The European Talk show for Risk and Insurance professionals
For me, it means that an organization has performed a comprehensive risk assessment, analyzing for which types and severity levels of risk it makes sense to have an active risk response in order to control them, and for which other types it is less possible to control, manage and prepare, so that you just have to be resilient: able to bounce back from an unfortunate event or happening to the normal situation again, without losing too much time and money. Detection ability, escalation and crisis management, recovery procedures, the power to change, clear roles and responsibilities, and the like are imperative to have well organized in order to be ready.
In my role as internal auditor, it is most important to have done the work before the crisis itself: auditing the policies and procedures in place, being present at or participating in crisis management and incident recovery exercises, adding value to the design of all related processes, and observing and commenting on rehearsals.
During the crisis, Internal Audit needs to be represented in the different (levels of, or local) crisis management teams, to observe and add value where it can. It should not, however, get in the way or delay anything.
If the crisis persists (as was the case with Covid-19), Internal Audit can build a reference framework (standards) and audit/review the crisis management and the effectiveness of the resilience that was observed.
Really showing resilience will be extremely important in the case of a non-rehearsed, black-swan type of event. Even with the highest level of preparation for an incident or a disaster, uncertainty and doubt about the facts and circumstances, the potential impact, the root causes, the way to handle the crisis, the required escalation and communication, and many other things will not be easy to analyse and decide on. In such a case, collaboration is the only way to survive. If, for instance, the three lines just stick to their traditional roles (and the distance that often exists between them), or local entities use their local legal powers not to communicate in time, or not at all, the damage by default will be much higher, if not worse. No borders, no ranks (although with clarity of command), no limitations on collaboration.