand through stories from parents, teachers, and leaders.
In a nutshell, the Deepwater Horizon oil spill was the largest marine oil spill in history. It was caused by the explosion of an oil rig located in the Gulf of Mexico. An estimated 184 million gallons of oil were spilled into the Gulf. The economic impact on commercial and recreational fishing revenues included the loss of more than 25,000 jobs, $2.3 billion in industry output, $1.2 billion in total value added or gross regional product, $700 million in labor income, $160 million in state and local tax revenues, and $160 million in federal tax revenues. By 2016, British Petroleum (BP), the company leasing the oil rig involved in the incident, had paid $61.6 billion dollars in court fees, penalties, and clean-up. And none of this even begins to touch on the individual human tragedies that resulted.
What followed, for BP, was a public relations nightmare. BP offered no apologies, blaming its contractors. It initially covered up both the seriousness of the accident and the company's inability to quickly fix it, later also denying the existence of huge plumes of oil discovered by scientists. And the pinnacle of the public relations boondoggle was when CEO Tony Hayward, a man apparently woefully unprepared to be a spokesperson, was quoted as saying, “I want my life back.”
The company has survived, but true recovery is ongoing.
An interesting story, a cautionary tale, an epic of epic proportions, an adventure worth telling o’er a snifter of cognac with hail fellows well met. But what of internal audit?
And therein is the question that is within each of the five events I’ll be discussing. Not a question of where was internal audit when something happened (I know nothing about the situations of these shops and it is a far too presumptuous a question for any of us to be asking). Rather, it is asking the question, “What should professional internal auditors have learned from this and how should they have reacted?”
Some time after this event, I was giving presentations on internal audit’s role related to reputation risks and crisis management. I asked how many auditors had ever done a disaster recovery audit. I was a bit flummoxed when few hands were raised. Back in the day, a regular audit for many shops — an audit conducted every two to five years — was to review the disaster recovery plans of the organization. Was there a plan for when disasters — fire, flood, earthquake (a big one for us as our home office was in California), tornado, tsunami, zombie apocalypse — occurred, was it complete, did everyone know about it, and had it been tested?
My intent in asking the question was to follow up to determine if anyone had done a crisis management audit under the assumption that I could safely draw the analogy between disaster recovery and crisis management. Well, that wasn’t going to work. But I boldly moved forward and asked about crisis management in hopes that my original question was impacted by the antiquated word choices I had used. But, no, the vast majority of audit departments had never reviewed to see the completeness of this document, and quite a few didn’t even know if there was one. (Hint: if you don’t know if you have a crisis management plan, even if there is one, then you effectively do not have one.)
And from this small detail, I came to realize that crisis management and the even larger issue of reputation risk were areas internal auditors were ignoring out of ignorance or a misunderstanding of the true impact. (Impact? Again, see Deepwater Horizon.) They were interested, particularly in the reputation part, but I have yet to see any evidence that a large number of audit departments are doing anything about it. I do not see them checking to see the status, and I do not see them helping lead organizations toward greater protection against this risk.
There will be another BP-like event in this decade. It probably won’t happen to your organization. But then again it might. Or maybe it will just be something small like Volkswagen’s monkeying with emissions information or United’s dragging a passenger off a plane or Target’s customer data breach or Wells Fargo’s innovative approach to increasing customer participation or … the list goes on.
And, if those happen, will your organization, your executives, your board members, and your employees know what to do? Or will the reactions only exacerbate the public relations nightmare? Or will something more minor than the ones listed above explode into the story we are telling in the 2030s?
That is the lesson internal audit should have learned almost 10 years ago, and should take to heart today. A lesson to be learned before the CEO stands in front of a camera and destroys the organization’s reputation. Make sure there is a plan for crisis, makes sure everyone knows it and understands it, and make sure reputation risk is on everyone's lips.
So, there it is, one example of what I’m talking about — events from the last decade where internal audit should have taken action and, apparently, didn’t. And lessons/warnings about what we should be doing in 2020.
And one more thing before we go. I’ve said this is the top five. Don’t hold me to that until we get done. Might be four; might be 10. We’ll just have to see where it all goes. Join me next time and let’s see what comes up.