Why is it important?
The COVID-19 pandemic has, almost overnight, emerged as the single greatest threat to businesses, one that may impact not just the continuity of services and operations but the survival of the business itself. Operational resilience plans had to be invoked and crisis management teams had to be quickly deployed. Response teams dealt with unprecedented business disruption, supply chain dependency issues, physical and people access restrictions, as well as infrastructure capacity challenges.
It is recognised that most parts of the financial services sector have handled the first stage of the pandemic response remarkably well, moving relatively quickly to digital-only services and with limited disruption to their core services in most instances; however, this is not a time for complacency and organisations should remain alert to the evolving operational resilience risks.
Internal Audit, as the third line of defence, is uniquely placed to play a key role in the response to the crisis, from a position of good organisational knowledge and with a highly relevant skill-set. Functions will need to provide assurance on resilience programmes and associated controls adopted by organisations both on a real-time basis, as the crisis unfolds, as well as later on with the benefit of looking back and leveraging lessons learned.
What should Internal Audit be doing?
First phase: Respond
Functions should adapt their audit approach, including the reporting mechanisms, to respond in a timely and appropriate way to ongoing COVID-19 developments and to add value by providing assurance on a real-time basis. This can take the form of participation in crisis committees, unrated reporting, hot reviews, or oral or email feedback. Some of the areas of focus for operational resilience and COVID-19 related work by IA functions during this time should be:
Second phase: Recover
As part of the next phase, organisations must recognise that they will have to face a period of uncertainty and disruption over many months. Throughout this period, they will need to rebuild confidence for the future by ensuring their response is resilient, safeguards the welfare and well-being of people, and is able to adapt to demand and supply challenges. Internal Audit will need to focus on:
Longer term focus and regulatory alignment
The deadline for responses to the regulatory consultation has been extended to 1 October 2020. Publication of the final regulation through a Policy Statement is expected in the first half of 2021.
We expect that regulators will take into account the lessons from how the financial sector performed during the COVID-19 lockdowns, both in finding out which existing processes and tools worked best and in identifying vulnerabilities that need to be addressed by future standard-setting.
The regulatory focus on operational resilience can only increase, from what is already a high base. As such, firms will need to take advantage of this period to prepare, consolidate learnings from recent months, draw up their plans and align themselves to the expected operational resilience requirements.
At the same time, Internal Audit needs to advise on the shifting risk profile of the organisation and the state of the control environment, whilst helping to anticipate regulatory requirements or emerging risks. It is important now more than ever that internal audit professionals are proactive and well-prepared as the situation continues to evolve, while remaining pragmatic and empathetic with stakeholders.
Some additional relevant Deloitte articles and resources to consider:
COVID-19 and operational resilience in the financial sector: https://ukfinancialservicesinsights.deloitte.com/post/102g7ak/covid-19-and-operational-resilience-in-the-financial-sector
Preparing for the ‘next normal’ - Build modified resilient operations:
Sarah leads the risk advisory banking sector within financial services and has been responsible for leading a number of large-scale regulatory, technology and change programmes. She specialises in operational resilience and in supporting clients with innovation, new technology, digital disruption and change management, and with embedding these within an organisation's risk and control culture and frameworks.
Yannis is a Director in our Technology and Digital Risk practice with over 13 years of experience in the financial services sector. He focuses on delivering technology internal audit, IT risk and controls advisory services, and over the course of his career he has supported Technology and Operational Risk, Compliance and Internal Audit functions in the delivery of high-profile risk remediation, governance and compliance programmes in the UK and overseas. Yannis is a member of Deloitte UK Financial Services Internal Audit Leadership Team, and is currently leading a portfolio of IT risk and internal audit engagements across FTSE-100 financial services clients.