Operational Resilience and COVID-19: Internal Audit Planning Considerations

It is recognised that most parts of the financial services sector have handled the first stage of the pandemic response remarkably well, moving relatively quickly to digital-only services and with limited disruption to their core services in most instances; however, this is not a time for complacency and organisations should remain alert to the evolving operational resilience risks.

Internal Audit, as the third line of defence, is uniquely placed to play a key role in the response to the crisis, from a position of good organisational knowledge and with a highly relevant skill-set. Functions will need to provide assurance on resilience programmes and associated controls adopted by organisations both on a real-time basis, as the crisis unfolds, as well as later on with the benefit of looking back and leveraging lessons learned.

What’s new?

• Building the operational resilience of firms and Financial Market Infrastructures (FMIs) remains now, more than ever, a key shared priority for Bank of England (BoE), the PRA and the Financial Conduct Authority (FCA).
• Regulators have been monitoring the operational resilience of financial services firms during the pandemic, looking particularly closely at how firms refine their resilience plans, how they approach the governance of their operational resilience (including the role of the Board and SMF24) and the quality of their crisis communications.
• The three supervisory authorities published a shared policy summary and coordinated consultation papers (CP 19/32 and CP 29/19) on new requirements to strengthen operational resilience in the financial services sector.
• We believe that in the longer term the COVID-19 experience will validate this proposed UK regulatory approach that focuses on identifying and strengthening the resilience of important business services in the face of a wide range of severe but plausible scenarios.
• The CP principles establish the draft rules that firms will be required to follow, placing particular focus on identifying important business services, setting impact tolerances and the need for regular self-assessments.
• It builds on the concepts set out in the operational resilience Discussion Paper published in 2018, and addresses many of the proposed policy changes based on the responses received. 
• The PRA has asked IA functions across a number of firms to undertake an operational resilience audit against the principles in the consultation paper or broader governance and approach.

What should Internal Audit be doing?

First phase: Respond

Functions should adapt their audit approach, including the reporting mechanisms, to respond timely and appropriately to ongoing COVID-19 developments and provide assurance on a real-time basis to add value. This can take the form of participation in crisis committees, unrated reporting, hot reviews, oral or email feedback. Some of the areas of focus for operational resilience and COVID-19 related work by IA functions during this time, should be:

• Validating and challenging key MI used by management to make decisions on critical activity;
• Challenging management’s forecasts of business impact (some of these may directly impact financial reporting, e.g. going concern);
• Challenging management’s assessment, monitoring and contingency plans of key outsource service providers.

Second phase: Recover

As part of the next phase, organisations must recognise that they will have to face a period of uncertainty and disruption over many months. Throughout this period, they will need to rebuild confidence for the future by ensuring their response is resilient, safeguards the welfare and well-being of people, and is able to adapt to demand and supply challenges. Internal Audit will need to focus on:

• Challenging and benchmarking management’s scenario-planning and assumptions regarding the nature, extent and duration of the situation, as well as the plan to deliver services during prolonged uncertainty in a way that is safe, flexible and resilient based on a clear action plan. It is important for management to focus on a planning-driven approach based on the scenarios that the business is likely to face over a prolonged period (including the ‘worst case’).
• Understanding whether the resilience achieved to date was by design. If not, then what lessons should be drawn for the future? What are management’s ‘crunch points’ in the ability to deliver services against planning assumptions?
• What are the modifications needed to operational capabilities to maintain safety, flexibility and improve resilience, and how those modifications can be implemented quickly with the right resources and outcomes? The adaptability and alternative delivery of important business services has been a critical part of this.
• What is management’s strategy to return to ‘business as usual’ after the crisis, and move from ‘respond’ to ‘recover’ and then to ‘thrive’? How can it turn the crisis into an opportunity to emerge stronger?

Longer term focus and regulatory alignment

• Review how the organisation has interpreted the regulation and taken actions in response to this whilst also leveraging industry response and lessons learned from COVID-19.
• Challenge management’s process to identify their most important business services in order to prioritise their work and investment in operational resilience.
• Ensure that operational resilience is established across end-to end business services, looks at business outcomes from a customer perspective and takes into account third parties and the ecosystem of the firm as a whole.
• Validate whether the organisation has an adequate internal governance and control framework in place for managing operational resilience.
• Ensure that it has set appropriate impact tolerances for their important business services, and has documented the people, processes, technology, facilities and information that support their important business services. Focus on management plans to embed operational resilience.
• Information technology and cyber risks will likely remain the most frequent threat to operational resilience, and should continue to be factored into any audit work. Indeed, cyber, digital and fraud risks have increased significantly in the wake of COVID-19. IA will need to be able to support the increased reliance in digital technology and IT transformation programmes, including the need to factor in resilience-by-design. However the recent experience has shown that firms should be conducting resilience planning based on a wide range of public health, environmental and other scenarios.
• Challenge the effectiveness of their crisis management and crisis communications with all parties, including internal communications, contact with customers and with other relevant external stakeholders including the regulators themselves.

What’s next?

The deadline for responses to the regulatory consultation has been extended to 1 October 2020. The publication for the final regulation through a Policy Statement is expected in the first half of 2021.

We expect that regulators will take into account the lessons from how the financial sector performed during the COVID-19 lockdowns, both in terms of finding out what existing processes and tools worked best, but also identifying vulnerabilities that need to be addressed by future standard-setting.

The regulatory focus on operational resilience can only increase, from what is an already a high base. As such, firms will need to take advantage of this period to prepare, consolidate learnings from recent months, draw up their plans and align themselves to the expected operational resilience requirements.

At the same time, Internal Audit needs to advise on the shifting risk profile of the organisation and the state of the control environment, whilst helping to anticipate regulatory requirements or emerging risks. It is important now more than ever that internal audit professionals are proactive and well-prepared as the situation continues to evolve, while remaining pragmatic and empathetic with stakeholders.

Other resources

Some additional relevant Deloitte articles and resources to consider:

COVID-19 and operational resilience in the financial sector: https://ukfinancialservicesinsights.deloitte.com/post/102g7ak/covid-19-and-operational-resilience-in-the-financial-sector

Preparing for the ‘next normal’ - Build modified resilient operations:
https://www2.deloitte.com/uk/en/pages/risk/articles/preparing-for-the-next-normal.html