Blog: Audit & Assurance
Posted: 20 Jul. 2020 12 min. read

Planning Priorities 2021

Operational Resilience and COVID-19: Internal Audit Planning Considerations

Sarah Black Yannis Petras

Explore the latest Financial Services Internal Audit (IA) suggested areas of focus for 2021: www.deloitte.co.uk/planningpriorities2021
 

Why is it important?

The COVID-19 pandemic has, almost overnight, emerged as the single greatest threat for businesses that may impact not just the continuity of services and operations but the survival of the business itself. Operational resilience plans had to be invoked and crisis management teams had to be quickly deployed. Response teams dealt with unprecedented business disruption, supply chain dependency issues, physical and people access restrictions, as well as infrastructure capacity challenges.

It is recognised that most parts of the financial services sector have handled the first stage of the pandemic response remarkably well, moving relatively quickly to digital-only services and with limited disruption to their core services in most instances; however, this is not a time for complacency and organisations should remain alert to the evolving operational resilience risks.

Internal Audit, as the third line of defence, is uniquely placed to play a key role in the response to the crisis, from a position of good organisational knowledge and with a highly relevant skill-set. Functions will need to provide assurance on the resilience practices followed by organisations both on a real-time basis, as the crisis unfolds, as well as later on with the benefit of looking back and leveraging lessons learned.

At the same time, Internal Audit needs to advise on the shifting risk profile of the organisation and the state of the control environment, whilst helping to anticipate regulatory requirements or emerging risks. It is important now more than ever that audit professionals are proactive and well-prepared as the situation continues to evolve, while remaining pragmatic and empathetic with stakeholders.

What’s new?

  • Building the operational resilience of firms and Financial Market Infrastructures (FMIs) remains now, more than ever, a key shared priority for Bank of England (BoE), the PRA and the Financial Conduct Authority (FCA).
  • Regulators have been monitoring the operational resilience of financial services firms during the pandemic, looking particularly closely at how firms refine their resilience plans, how they approach the governance of their operational resilience (including the role of the Board and SMF24) and the quality of their crisis communications.
  • The three supervisory authorities published a shared policy summary and coordinated consultation papers (CP29/19) on new requirements to strengthen operational resilience in the financial services sector.
  • We believe that in the longer term the COVID-19 experience will validate this proposed UK regulatory approach that focuses on strengthening the resilience of important business services in the face of a wide range of severe but plausible scenarios.
  • The CP principles establish the draft rules that firms will be required to follow, placing particular focus on impact tolerances and the need for regular self-assessments.
  • It builds on the concepts set out in the operational resilience Discussion Paper published in 2018, and addresses many of the proposed policy changes based on the responses received.
  • The PRA has asked IA functions across a number of firms to undertake an operational resilience audit, against the principles in the consultation paper.

What should Internal Audit be doing?

 

 

 

 

First phase: Respond

 

 

 

 

 

 

Adapt their audit approach, including the reporting mechanisms, to respond timely and appropriately to ongoing COVID-19 developments and provide assurance on a real-time basis to add value. This can take the form of participation in crisis committees, unrated reporting, hot reviews, oral or email feedback.

Some of the areas of focus for operational resilience and COVID-19 related work by IA functions during this time, should be:

  • Validating and challenging key MI used by management to make decisions on mission-critical activity;
  • Challenging management’s forecasts of business impact (some of these may directly impact financial reporting, e.g. going concern);
  • Challenging management’s assessment, monitoring and contingency plans of key outsource service providers.

Second phase: Recover

The next phase must recognise that organisations will face a period of uncertainty and disruption over many months. Throughout this period, they will need to rebuild confidence for the future by ensuring their response is resilient, safeguards the welfare and well-being of people, and is able to adapt to demand and supply challenges.

Internal audit will need to focus on:

  • Challenging and benchmarking management’s scenario-planning and assumptions regarding the nature, extent and duration of the situation, as well as the plan to deliver services during prolonged uncertainty in a way that is safe, flexible and resilient based on a clear action plan. It is important to focus on a planning-driven approach based on the scenarios that the business is likely to face over a prolonged period (including the ‘worst case’).
  • Understand whether the resilience achieved to date was by design, and if not, what lessons should be drawn for the future. Try to assess management’s ‘crunch points’ in the ability to deliver services against planning assumptions.
  • Validate the modifications needed to operational capabilities to maintain safety, flexibility and improve resilience, and how those modifications can be implemented quickly with the right resources and outcomes. The adaptability and alternative delivery of important business services has been a critical part of this.
  • What is management’s strategy to return to ‘business as usual’ after the crisis, and move from ‘respond’ to ‘recover’ and then to ‘thrive’; how it can turn the crisis into an opportunity to emerge stronger.

 

 

 

 

 

 

 

 

Longer term focus and regulatory alignment

  • Review how their organisation has interpreted the regulation and taken actions in response to this whilst also leveraging industry response and lessons learned from COVID-19.
  • Challenge the firm’s process to identify their most important business services in order to prioritise their work and investment in operational resilience.
  • Ensure that operational resilience is established across end-to end business services, looks at business outcomes from a customer perspective and takes into account third parties and the ecosystem of the firm as a whole.
  • Ensure firms have an adequate internal governance and control framework in place for managing operational resilience.
  • Ensure that the firm has set appropriate impact tolerances for their important business services, and have documented the people, processes, technology, facilities and information that support their important business services. Focus on management plans to embed operational resilience.
  • Information technology and cyber risks will likely remain the most frequent threat to operational resilience, and should continue to be factored into any audit work. Indeed, cyber, digital and fraud risks have increased significantly in the wake of COVID-19. IA will need to be able to support the increased reliance in digital technology and IT transformation programmes, including the need to factor in resilience-by-design. However the recent experience has shown that firms should be conducting resilience planning based on a wide range of public health, environmental and other scenarios.
  • Challenge the effectiveness of their crisis management and crisis communications with all parties, including internal communications, contact with customers and with other relevant external stakeholders including the regulators themselves.


What’s next?

The deadline for responses to the regulatory consultation has been extended to 1 October 2020. The publication for the final regulation through a Policy Statement is expected in the first half of 2021.

We expect that regulators will take into account the lessons from how the financial sector performed during the COVID-19 lockdowns, both in terms of finding out what existing processes and tools worked best, but also identifying vulnerabilities that need to be addressed by future standard-setting.

The regulatory focus on operational resilience can only increase, from what is an already a high base. As such, it is important that firms take advantage of this period to prepare, consolidate learnings from recent months, draw up their plans and align themselves to the expected operational resilience requirements.

Other resources

COVID-19 and operational resilience in the financial sector: https://ukfinancialservicesinsights.deloitte.com/post/102g7ak/covid-19-and-operational-resilience-in-the-financial-sector

Preparing for the ‘next normal’ - Build modified resilient operations:

https://www2.deloitte.com/uk/en/pages/risk/articles/preparing-for-the-next-normal.html

Sign up for the latest updates

Sign up for the latest updates

Key contacts

Sarah Black

Sarah Black

Partner
+44 (0) 20 7007 9543

Sarah leads Operational Resilience across Financial Services and has over 18 years’ experience in global regulatory, technology and change programmes. Sarah has led technology and operations risk programmes across a number of our largest financial services clients, ranging from designing and embedding risk and control frameworks, implementation of Operational Resilience frameworks and assurance with regulatory requirements, risk and compliance operating models, as well as managing broader change and transformation programmes.

Read full bio
Yannis Petras

Yannis Petras

Partner
+44 (0)20 7303 8848

Yannis is a Partner in our Technology and Digital Risk practice with over 18 years of experience leading and delivering technology risk, controls assurance and advisory engagements across lines of defence. He currently leads our Technology & Digital Internal Audit proposition for the UK Financial Services sector. Over the course of his career he has led a portfolio of IT risk / control and internal audit engagements across FTSE-100, FTSE-250 clients of the firm, and supported Technology, Operational Risk, Compliance functions in the delivery of high-profile risk remediation, governance and compliance programmes in the UK and overseas. Yannis is a member of the Deloitte UK Financial Services Internal Audit Leadership Team, and has authored a number of Deloitte publications, viewpoints and blogs across the topics of technology, cyber risk, Internal audit analytics and innovation, focusing on helping functions enhance their impact and value to their respective organisations and key stakeholders.

Read full bio