Limited functionality available
Explore the latest Financial Services Internal Audit (IA) suggested areas of focus for 2021: www.deloitte.co.uk/planningpriorities2021
Why is it important?
The COVID-19 pandemic has, almost overnight, emerged as the single greatest threat for businesses that may impact not just the continuity of services and operations but the survival of the business itself. Operational resilience plans had to be invoked and crisis management teams had to be quickly deployed. Response teams dealt with unprecedented business disruption, supply chain dependency issues, physical and people access restrictions, as well as infrastructure capacity challenges.
It is recognised that most parts of the financial services sector have handled the first stage of the pandemic response remarkably well, moving relatively quickly to digital-only services and with limited disruption to their core services in most instances; however, this is not a time for complacency and organisations should remain alert to the evolving operational resilience risks.
Internal Audit, as the third line of defence, is uniquely placed to play a key role in the response to the crisis, from a position of good organisational knowledge and with a highly relevant skill-set. Functions will need to provide assurance on the resilience practices followed by organisations both on a real-time basis, as the crisis unfolds, as well as later on with the benefit of looking back and leveraging lessons learned.
At the same time, Internal Audit needs to advise on the shifting risk profile of the organisation and the state of the control environment, whilst helping to anticipate regulatory requirements or emerging risks. It is important now more than ever that audit professionals are proactive and well-prepared as the situation continues to evolve, while remaining pragmatic and empathetic with stakeholders.
What should Internal Audit be doing?
First phase: Respond
Adapt their audit approach, including the reporting mechanisms, to respond timely and appropriately to ongoing COVID-19 developments and provide assurance on a real-time basis to add value. This can take the form of participation in crisis committees, unrated reporting, hot reviews, oral or email feedback.
Some of the areas of focus for operational resilience and COVID-19 related work by IA functions during this time, should be:
Second phase: Recover
The next phase must recognise that organisations will face a period of uncertainty and disruption over many months. Throughout this period, they will need to rebuild confidence for the future by ensuring their response is resilient, safeguards the welfare and well-being of people, and is able to adapt to demand and supply challenges.
Internal audit will need to focus on:
Longer term focus and regulatory alignment
The deadline for responses to the regulatory consultation has been extended to 1 October 2020. The publication for the final regulation through a Policy Statement is expected in the first half of 2021.
We expect that regulators will take into account the lessons from how the financial sector performed during the COVID-19 lockdowns, both in terms of finding out what existing processes and tools worked best, but also identifying vulnerabilities that need to be addressed by future standard-setting.
The regulatory focus on operational resilience can only increase, from what is an already a high base. As such, it is important that firms take advantage of this period to prepare, consolidate learnings from recent months, draw up their plans and align themselves to the expected operational resilience requirements.
COVID-19 and operational resilience in the financial sector: https://ukfinancialservicesinsights.deloitte.com/post/102g7ak/covid-19-and-operational-resilience-in-the-financial-sector
Preparing for the ‘next normal’ - Build modified resilient operations:
Sarah leads Operational Resilience across Financial Services and has over 18 years’ experience in global regulatory, technology and change programmes. Sarah has led technology and operations risk programmes across a number of our largest financial services clients, ranging from designing and embedding risk and control frameworks, implementation of Operational Resilience frameworks and assurance with regulatory requirements, risk and compliance operating models, as well as managing broader change and transformation programmes.
Yannis is a Director in our Technology and Digital Risk practice with over 15 years of experience in the financial services sector. He focuses on delivering technology internal audit, IT risk and controls advisory services, and over the course of his career he has supported Technology and Operational Risk, Compliance and Internal Audit functions in the delivery of high-profile risk remediation, governance and compliance programmes in the UK and overseas. Yannis is a member of Deloitte UK Financial Services Internal Audit Leadership Team, and is currently leading a portfolio of IT risk and internal audit engagements across FTSE-100 financial services clients.