Executive tools to prevent the next disaster

Risk audits can help business leaders gauge their ability to survive future threats

Organizations that use audits to evaluate their risk of disruptions are building resilience faster.

In his 2007 book “The Black Swan,” Nassim Nicholas Taleb popularized the term for a significant negative event that has broad impact, is statistically improbable and, in hindsight, is widely rationalized.

Taleb argues that the COVID-19 pandemic is not a black swan—he says it’s a “white swan,” an event with major impact that can be predicted—yet organizations of all types and sizes had no functional plan to mitigate its impacts.

With the threat of new COVID variants and plans to return to the office delayed, one big question for business leaders is, What is the future of work?

For organizations and their people, black swan and white swan events pose a problem: If we know an event will happen but don’t know when, where, or to what degree, can we adequately prepare for it?

A recent survey by ESI ThoughtLab and ServiceNow asked more than 1,000 executives in 13 countries about their organizations’ resilience. The survey found that many executives are undertaking risk audits to gauge and prepare for future shocks.

So what’s a risk audit?

Audits by industry

Financial services companies have used risk audits for years. Companies perform these internal checks to measure the effectiveness of their disaster recovery, business continuity, risk management, resilience planning, and cyber-security programs.

[Read also: A new era of operational risk]

Telecom companies, which are especially sensitive to major weather events and other unavoidable disasters, also undertake such auditing as a best practice. According to the ESI ThoughtLab/ServiceNow research, half of telecom executives surveyed say risk audits provide significant value to their organizations.

Leaders beyond financial services and telecoms are now exploring auditing in their own companies as a way to gauge their operational resilience. Roughly six in ten COOs and CROs say risk auditing is an important initiative for their businesses. Furthermore, a Deloitte Global survey found that 9 of 10 C-level execs in non-finance fields felt their companies should emulate the financial services industry in regularly assessing risk and resilience.

Defining operational resilience

Business consulting firm Protiviti defines operational resilience as “an organization’s ability to detect, prevent, respond to, recover, and learn from operational disruptions” that could impact the business’s services, functions, or products.

Testing operational resilience involves evaluating the organization’s entire ecosystem, including vendors and supply chains, which might break during a crisis.

Vaishali Jain, senior program manager for business continuity management at ServiceNow, says risk auditing forces a company to plan for disruption and test to make sure they are ready.

“Do [executives] have a plan to respond? Do they test those plans often? If there’s a hurricane, have they identified a different location their team can work if their primary location is not available? Are there any gaps?”

The pandemic tests business resilience

Although many companies have various disaster and crisis plans in a drawer ready to go, the COVID-19 pandemic still caught many off guard. One explanation for why could be that many companies aren’t testing their plans or preparing for how to use them.

According to our survey, fewer than a fifth of manufacturing companies polled were performing regular risk audits—even during the pandemic itself. Given the impact of COVID-19 on company supply chains this is a surprising finding.

At the beginning of the pandemic, a survey from the National Association of Manufacturers showed that almost eight of ten manufacturers believed the pandemic would have a financial impact on their businesses, while more than a third said they faced supply chain disruptions.

Another possibility is that some C-level executives aren’t on board with risk auditing. For instance, less than a third of chief customer officers (CCOs) reported risk auditing as a high-value exercise for their businesses. Yet many CCOs and other leaders acknowledge the massive customer service disruptions that have occurred throughout the pandemic.

Even if businesses do perform regular audits, it’s difficult to prepare for cataclysmic events with such wide-ranging and cascading global impacts. “Yes, people had pandemic plans,” Jain says, “but nobody had to exercise them at this level, where the impact wasn’t just regional but global.”

Risk audits can’t mitigate the dangers and threats that businesses face, but they can help companies to survive—if not thrive—when they do happen in an increasingly unpredictable world.

Preparing for unknown unknowns

The Canadian Institute of Internal Auditors derived four main questions and advice to help businesses gauge their resilience, which can guide auditors:

 

1). How is resilience built into your organization’s governance and structure?

 

Governance refers to policies, rules, and procedures, as well as the decision-makers who create them. If the organization experiences a shock, is leadership empowered to make organizational changes? Are there procedures in place that allow them to quickly and decisively seek new revenue streams, digitize customer experience, or instruct employees to work from home, all while maintaining regulatory and compliance standards?

 

2). Does the company have a risk-management plan?

 

A tech company could undergo a cyberattack. A financial services firm could be impacted by the outbreak of war. A manufacturing or petrochemical company could suffer a natural disaster near one of its plants. An auditor asks whether a company is quantifying these risks and measuring their potential impacts. Do they know how a disruption might impact the financial health, employee productivity, and revenue streams?

 

3). Does the company have a workable crisis-management plan?

 

A workable plan must define individual roles during a crisis and include processes for communication and decision making when regular lines of communication might break down. Auditing will force companies to confront issues and make decisions preemptively, such as deciding who will be on the crisis management team and how the team will communicate with the organization as a whole during a crisis.

 

4). Is the organization seeking ways to boost resilience?

 

Companies should be conducting ongoing crisis-management training. They should also continually test their plans, personnel, and systems to discover problems before they’re in the middle of an emergency. They should practice scenarios like ransomware attacks or extreme weather events and include training for new hires to understand what to do in case of a crisis.