Research Article
Corresponding author: Isabel van Maaren ( isabel.vanmaaren@mazars.nl ) Academic editor: Annemarie Oord
© 2022 Isabel van Maaren.
This is an open access article distributed under the terms of the Creative Commons Attribution License (CC BY-NC-ND 4.0), which permits to copy and distribute the article for non-commercial purposes, provided that the article is not altered or modified and the original author and source are credited.
Citation:
van Maaren I (2022) A reference model for auditing organisational resilience. Maandblad voor Accountancy en Bedrijfseconomie 96(7/8): 201-211. https://doi.org/10.5117/mab.96.89573
There is a growing interest in organisational resilience. The internal audit function can contribute to building and maintaining organisational resilience by including the topic in the internal audit plan. Auditing it requires a reference model. The study described here used a mixed methods approach to develop a reference model for auditing organisational resilience. Six relevant hard and soft (behavioural) elements of resilience are identified: people, culture, strategy, processes, governance and regulation. The internal audit function can use the model to assess which attention areas to include in the audit scope and to formulate a specific reference framework for the organisation.
Keywords: organisational resilience, internal audit function, auditing
The internal audit function can use the reference model as a starting point and tool of risk analysis for auditing the resilience of their organisation.
The last few years have presented extraordinarily challenging times to all types of organisations worldwide. The outbreak of the COVID-19 pandemic incited a global economic and health crisis that put our lives on hold for two years, only to be followed by another period of uncertainty and unrest caused by the war in Ukraine. These crises affect society as a whole, including many companies and organisations in all sectors. In response to the growing volatility, uncertainty, complexity and ambiguity of recent years, there is a growing interest in the concept of organisational resilience.
Organisational resilience is the continued ability to adjust under challenging circumstances and the potential to emerge from these circumstances even stronger and more resourceful (Sutcliffe and Vogus 2003, as cited in
The Institute of Internal Auditors (IIA) has included resilience and related terms such as business continuity, crisis response and disaster recovery in the top ten risks named by Chief Audit Executives (CAEs) for the last few years (
The IAF should “provide objective and independent assurance, advice and insights on the efficiency of the organisation’s operations and should help an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes” (
This research aimed to determine the most relevant elements to include in a reference model that can be used by the IAF when auditing organisational resilience. The next paragraph presents the literature review, followed by the research method and results – the reference model. Finally, some conclusions and recommendations are presented.
A resilient organisation is able to anticipate, avoid, prepare for and adjust to disruptions and shocks that could present an incremental change to the organisation’s environment (
On the topic of resilience,
A widely used and referenced model for organisational resilience is the herringbone resilience model by
The activities and capabilities in the resilience model represent, to some extent, measurable elements and therefore one can argue that this spectrum of the model can be considered as the more tangible or ‘hard’ side of resilience. These activities and capabilities will most likely be present in many types of organisations. Nevertheless, the way in which they effectively take into account times of uncertainty and unrest is what could ultimately contribute to the resilience of the organisation.
A resilient organisation can effectively align its strategy, management systems, operations, governance structures and decision-making capabilities in such a way that the organisation can adjust to changing risks and circumstances, can survive disruptions and can use them to create advantages (
BCM is a strategic management process used to identify potential threats to an organisation and provides a systematic process for mitigating the effects of crises, incidents and interruptions (
Several other activities and capabilities are included in the model, such as infrastructure and technology capability, relationship management, compliance and financial management. According to
In short, organisational resilience can be influenced by many measurable factors which
The other side of the herringbone resilience model can be seen as the ‘softer’ and more intangible, behavioural side of organisational resilience. Many characteristics inherent in an organisation can impact the manner in which the organisation performs under both routine and non-routine situations.
Furthermore, clear leadership, tone at the top and acts based on shared priorities and values are detrimental in order to execute the plans for risk management, BCM and CM that organisations often have in place (
Non-routine circumstances in particular demand that an organisation have a strong and united purpose, strategic surety and a level of stress coping (
In sum,
A qualitative approach was used to identify patterns and themes to build a conceptual reference model that could be compared to the reference model resulting from the literature review. Although the literature review presented a comprehensive resilience reference model, the practical research was based on inductive reasoning in order to validate whether the practical research would provide the same answers compared to the theoretical framework. Inductive reasoning was used in order to prevent steering the respondents in the qualitative research into a specific direction. It was the assumption that this would help prevent bias in the research. The goal was to create a reference model that internal auditors can use as a starting point for auditing their organisational resilience.
The results from the interviews conducted were coded, analysed and summarised into a preliminary reference model. This model was then compared and contrasted to the herringbone resilience model in a fit-gap analysis, after which a new version of the model was created. This model was validated by the respondents in the qualitative research, followed by an additional validation by three experts on organisational resilience. Semi-structured interviews were held on the practical view of internal auditors and experts on organisational resilience, including opinions on the most relevant elements of resilience to be included in a reference model. Respondents were asked to provide their definition of resilience, in addition to a number of questions related to the way to measure and audit resilience. Finally, respondents were asked to provide a list of elements of organisational resilience they would include in a reference model or audit scope.
In total, eleven internal auditors and CAEs from several industries – including retail, publishing, airports, telecom, storage of dangerous goods, ship warehousing, pension funds and consultancy – were interviewed as part of the qualitative research. It was assumed that the respondents’ backgrounds and experience collectively would provide a sufficient and representative basis for different types of organisations and industries in the Netherlands. In addition to the internal auditors and CAEs, one expert from the field of organisational resilience was interviewed in order to obtain preliminary insights into organisational resilience. Finally, two additional experts on organisational resilience were asked to validate the results of the qualitative research – the reference model – in addition to the other research respondents.
This chapter presents the reference model that was created based on the herringbone resilience model by
Based on the practical research, a reference model was formed that internal auditors can use as a starting point for auditing the resilience of their organisations. As with the herringbone resilience model by
The reference model is divided into six categories: people, culture and strategy, processes/facilities, governance and regulation. The remainder of this paragraph briefly discusses each of the elements in the reference model. The full reference model is included in the appendix. Figure
The majority of the respondents in the practical research indicated that the ‘human aspect’ of people and employees should be considered a significant part of organisational resilience. An organisation can function by virtue of its employees, and therefore not only the organisation itself but also the people within it should be resilient. Within a resilient organisation, staff are aware of both their impact and their limitations, experience the freedom to make their own decisions, and feel involved in and aware of their roles and responsibilities.
Table
| People |
|---|
| Resilience is twofold in that it concerns both the resilience of the organisation and the resilience of the people working for the organisation. The commitment, involvement and loyalty of employees have a direct effect on the resilience of an organisation. Are your employees able to cope during a crisis? Consider the following questions when looking at the People aspect of resilience. |
| How involved and satisfied are your employees? Can you measure their vitality/health? |
| Do your employees understand their (critical) position in the organisation and are they able to learn from it? How proactive are your employees towards preventing incidents? |
| What is the employee’s perception and experience of work pressure in your organisation? |
| To what extent is your organisation controlled: what is the level of individual decision room and authority? |
Closely linked to the element of people is culture. All respondents in the qualitative research proposed that the culture of an organisation is a significant determinant for the resilience of that organisation. Part of this culture is leadership and tone at the top. This view by the respondents in the qualitative research is in line with the proposed views by
Table
| Culture |
|---|
| Part of resilience is the culture within your organisation. A closed, controlled and formalised organisation might be less resilient than an open, transparent and flexible organisation. Consider the following questions when looking at the Culture aspect of resilience. |
| Does your organisation have a thorough understanding of its purpose, its role in the market and its impact on its surroundings? |
| To what extent is your organisation open, transparent, formalised, structured, static or flexible? Is it risk aware or risk avoidant? Is your organisation willing to change, and how fast can it change/adapt? |
| What is the style of leadership and tone at the top? |
| Can your organisation learn from past wins and losses, incidents and disruptions, and even those of your competitors? |
The last aspect of the soft side of organisational resilience concerns the organisation’s strategy.
Other elements of strategy include having a financial buffer, incorporating sustainability/ESG into the strategy and the ability to be innovative and change in adjusting markets and environments.
Table
| Strategy |
|---|
| Is strategy part of resilience, or should resilience be part of your strategy? Consider the following questions when looking at the Strategy aspect of resilience. |
| Which elements of strategy impact your resilience? What are your core products/services and what are the threats to them? |
| What is your reputation risk? Which events or disruptions could negatively or positively impact your reputation? |
| How innovative and sustainable are you and your products or services? How important are innovation and sustainability to your organisation? If you don’t innovate, what will your place in the market be in 5 years? Does your focus on sustainability contribute to ensuring your continuity? |
| Do you have any buffers, funds set aside for worse times? How is your cashflow controlled? How long can you survive financially should your business be disrupted? |
Having discussed the soft and intangible side of the resilience model, the remainder of this chapter examines the harder, tangible side of resilience. Firstly, the qualitative research proposed a number of processes and systems closely related to resilience. These include BCM, CM and back-up and recovery. Organisational resilience is seen to be strongly related to BCM and CM.
Table
| Processes |
|---|
| Part of resilience is having in place the necessary (management) systems, plans and programs in your end-to-end processes, in order to stay in business. Consider the following questions when looking at the Process aspect of resilience. |
| Is there a BCM program (including Crisis Management)? How often is the crisis plan tested and updated? Are roles and responsibilities in the plan clear to all relevant stakeholders? Do you have a BCP (including back-up and recovery)? |
| How is organisational resilience incorporated in your risk management processes? |
| Is there enough insight into the critical suppliers, relations and outsourcing partners? Have you analysed the impact of one of the suppliers being disrupted? And what about your own critical (ICT) systems and technologies? |
| Are scenarios for disruption of the business identified? Which measures have you identified for these scenarios? |
The second element listed on the tangible side of resilience is governance. The practical research indicated that many governance-related aspects contribute to and are inherent in resilience. One of the most important aspects is having a governance structure that makes it possible to get resilience on the agenda at board or management level. It was believed that this would be a challenge for any organisation. Respondents argued that the IAF would actually be able to play a significant role in this. They argued that there should be clear roles and responsibilities and that these should be assigned effectively within the organisation.
Table
| Governance |
|---|
| Part of resilience is having the right governance in place. The way your organisation is structured and the way in which ownership and responsibility (for example for processes such as BCM and crisis management) are distributed are important contributors to resilience. Consider the following questions when looking at the Governance aspect of resilience. |
| Is resilience a topic at board level? |
| Is it clear how and what type of decisions are made, by whom and why? What is the speed of decision-making at board level? Can your organisation make the right decisions under pressure? |
| Are roles and responsibilities clear throughout the organisation? |
| Is there insight into end-to-end processes and have critical function holders been identified within these processes? Is your internal control framework tailored to these processes? |
| How is your organisation structured: do you take a holistic approach, or do you work in silos? In case of the latter, are these silos able to communicate in times of crisis? |
The final element of resilience included in the model is regulation. Respondents in the practical research noted that for some organisations in specific sectors, such as the financial sector, there is a legal obligation to have BCM plans in place. Other organisations choose to obtain external accreditation on resilience. These requirements are, however, mainly focussed on the financial sector. Therefore, this element of resilience might not be applicable or relevant for all organisations in all sectors. Nevertheless, given the increased attention on resilience in general, there could be a shift towards more regulation on this topic in the future, and the element should therefore not be disregarded altogether.
Table
| Regulation |
|---|
| Your external supervisor, accountant or even the law might ask for specific procedures on resilience to be embedded into your organisation. Consider the following questions when looking at the Regulation aspect of resilience. |
| Are you familiar with the rules and regulations your organisation has to comply with in general? Can/will you still comply in times of crisis? Are there any rules or regulations on organisational resilience applicable to your organisation? |
| Does your external accountant include resilience/BCM in its going concern topics? |
| What does your external supervisor (for example DNB or AFM) require regarding resilience? |
| Have you received or considered any external accreditation, for example ISO 22301 for BCM? |
The main aim of this research was to create a reference model for auditing organisational resilience. A mixed methods approach consisting of literature review and qualitative research was used to form a basis for a resilience model. The model resulting from both phases of the research was validated by respondents in the qualitative research (internal auditors and chief audit executives) and experts on organisational resilience. This resulted in a final reference model for auditing organisational resilience consisting of three ‘soft’, intangible elements and three ‘hard’, tangible elements.
The IAF can audit organisational resilience by using the proposed reference model, which requires tailoring to the specifics of the organisation. Specific areas of the model could be more important to one type of organisation or sector than others. Perhaps the organisation has recently audited a specific aspect of the model, making it unnecessary to include in the audit on resilience. By tailoring the model to the specific needs of the organisation, its relevance grows in practice.
The IAF should focus on certain tangible and intangible aspects of the organisation such as the people, culture, strategy, processes, governance and regulations. With regards to the element of regulation, it should be noted that this might not be as relevant in any given sector and will most likely – at this moment – be applicable predominantly in the financial services sector.
The proposed reference model can be used as a tool of risk analysis to make a first assessment of the level of resilience within the organisation. Based on this first assessment, the IAF can decide which specific themes and elements within the model present risk to the organisation, after which a specific reference framework can be formulated. In this way, the IAF can audit organisational resilience by providing the relevant and necessary insights into the extent to which the organisation has the right people, culture, strategy, processes, governance and compliance to regulations in place to become and remain a resilient organisation.
The reference model includes the aspect of ‘getting resilience on the agenda’, as one of the questions discussed during the qualitative research was whether resilience is a topic on the agenda at board level. One way to get this topic on the agenda is to plan an audit on organisational resilience. Therefore, the first recommendation for the IAF is to include this topic in its next audit plan. The IAF should emphasise the need for and relevance of auditing this topic, making it specific to the organisation. There is a growing interest in the concept, and the concept covers the entire organisation. The IAF has an all-encompassing view of the organisation, making resilience an excellent topic to include in the audit plan.
Subsequently, as this research was based on input from the IAF and experts on organisational resilience, it would be interesting to also investigate which topics senior management and, for example, external supervisors and regulators would include in a reference model for auditing organisational resilience. These stakeholders might provide a different perspective on the relevance of resilience and the way to audit it within specific organisations, which could be incorporated in the existing reference model. In any case, any reference model and audit plan should be aligned with stakeholders’ and auditees’ expectations. Ensuring that the model is aligned with senior management expectations should therefore be part of the regular audit process.
Isabel van Maaren is Senior Consultant in the Risk consulting team at Mazars Netherlands. She completed the Executive MSc of Internal Auditing at University of Amsterdam and has completed the MSc in Risk Management at Glasgow Caledonian University in Scotland. Isabel is co-president of the Young Professionals committee of the Institute of Internal Auditing in the Netherlands.
AUDITING ORGANISATIONAL RESILIENCE
Introduction
The financial crisis of 2008, COVID-19, a major product recall, a reputational disaster, a small incident or even not being able to innovate and grow along with changing times and environments: these are all examples of events that could potentially hinder an organisation, stop its growth or even disrupt operations and continuity altogether. Especially in times of crisis, there is a growing interest in the concept of organisational resilience. In this reference guide, resilience is defined as an organisation’s ability to continue, bounce back from and respond to setbacks, incidents, crises and times of disruption, in addition to being flexible enough to adjust to changing markets and environments and being ready for the future.
Resilience is an all-encompassing topic within an organisation. Internal auditors have an all-encompassing view of the organisation. In other words, Internal Audit can provide insights and/or assurance on the extent to which the organisation has the right people, culture, strategy, processes and governance in place to become a resilient organisation. In this way, Internal Audit can provide the organisation with the necessary insights into its preparedness for, and ability to continue through, hard times, its level of flexibility and its readiness for the future.
How to use this guide
Use this reference guide to create your own reference framework tailored to your organisation. First, the elements of organisational resilience are presented*, followed by some direction on the questions to ask in your organisation.
*All the information in this reference guide is based on qualitative research among several members of the Internal Audit profession and experts on organisational resilience.
PEOPLE
Resilience is twofold in that it concerns both the resilience of the organisation and the resilience of the people working in the organisation. The commitment, involvement and loyalty of employees have a direct effect on the resilience of an organisation. Are your employees able to cope during a crisis? Consider the following questions when looking at the People aspect of resilience.
How involved and satisfied are your employees? Can you measure their vitality/health?
Do your employees understand their (critical) position in the organisation and are they able to learn from it? How proactive are your employees towards preventing incidents?
What is the perception of work pressure in your organisation?
To what extent is your organisation controlled: what is the level of individual decision room and authority?
CULTURE
Part of your resilience is the culture within your organisation. A closed, controlled and formalised organisation might be less resilient than an open, transparent and flexible organisation. Consider the following questions when looking at the Culture aspect of resilience.
Does your organisation have a thorough understanding of itself, its role in the market and its impact on its surroundings?
To what extent is your organisation open, transparent, formalised, structured, static or flexible? Is it risk aware or risk avoidant? Is your organisation willing to change, and how fast can it change/adapt?
What is the style of leadership and tone at the top?
Can your organisation learn from past wins and losses, incidents and disruptions, and even those of your competitors?
STRATEGY
Is strategy part of resilience, or should resilience be part of your strategy? Consider the following questions when looking at the Strategy aspect of resilience.
Which elements of strategy impact your resilience? What are your core products/services and what are the threats to them?
What is your reputation risk? Which events or disruptions could badly impact your reputation? Which could influence it positively?
How innovative and sustainable are you and your products or services? How important are innovation and sustainability to your organisation? If you don’t innovate, what will your place in the market be in 5 years? Does your focus on sustainability contribute to ensuring your continuity?
Do you have any buffers, funds set aside for worse times? How is your cashflow controlled? How long can you survive financially should your business be disrupted?
BUSINESS PROCESSES / SYSTEMS
Part of resilience is having put in place the necessary (management) systems, plans and programs in your end-to-end processes, in order to stay in business. Consider the following questions when looking at the Process aspect of resilience.
Is there a BCM program (including Crisis Management)? How often is the crisis plan tested and updated? Are roles and responsibilities in the plan clear to all relevant stakeholders? Do you have a BCP (including back-up and recovery)?
How is organisational resilience incorporated in your risk management processes?
Is there enough insight into the critical suppliers, relations and outsourcing partners? Have you analysed the impact of one of the suppliers being disrupted? And what about your own critical (ICT) systems and technologies?
Have you identified scenarios for disruption of your business? Which measures have you identified for these scenarios?
GOVERNANCE
Part of resilience is having the right governance in place. The way your organisation is structured and the way in which ownership and responsibility (for example for processes such as BCM and crisis management) are distributed are important contributors to resilience. Consider the following questions when looking at the Governance aspect of resilience.
Is resilience a topic at board level?
Is it clear how and what type of decisions are made, by whom and why? What is the speed of decision-making at board level? Can your organisation make the right decisions under pressure?
Are roles and responsibilities clear throughout the organisation?
Is there insight into end-to-end processes and have critical function holders been identified within these processes? Is your internal control framework tailored to these processes?
REGULATION
Your external supervisor, accountant or even the law might ask for specific procedures on resilience to be embedded into your organisation. Consider the following questions when looking at the Regulation aspect of resilience.
Are you familiar with the rules and regulations your organisation has to comply with in general? Can/will you still comply in times of crisis? Are there any rules or regulations on organisational resilience applicable to your organisation?
Does your external accountant include resilience/BCM in its going concern topics?
What does your external supervisor (for example DNB or AFM) require regarding resilience?
Have you received or considered any external accreditation, for example ISO 22301 for BCM?
What is organisational resilience?
An organisation’s ability to continue, bounce back from and respond to setbacks, incidents, crises and times of disruption, in addition to being flexible enough to adjust to changing markets and environments and being ready for the future.
Why audit organisational resilience?
Internal auditors have an all-encompassing view of the organisation. Resilience is an all-encompassing topic within an organisation. Internal Audit can provide assurance – and communicate this to internal and external stakeholders – on the extent to which the organisation has the right people, culture, strategy, processes and governance in place to become sufficiently resilient. It can provide the organisation with the necessary insights into its preparedness for, and ability to continue through, hard times, its level of flexibility and its readiness for the future.
How to use this reference model?
Resilience is a broad topic and is specific to the organisation. Therefore, it is difficult to make a one-size-fits-all reference framework. This reference guide contains an elaboration of the elements of organisational resilience (page 3) and the questions to ask your organisation when auditing organisational resilience (pages 4 and 5). Use these elements and questions to create a reference framework tailored to your organisation. For specific reference frameworks on auditing Business Continuity Management and Crisis Management, consider using, for example, the IPPF Practice Guide on Business Continuity and/or the NBA Guideline for auditing BCM and CM.