Corresponding author: Isabel van Maaren (
Academic editor: Annemarie Oord
There is a growing interest in organisational resilience. The internal audit function can contribute to growing and maintaining organisational resilience by including the topic in the internal audit plan. Auditing it requires a reference model. The study described used a mixed methods approach to develop a reference model for auditing organisational resilience. Six relevant hard and soft (behavioural) elements of resilience are determined: people, culture, strategy, processes, governance and regulation. The internal audit function can use the tool to assess attention areas to include in the audit scope and formulate a specific reference framework for the organisation.
The internal audit function can use the reference model as a starting point and tool of risk analysis for auditing the resilience of their organisation.
The last few years have presented extraordinarily challenging times to all types of organisations worldwide. The outbreak of the COVID-19 pandemic incited a global economic and health crisis that put our lives on hold for two years, only to be followed by another period of uncertainty and unrest caused by the war in Ukraine. These crises affect society as a whole, including many companies and organisations in all sectors. In response to the growing volatility, uncertainty, complexity and ambiguity in recent years, there is a growing interest in the concept of organisational resilience.
Organisational resilience is the continued ability to adjust under challenging circumstances and the potential to emerge from these circumstances even stronger and more resourceful (Sutcliffe and Vogus 2003, as cited in
The Institute of Internal Auditors (
The
This research aimed to determine the most relevant elements to include in a reference model that can be used by the
A resilient organisation is able to anticipate, avoid, prepare for and adjust to disruptions and shocks that could present an incremental change to the organisation’s environment (
On the topic of resilience,
A widely used and referenced model for organisational resilience is the herringbone resilience model by
Herringbone resilience model by
The activities and capabilities in the resilience model represent, to some extent, measurable elements and therefore one can argue that this spectrum of the model can be considered as the more tangible or ‘hard’ side of resilience. These activities and capabilities will most likely be present in many types of organisations. Nevertheless, the way in which they effectively take into account times of uncertainty and unrest is what could ultimately contribute to the resilience of the organisation.
A resilient organisation can effectively align its strategy, management systems, operations, governance structures and decision-making capabilities in such a way that the organisation can adjust to changing risks and circumstances and can survive disruptions and use them to create advantages (
Several other activities and capabilities are included in the model, such as infrastructure and technology capability, relationship management, compliance and financial management. According to
In short, organisational resilience can be influenced by many measurable factors which
The other side of the herringbone resilience model can be seen as the ‘softer’ and more intangible, behavioural side of organisational resilience. Many characteristics inherent in an organisation can impact the manner in which the organisation performs under both routine and non-routine situations.
Furthermore, clear leadership, tone at the top and acts based on shared priorities and values are essential in order to execute the plans for risk management,
Non-routine circumstances especially demand that an organisation have a strong and united purpose, strategic surety and a level of stress coping (
In sum,
A qualitative approach was used to identify patterns and themes to build a conceptual reference model that could be compared to the reference model resulting from the literature review. Although the literature review presented a comprehensive resilience reference model, the practical research was based on inductive reasoning in order to validate whether the practical research would provide the same answers as the theoretical framework. Inductive reasoning was used in order to avoid steering the respondents in the qualitative research in a specific direction. The assumption was that this would help prevent bias in the research. The goal was to create a reference model that internal auditors can use as a starting point for auditing their organisational resilience.
The results from the interviews conducted were coded, analysed and summarised into a preliminary reference model. This model was then compared and contrasted to the herringbone resilience model in a fit-gap analysis, after which a new version of the model was created. This model was validated by the respondents in the qualitative research, followed by an additional validation by three experts on organisational resilience. Semi-structured interviews were held on the practical view of internal auditors and experts on organisational resilience, including opinions on the most relevant elements of resilience to be included in a reference model. Respondents were asked to provide their definition of resilience, in addition to a number of questions related to the way to measure and audit resilience. Finally, respondents were asked to provide a list of elements of organisational resilience they would include in a reference model or audit scope.
In total, eleven internal auditors and
This chapter presents the reference model that was created based on the herringbone resilience model by
Based on the practical research, a reference model was formed that internal auditors can use as a starting point for auditing the resilience of their organisations. As with the herringbone resilience model by
The reference model is divided into six categories: people, culture, strategy, processes/facilities, governance and regulation. The remainder of this paragraph briefly discusses each of the elements in the reference model. The full reference model is included in the appendix. Figure
Elements of resilience.
The majority of the respondents in the practical research indicated that the ‘human aspect’ of people and employees should be considered a significant part of organisational resilience. An organisation can function by virtue of its employees and therefore not only the organisation itself, but the people within it should be resilient as well. Within a resilient organisation, staff are aware of both their impact and limitations, experience the freedom to make their own decisions and feel involved and aware of their roles and responsibilities.
Table
Element of organisational resilience ‘People’.
| People |
|---|
| How involved and satisfied are your employees? Can you measure their vitality/health? |
| Do your employees understand their (critical) position in the organisation and are they able to learn from it? How proactive are your employees towards preventing incidents? |
| What is the employee’s perception and experience of work pressure in your organisation? |
| To what extent is your organisation controlled: what is the level of individual decision room and authority? |
Closely linked to the element of people is culture. All respondents in the qualitative research proposed that the culture of an organisation is a significant determinant for the resilience of that organisation. Part of this culture is leadership and tone at the top. This view by the respondents in the qualitative research is in line with the proposed views by
Table
Element of organisational resilience ‘Culture’.
| Culture |
|---|
| Does your organisation have a thorough understanding of its purpose, its role in the market and impact on its surroundings? |
| To what extent is your organisation open, transparent, formalised, structured, static or flexible? Is it risk aware, risk avoidant? Is your organisation willing to change and how fast can it change/adapt? |
| What is the style of leadership and tone at the top? |
| Can your organisation learn from past wins and losses, incidents and disruptions, and even those of your competitors? |
The last aspect of the soft side of organisational resilience concerns the organisation’s strategy.
Other elements of strategy include having a financial buffer, incorporating sustainability/ESG into the strategy and the ability to innovate and adapt to changing markets and environments.
Table
Element of organisational resilience ‘Strategy’.
| Strategy |
|---|
| Which elements of strategy impact your resilience? What are your core products/services and what are the threats to them? |
| What is your reputation risk? Which events or disruptions could badly/positively impact your reputation? |
| How innovative and sustainable are you and your products or services? How important are innovation and sustainability to your organisation? If you don’t innovate, what will your place in the market be in 5 years? Does your focus on sustainability contribute to ensuring your continuity? |
| Do you have any buffers, funds set aside for worse times? How is your cashflow controlled? How long can you survive financially should your business be disrupted? |
Having discussed the soft and intangible side of the resilience model, the remainder of this chapter will examine the harder and tangible side of resilience. Firstly, the qualitative research proposed a number of processes and systems closely related to resilience. These include
Table
Element of organisational resilience ‘Processes’.
| Processes |
|---|
| Is there a |
| How is organisational resilience incorporated in your risk management processes? |
| Is there enough insight into the critical suppliers, relations, outsourcing partners? Have you analysed the impact of one of the suppliers being disrupted? And how about your own critical (ICT) systems and technologies? |
| Are scenarios for disruption of the business identified? Which measures have you identified for these scenarios? |
The second element listed on the tangible side of resilience is that of governance. The practical research indicated that many governance-related aspects contribute and are inherent to resilience. One of the most important aspects is having a governance structure that makes it possible to get resilience on the agenda at board or management level. It was believed that this would be a challenge for any organisation. Respondents argued that the
Table
Element of organisational resilience ‘Governance’.
| Governance |
|---|
| Is resilience a topic at board level? |
| Is it clear how and what type of decisions are made, by whom and why? What is the speed of decision-making at board level? Can your organisation make the right decisions under pressure? |
| Are roles and responsibilities clear throughout the organisation? |
| Is there insight into end-to-end processes and have critical function holders been identified within these processes? Is your internal control framework tailored to these processes? |
| How is your organisation structured, do you take a holistic approach, or do you work in silos? In case of the latter, are these silos able to communicate in times of crisis? |
The final element of resilience included in the model is regulation. Respondents in the practical research noted that for some organisations in specific sectors, such as the financial sector, there is a legal obligation to have
Table
Element of organisational resilience ‘Regulation’.
| Regulation |
|---|
| Are you familiar with the rules and regulations your organisation has to comply with in general? Can/will you still comply in times of crisis? Are there any rules or regulations on organisational resilience applicable to your organisation? |
| Does your external accountant include resilience/ |
| What does your external supervisor (for example DNB or AFM) require regarding resilience? |
| Have you received or considered any external accreditation, for example ISO 22301 for |
The main aim of this research was to create a reference model for auditing organisational resilience. A mixed methods approach consisting of literature review and qualitative research was used to form a basis for a resilience model. The model resulting from both phases of the research was validated by respondents in the qualitative research (internal auditors and chief audit executives) and experts on organisational resilience. This resulted in a final reference model for auditing organisational resilience consisting of three ‘soft’, intangible elements and three ‘hard’, tangible elements.
The
The
The proposed reference model can be used as a tool of risk analysis to make a first assessment of the level of resilience within the organisation. Based on this first assessment, the
The reference model includes the aspect of ‘getting resilience on the agenda’ as one of the questions discussed during the qualitative research was whether resilience is a topic on the agenda at board level. One way to get this topic on the agenda is to plan for an audit on organisational resilience. Therefore, the first recommendation for the
Subsequently, as this research was based on input from the
Full reference guide for auditing organisational resilience.
Auditing organisational resilience: Introduction.
Auditing organisational resilience.
Auditing organisational resilience. Asking the right questions.
| People |
|---|
| How involved and satisfied are your employees? Can you measure their vitality/health? |
| Do your employees understand their (critical) position in the organisation and are they able to learn from it? How proactive are your employees towards preventing incidents? |
| What is the perception of work pressure in your organisation? |
| To what extent is your organisation controlled, what is the level of individual decision room and authority? |

| Culture |
|---|
| Does your organisation have a thorough understanding of itself, its role in the market and impact on its surroundings? |
| To what extent is your organisation open, transparent, formalised, structured, static or flexible? Is it risk aware, risk avoidant? Is your organisation willing to change and how fast can it change/adapt? |
| What is the style of leadership and tone at the top? |
| Can your organisation learn from past wins and losses, incidents and disruptions, and even those of your competitors? |

| Strategy |
|---|
| Which elements of strategy impact your resilience? What are your core products/services and what are the threats to them? |
| What is your reputation risk? Which events or disruptions could badly impact your reputation? Which could influence them positively? |
| How innovative and sustainable are you and your products or services? How important are innovation and sustainability to your organisation? If you don’t innovate, what will your place in the market be in 5 years? Does your focus on sustainability contribute to ensuring your continuity? |
| Do you have any buffers, funds set aside for worse times? How is your cashflow controlled? How long can you survive financially should your business be disrupted? |

| Processes |
|---|
| Is there a |
| How is organisational resilience incorporated in your risk management processes? |
| Is there enough insight into the critical suppliers, relations, outsourcing partners? Have you analysed the impact of one of the suppliers being disrupted? And how about your own critical (ICT) systems and technologies? |
| Have you identified scenarios for disruption of your business? Which measures have you identified for these scenarios? |

| Governance |
|---|
| Is resilience a topic at board level? |
| Is it clear how and what type of decisions are made, by whom and why? What is the speed of decision-making at board level? Can your organisation make the right decisions under pressure? |
| Are roles and responsibilities clear throughout the organisation? |
| Is there insight into end-to-end processes and have critical function holders been identified within these processes? Is your internal control framework tailored to these processes? |

| Regulation |
|---|
| Are you familiar with the rules and regulations your organisation has to comply with in general? Can/will you still comply in times of crisis? Are there any rules or regulations on organisational resilience applicable to your organisation? |
| Does your external accountant include resilience/ |
| What does your external supervisor (for example DNB or AFM) require regarding resilience? |
| Have you received or considered any external accreditation, for example ISO 22301 for |
Recap.
An organisation’s ability to continue, bounce back from and respond to setbacks, incidents, crises and times of disruption in addition to being flexible enough to adjust to changing markets and environments and being ready for the future.
Internal auditors have an all-encompassing view of the organisation. Resilience is an all-encompassing topic within an organisation. Internal Audit can provide assurance – and communicate this to internal and external stakeholders – on the extent to which the organisation has the right people, culture, strategy, processes and governance in place to become sufficiently resilient. Provide the organisation with the necessary insights into their preparedness for, and ability to continue through hard times, their level of flexibility and readiness for the future.
Resilience is a broad topic and is specific to the organisation. Therefore, it’s difficult to make a one-size-fits-all reference framework. This reference guide contains an elaboration of the elements of organisational resilience (page 3) and the questions to ask your organisation when auditing organisational resilience (pages 4 and 5). Use these elements and questions to create a reference framework tailored to your organisation. For specific reference frameworks on auditing Business Continuity Management and Crisis Management, consider using, for example, the IPPF Practice Guide on Business Continuity and/or the NBA Guideline for auditing