Risk Management and Internal Audit in times of COVID-19 Risk Management and Internal Audit in times of COVID-19

Under normal circumstances, around this time risk professionals and internal auditors might find themselves preparing for a yearly ERM exercise and a 3 year audit plan, but these exceptional times call for a different set of priorities and an occasion to use those skills in new ways.

Now is the moment to look beyond the annual routine and step up to help your organization using your specific set of competences and knowledge, which can make a valuable contribution in a number of priority areas over the coming months, including:

Many companies are struggling to cope with the challenges we are currently facing, partially because of the limited attention given to Business Continuity in the past. Now is not the time for regrets, but constructive collaboration to develop agile responses and identify practical solutions. There is still a lot that can be done to catch-up in the response and recovery phases.

What you can do:

1. Contribute to the development and/or execution of the crisis management plan.
2. Contribute to the Business Continuity plan and the IT disaster recovery plan if relevant.

“Predicting the unpredictable: dealing with risk and uncertainty” has always been a key mantra, and this holds true today with the emergence of COVID-19. There are many associated risks which are impacted by COVID-19, for example: Cyber and Fraud risks, Reputation risks, Supply Chain risks, Health & Safety, to name a few.  As a risk professional you are best placed to provide new insights to top management regarding the impact on your organization’s risk and opportunity landscape and to improve structured reflections on the measures taken and anticipated. These risks should be on your organization’s radar now to allow them to take these into consideration when making decisions. Please don’t wait for your yearly ERM update to address these.

Discuss with your management how you can best add value in these critical times. It is probably not an ideal time to stick to your audit plan or other routines if this does not provide value for your organization at this point. It might be more beneficial if Internal Auditors temporarily focus more on their advisory role (for example on business continuity and crisis management) and further take-up the assurance activities once the situation has been stabilized. 

The human aspect of this crisis is fundamental and should also be explicitly addressed when implementing hard risk mitigating and BC measures. Risk professionals can actively take up the role ensuring that the risk management and business continuity measures:

• are clearly defined and understood,
• are made visible in the organization,
• involve the entire organization,
• are fully applied by top management,
• are executable,
• can be openly discussed,
• are enforced,
• are continuously improved.

The sooner you get started, the more effective the outcome for your organization and its people, from top management right through to the newest recruit. We believe you have the knowledge and skill set to add real value at this critical time, and we wish you well as you work to do so over the coming weeks and months.