Operational Resilience and COVID-19: Internal Audit Planning Considerations | Deloitte UK
Explore the latest Financial Services Internal Audit (IA) suggested areas of focus for 2021: www.deloitte.co.uk/planningpriorities2021
Why is it important?
The COVID-19 pandemic has, almost overnight, emerged as the single greatest threat for businesses that may impact not just the continuity of services and operations but the survival of the business itself. Operational resilience plans had to be invoked and crisis management teams had to be quickly deployed. Response teams dealt with unprecedented business disruption, supply chain dependency issues, physical and people access restrictions, as well as infrastructure capacity challenges.
It is recognised that most parts of the financial services sector have handled the first stage of the pandemic response remarkably well, moving relatively quickly to digital-only services and with limited disruption to their core services in most instances; however, this is not a time for complacency and organisations should remain alert to the evolving operational resilience risks.
Internal Audit, as the third line of defence, is uniquely placed to play a key role in the response to the crisis, from a position of good organisational knowledge and with a highly relevant skill-set. Functions will need to provide assurance on resilience programmes and associated controls adopted by organisations both on a real-time basis, as the crisis unfolds, and later on, with the benefit of looking back and leveraging lessons learned.
What’s new?
What should Internal Audit be doing?
First phase: Respond
Functions should adapt their audit approach, including the reporting mechanisms, to respond in a timely and appropriate manner to ongoing COVID-19 developments and provide assurance on a real-time basis to add value. This can take the form of participation in crisis committees, unrated reporting, hot reviews, or oral or email feedback. Some of the areas of focus for operational resilience and COVID-19 related work by IA functions during this time should be:
Second phase: Recover
As part of the next phase, organisations must recognise that they will have to face a period of uncertainty and disruption over many months. Throughout this period, they will need to rebuild confidence for the future by ensuring their response is resilient, safeguards the welfare and well-being of people, and is able to adapt to demand and supply challenges. Internal Audit will need to focus on:
Longer term focus and regulatory alignment
What’s next?
The deadline for responses to the regulatory consultation has been extended to 1 October 2020. Publication of the final regulation through a Policy Statement is expected in the first half of 2021.
We expect that regulators will take into account the lessons from how the financial sector performed during the COVID-19 lockdowns, both in finding out which existing processes and tools worked best and in identifying vulnerabilities that need to be addressed by future standard-setting.
The regulatory focus on operational resilience can only increase, from what is already a high base. As such, firms will need to take advantage of this period to prepare, consolidate learnings from recent months, draw up their plans and align themselves to the expected operational resilience requirements.
At the same time, Internal Audit needs to advise on the shifting risk profile of the organisation and the state of the control environment, whilst helping to anticipate regulatory requirements or emerging risks. It is important now more than ever that internal audit professionals are proactive and well-prepared as the situation continues to evolve, while remaining pragmatic and empathetic with stakeholders.
Other resources
Some additional relevant Deloitte articles and resources to consider:
COVID-19 and operational resilience in the financial sector: https://ukfinancialservicesinsights.deloitte.com/post/102g7ak/covid-19-and-operational-resilience-in-the-financial-sector
Preparing for the ‘next normal’ - Build modified resilient operations: https://www2.deloitte.com/uk/en/pages/risk/articles/preparing-for-the-next-normal.html
Sarah leads Operational Resilience across Financial Services and has over 18 years’ experience in global regulatory, technology and change programmes. Sarah has led technology and operations risk programmes across a number of our largest financial services clients, ranging from designing and embedding risk and control frameworks, implementation of Operational Resilience frameworks and assurance with regulatory requirements, risk and compliance operating models, as well as managing broader change and transformation programmes.
Yannis is a Partner in our Technology and Digital Risk practice with over 18 years of experience leading and delivering technology risk, controls assurance and advisory engagements across lines of defence. He currently leads our Technology & Digital Internal Audit proposition for the UK Financial Services sector. Over the course of his career he has led a portfolio of IT risk / control and internal audit engagements across FTSE-100 and FTSE-250 clients of the firm, and supported Technology, Operational Risk and Compliance functions in the delivery of high-profile risk remediation, governance and compliance programmes in the UK and overseas. Yannis is a member of the Deloitte UK Financial Services Internal Audit Leadership Team, and has authored a number of Deloitte publications, viewpoints and blogs across the topics of technology, cyber risk, internal audit analytics and innovation, focusing on helping functions enhance their impact and value to their respective organisations and key stakeholders.