Research Article
A reference model for auditing organisational resilience
Isabel van Maaren
‡ Mazars, Utrecht, Netherlands
Open Access

Abstract

There is a growing interest in organisational resilience. The internal audit function can contribute to growing and maintaining organisational resilience by including the topic in the internal audit plan. Auditing it requires a reference model. The study described here used a mixed methods approach to develop a reference model for auditing organisational resilience. Six relevant hard and soft (behavioural) elements of resilience are determined: people, culture, strategy, processes, governance and regulation. The internal audit function can use the tool to assess attention areas to include in the audit scope and formulate a specific reference framework for the organisation.

Keywords

Organisational resilience, internal audit function, auditing

Relevance to practice

The internal audit function can use the reference model as a starting point and tool of risk analysis for auditing the resilience of their organisation.

1. Introduction

The last few years have presented extraordinarily challenging times to all types of organisations worldwide. The outbreak of the COVID-19 pandemic incited a global economic and health crisis that put our lives on hold for two years, only to be followed by another period of uncertainty and unrest caused by the war in Ukraine. These crises affect society as a whole, including many companies and organisations in all sectors. In response to the growing volatility, uncertainty, complexity and ambiguity in recent years, there is a growing interest in the concept of organisational resilience.

Organisational resilience is the continued ability to adjust under challenging circumstances and the potential to emerge from these circumstances even stronger and more resourceful (Sutcliffe and Vogus 2003, as cited in Brueller et al. 2009). There is ample research on organisational resilience as a concept, including the main contributing aspects and attributes. The role of the Internal Audit Function (IAF) in organisational resilience, however, appears under-represented in the academic field as there is little theory available regarding the way the IAF should audit organisational resilience.

The Institute of Internal Auditors (IIA) has included resilience and generally related terms such as business continuity, crisis response and disaster recovery in the top ten risks amongst Chief Audit Executives (CAEs) for the last few years (IIA 2020, 2021). In fact, one of the central themes of the 2022 IIA congress included resilience, further stressing that it is currently perceived as an important topic for the internal auditor.

The IAF should “provide objective and independent assurance, advice and insights on the efficiency of the organisation’s operations and should help an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes” (Driessen and Molenkamp 2012, p.87; IIA 2022). Internal auditors have unique and all-encompassing views of the organisations in which they work, meaning that they should be able to evaluate and improve the plans and structures in place to improve organisational resilience (Soh and Martinov-Bennie 2011; Trollope et al. 2017).

This research aimed to determine the most relevant elements to include in a reference model that can be used by the IAF when auditing organisational resilience. The next paragraph presents the literature review, followed by the research method and results – the reference model. Finally, some conclusions and recommendations are presented.

2. Definitions and frameworks

2.1. Definitions

A resilient organisation is able to anticipate, avoid, prepare for and adjust to disruptions and shocks that could present an incremental change to the organisation’s environment (Ortiz de Mandojana and Bansal 2016; Denyer 2017; Duchek 2019). The organisation is able to adjust itself in challenging times, is capable of ‘bouncing back’ and is able to emerge from the situation stronger and increasingly resourceful (Sutcliffe and Vogus 2003, as cited in Brueller et al. 2009; Boin and Van Eeten 2013).

On the topic of resilience, Weick (2015) states: “The essence of resilience is the intrinsic ability of an organisation (system) to maintain or regain a dynamically stable state, which allows it to continue operations after a major mishap and/or in the presence of a continuous stress” (p. 12). Organisational resilience as a concept is considered twofold as it concerns both the individual within an organisation and the organisation itself (Burnard and Bhamra 2011, 2018).

2.2. Herringbone resilience model

A widely used and referenced model for organisational resilience is the herringbone resilience model by Gibson and Tarrant (2010). In their model, Gibson and Tarrant (2010) present a specific range of capabilities that a resilient organisation possesses, including the relevant activities an organisation should execute in order to further improve their resilience. In addition to these capabilities and activities, Gibson and Tarrant (2010) believe that a number of specific characteristics are inherent to a resilient organisation. The herringbone resilience model is presented in Figure 1.

Figure 1.

Herringbone resilience model by Gibson and Tarrant (2010).

2.2.1. Measuring activities and capabilities

The activities and capabilities in the resilience model represent, to some extent, measurable elements and therefore one can argue that this spectrum of the model can be considered as the more tangible or ‘hard’ side of resilience. These activities and capabilities will most likely be present in many types of organisations. Nevertheless, the way in which they effectively take into account times of uncertainty and unrest is what could ultimately contribute to the resilience of the organisation.

A resilient organisation can effectively align its strategy, management systems, operations, governance structures and decision making capabilities in such a way that the organisation can adjust to changing risks and circumstances and can survive disruptions and use them to create advantages (Starr et al. 2007; Parsons 2010). Activities such as Business Continuity Management (BCM) and Crisis Management (CM) – concerning the handling of crises, including emergency management – are extremely important for organisations operating in non-routine environments such as crises and are generally seen as important contributors to organisational resilience (Cerullo and Cerullo 2004; Herbane et al. 2004; Elliot et al. 2010; Speight 2011 as cited in Tracey et al. 2017).

BCM is a strategic management process used to identify potential threats to an organisation and provides a systematic process for mitigating the effects of crises, incidents and interruptions (Herbane et al. 2004; Elliot et al. 2010). Bhamra et al. (2011) argue that the extent to which an organisation has sufficiently implemented BCM is directly related to the resilience of that organisation.

Several other activities and capabilities are included in the model, such as infrastructure and technology capability, relationship management, compliance and financial management. According to Parsons (2010) it is vital that an organisation has ample knowledge of the interdependency with stakeholders and regulators and how to comply with rules and regulations concerning them. Furthermore, having secure financial management – for example a financial or continuity reserve – is considered to be an important contributor to resilience (Gibson and Tarrant 2010).

In short, organisational resilience can be influenced by many measurable factors which Gibson and Tarrant (2010) describe as activities and capabilities. An organisation should be able to perform these activities and use these capabilities in both routine and non-routine environments and circumstances in order to become more resilient.

2.2.2. Importance of characteristics

The other side of the herringbone resilience model can be seen as the ‘softer’ and more intangible, behavioural side of organisational resilience. Many characteristics inherent in an organisation can impact the manner in which the organisation performs under both routine and non-routine situations.

Seville et al. (2006) stress the importance of an organisation’s characteristics and argue that issues with resilience are often linked to the soft and less tangible side of the organisations, including an organisation’s culture, leadership and vision. Good communication and solid relationships both internally and externally – with key customers and stakeholders – are essential to an organisation’s resilience, as well as trust, a shared vision and organisation-wide priorities (Seville et al. 2006).

Furthermore, clear leadership, tone at the top and acts based on shared priorities and values are essential in order to execute the plans for risk management, BCM and CM that organisations often have in place (Seville et al. 2006; Gibson and Tarrant 2010). This supports the assumption that the characteristics inherent in an organisation can largely impact the performance of activities and capabilities, all contributors to organisational resilience.

Non-routine circumstances especially demand that an organisation has a strong and united purpose, strategic surety and a level of stress coping (Gibson and Tarrant 2010; Parsons 2010). Subsequently, it is believed that there should be ample room for creativity and agility at both management and operational level to allow the organisation to operate in new, innovative ways (Gibson and Tarrant 2010). In addition, it is argued that an organisation should possess a certain level of ‘learnability’ in order to use their own experiences and lessons learned – and perhaps those of other (competitor) organisations – to learn from and improve in the long run (Gibson and Tarrant 2010).

In sum, Gibson and Tarrant (2010) propose a number of characteristics that should be present in a resilient organisation. These characteristics present the softer, intangible side of an organisation and are an important contributor to resilience. In fact, these characteristics are directly linked to the activities and capabilities discussed in section 2.2.1.

3. Designing by interviewing

A qualitative approach was used to identify patterns and themes to build a conceptual reference model that could be compared to the reference model resulting from the literature review. Although the literature review presented a comprehensive resilience reference model, the practical research was based on inductive reasoning in order to validate whether the practical research would provide the same answers compared to the theoretical framework. Inductive reasoning was used in order to prevent steering the respondents in the qualitative research into a specific direction. It was the assumption that this would help prevent bias in the research. The goal was to create a reference model that internal auditors can use as a starting point for auditing their organisational resilience.

The results from the interviews conducted were coded, analysed and summarised into a preliminary reference model. This model was then compared and contrasted to the herringbone resilience model in a fit-gap analysis, after which a new version of the model was created. This model was validated by the respondents in the qualitative research, followed by an additional validation by three experts on organisational resilience. Semi-structured interviews were held on the practical view of internal auditors and experts on organisational resilience, including opinions on the most relevant elements of resilience to be included in a reference model. Respondents were asked to provide their definition of resilience, in addition to a number of questions related to the way to measure and audit resilience. Finally, respondents were asked to provide a list of elements of organisational resilience they would include in a reference model or audit scope.

In total, eleven internal auditors and CAE’s from several industries – including retail, publishing, airports, telecom, storage of dangerous goods, ship warehousing, pension funds and consultancy – were interviewed as part of the qualitative research. It was the assumption that the respondents’ backgrounds and experience collectively would provide a sufficient and representative basis for different types of organisations and industries in the Netherlands. In addition to the internal auditors and CAE’s, one expert from the field of organisational resilience was interviewed in order to retrieve preliminary insights into organisational resilience. Finally, two additional experts on organisational resilience were asked to validate the results of the qualitative research – the reference model – in addition to the other research respondents.

4. Auditing organisational resilience

This chapter presents the reference model that was created based on the herringbone resilience model by Gibson and Tarrant (2010) and the results from the qualitative research.

Based on the practical research, a reference model was formed that internal auditors can use as a starting point for auditing the resilience of their organisations. As with the herringbone resilience model by Gibson and Tarrant (2010), the reference model also contains two sides to resilience: the softer (behavioural), intangible elements as well as the harder, more tangible elements. Analysis of both the Gibson and Tarrant model and the model resulting from the practical research indicated that only minor differences existed between the two. Therefore, the practical research, in a sense, confirmed the usability of the Gibson and Tarrant model as a starting point for internal audit.

The reference model is divided into six categories: people, culture, strategy, processes/facilities, governance and regulation. The remainder of this paragraph briefly discusses each of the elements in the reference model. The full reference model is included in the appendix. Figure 2 presents the six main elements of the reference model.

Figure 2.

Elements of resilience.

4.1. Behavioural elements of resilience

The majority of the respondents in the practical research indicated that the ‘human aspect’ of people and employees should be considered a significant part of organisational resilience. An organisation can function by virtue of its employees and therefore not only the organisation itself, but the people within it should be resilient as well. Within a resilient organisation, staff are aware of both their impact and limitations, experience the freedom to make their own decisions and feel involved and aware of their roles and responsibilities. Gibson and Tarrant (2010) also argue that people who operate in a resilient organisation feel ample room for creativity and agility. Those organisations are also able to operate in new and innovative ways (Gibson and Tarrant 2010). In this sense, Burnard and Bhamra (2011) state that organisational resilience is twofold as it resides with both the individual and the organisation itself.

Table 1 presents an overview of relevant questions to ask when looking into the ‘people’ aspect of an organisation. These questions were based on the input by the respondents in the qualitative research. The internal auditor can use these questions as a starting point and tailor specific questions to the organisation.

Table 1. Element of organisational resilience ‘People’.

People
Resilience is twofold in that it concerns both the resilience of the organisation and the resilience of the people working for the organisation. The commitment, involvement and loyalty of employees have a direct effect on the resilience of an organisation. Are your employees able to cope during a crisis? Consider the following questions when looking at the People aspect of resilience.
  • How involved and satisfied are your employees? Can you measure their vitality/health?
  • Do your employees understand their (critical) position in the organisation and are they able to learn from it? How proactive are your employees towards preventing incidents?
  • What is the employee’s perception and experience of work pressure in your organisation?
  • To what extent is your organisation controlled: what is the level of individual decision room and authority?

Closely linked to the element of people is culture. All respondents in the qualitative research proposed that the culture of an organisation is a significant determinant for the resilience of that organisation. Part of this culture is leadership and tone at the top. This view by the respondents in the qualitative research is in line with the proposed views by Gibson and Tarrant (2010), Seville et al. (2006) and Parsons (2010). They all believe that resilience is both tangible and intangible with elements such as culture, leadership, vision, communication and having trust, a shared vision and values within an organisation.

Table 2 presents an overview of relevant questions to ask when looking into the ‘culture’ aspect of an organisation.

Table 2. Element of organisational resilience ‘Culture’.

Culture
Part of the resilience is the culture within your organisation. A closed, controlled and formalised organisation might be less resilient than an open, transparent and flexible organisation. Consider the following questions when looking at the Culture aspect of resilience.
  • Does your organisation have a thorough understanding of its purpose, its role in the market and impact on its surroundings?
  • To what extent is your organisation open, transparent, formalised, structured, static or flexible? Is it risk aware, risk avoidant? Is your organisation willing to change and how fast can it change/adapt?
  • What is the style of leadership and tone at the top?
  • Can your organisation learn from past wins and losses, incidents and disruptions, and even those of your competitors?

The last aspect of the soft side of organisational resilience concerns the organisation’s strategy. Gibson and Tarrant (2010) also discuss strategic surety in their model. The results from the qualitative research also distinguished strategy as one of the most important elements of resilience. Respondents stated that a resilient organisation starts with a value proposition and strategy, identifies what the organisation aims to achieve and what threats or risks could prevent the organisation from fulfilling this strategy. During the qualitative research, it was also noted that strategy is not only part of resilience, but that resilience should also be part of strategy.

Other elements of strategy include having a financial buffer, incorporating sustainability/ESG into the strategy and the ability to be innovative and change in adjusting markets and environments. Duchek (2019) also argues that a resilient organisation possesses a number of capabilities that enable them to “adapt, integrate and reconfigure internal and external resources and competences to match the requirements of changing conditions” (p.219).

Table 3 presents an overview of relevant questions to ask when looking into the ‘strategy’ aspect of an organisation.

Table 3. Element of organisational resilience ‘Strategy’.

Strategy
Is strategy part of resilience or should resilience be part of your strategy? Consider the following questions when looking at the Strategy aspect of resilience.
  • Which elements of strategy impact your resilience? What are your core products/services and what are the threats to them?
  • What is your reputation risk? Which events or disruptions could badly/positively impact your reputation?
  • How innovative and sustainable are you and your products or services? How important are innovation and sustainability to your organisation? If you don’t innovate, what will your place in the market be in 5 years? Does your focus on sustainability contribute to ensuring your continuity?
  • Do you have any buffers, funds set aside for worse times? How is your cashflow controlled? How long can you survive financially should your business be disrupted?

4.2. Tangible elements of resilience

Having discussed the soft and intangible side of the resilience model, the remainder of this chapter will examine the harder and tangible side of resilience. Firstly, the qualitative research proposed a number of processes and systems closely related to resilience. These include BCM, CM and Back-up and recovery. Organisational resilience is seen to be strongly related to BCM and CM. Gibson and Tarrant (2010) also argue that BCM, CM and emergency management are essential activities and capabilities within a resilient organisation. Apart from BCM and CM, Parsons (2010) states that it is important that the organisation has sufficient knowledge and insights into the interdependencies with regulators, suppliers and other stakeholders. Respondents in the qualitative research added other processes such as supply chain management and risk management and the protection of (IT) systems and facilities.

Table 4 presents an overview of relevant questions to ask when looking into the ‘processes’ aspect of an organisation.

Table 4. Element of organisational resilience ‘Processes’.

Processes
Part of resilience is having in place the necessary (management) systems, plans and programs in your end-to-end processes, in order to stay in business. Consider the following questions when looking at the Process aspect of resilience.
  • Is there a BCM program (including Crisis Management)? How often is the crisis plan tested, updated? Are roles and responsibilities in the plan clear to all relevant stakeholders? Do you have a BCP (including back-up and recovery)?
  • How is organisational resilience incorporated in your risk management processes?
  • Is there enough insight into the critical suppliers, relations, outsourcing partners? Have you analysed the impact of one of the suppliers being disrupted? And how about your own critical (ICT) systems and technologies?
  • Are scenarios for disruption of the business identified? Which measures have you identified for these scenarios?

The second element listed on the tangible side of resilience is that of governance. The practical research indicated that many governance-related aspects contribute and are inherent to resilience. One of the most important aspects is having such a governance structure that it is possible to get resilience on the agenda at board or management level. It was believed that this would be a challenge for any organisation. Respondents argued that the IAF would actually be able to play a significant role in this. They argued that there should be clear roles and responsibilities and that these should be designated effectively within the organisation. Gibson and Tarrant (2010) also note the element of governance in their herringbone resilience model.

Table 5 presents an overview of relevant questions when looking into the ‘governance’ aspect of an organisation.

Table 5. Element of organisational resilience ‘Governance’.

Governance
Part of resilience is having the right governance in place. The way your organisation is structured, the way in which ownership and responsibility (for example for processes such as BCM and crisis management) is distributed is an important contributor to resilience. Consider the following questions when looking at the Governance aspect of resilience.
  • Is resilience a topic at board level?
  • Is it clear how and what type of decisions are made, by whom and why? What is the speed of decision-making at board level? Can your organisation make the right decisions under pressure?
  • Are roles and responsibilities clear throughout the organisation?
  • Is there insight into end-to-end processes and have critical function holders been identified within these processes? Is your internal control framework tailored to these processes?
  • How is your organisation structured, do you take a holistic approach, or do you work in silos? In case of the latter, are these silos able to communicate in times of crisis?

The final element of resilience included in the model is regulation. Respondents in the practical research noted that for some organisations in specific sectors, such as the financial sector, there is a legal obligation to have BCM plans in place. Other organisations choose to get external accreditation on resilience. These are, however, mainly focussed on the financial sector. Therefore, this element of resilience might not be applicable or relevant for all organisations in all sectors. Especially given the increased attention on resilience in general, there could be a shift towards more regulation on this topic in the future, and therefore this element should not be forgotten altogether. Gibson and Tarrant (2010) also include compliance in their model and Parsons (2010) also indicates that organisations should be able to comply with rules and regulations in their environments, also regarding resilience.

Table 6 presents an overview of relevant questions when looking into the ‘regulation’ aspect of an organisation.

Table 6. Element of organisational resilience ‘Regulation’.

Regulation
Your external supervisor, accountant or even the law might ask for specific procedures on resilience to be embedded into your organisation. Consider the following questions when looking at the Regulation aspect of resilience.
  • Are you familiar with the rules and regulations your organisation has to comply with in general? Can/will you still comply in times of crisis? Are there any rules or regulations on organisational resilience applicable to your organisation?
  • Does your external accountant include resilience/BCM in its going concern topics?
  • What does your external supervisor (for example DNB or AFM) require regarding resilience?
  • Have you received or considered any external accreditation, for example ISO 22301 for BCM?

5. Conclusion and recommendations

5.1. Conclusion and applicability

The main aim of this research was to create a reference model for auditing organisational resilience. A mixed methods approach consisting of literature review and qualitative research was used to form a basis for a resilience model. The model resulting from both phases of the research was validated by respondents in the qualitative research (internal auditors and chief audit executives) and experts on organisational resilience. This resulted in a final reference model for auditing organisational resilience consisting of three ‘soft’, intangible elements and three ‘hard’, tangible elements.

The IAF can audit organisational resilience by using the proposed reference model, which requires tailoring to the specifics of the organisation. Specific areas of the model could be more important to one type of organisation or sector than others. Perhaps the organisation has recently audited a specific aspect of the model, making it unnecessary to include in the audit on resilience. By tailoring the model to the specific needs of the organisation, its relevance grows in practice.

The IAF should focus on certain tangible and intangible aspects of the organisation such as the people, culture, strategy, processes, governance and regulations. With regards to the element of regulation, it should be noted that this might not be as relevant in any given sector and will most likely – at this moment – be applicable predominantly in the financial services sector.

The proposed reference model can be used as a tool of risk analysis to make a first assessment of the level of resilience within the organisation. Based on this first assessment, the IAF can decide which specific themes and elements within the model present risk to the organisation, after which a specific reference framework can be formulated. In this way, the IAF can audit organisational resilience by providing the relevant and necessary insights into the extent to which the organisation has the right people, culture, strategy, processes, governance and compliance with regulations in place to become and remain a resilient organisation.

5.2. Recommendations for the IAF and future research

The reference model includes the aspect of ‘getting resilience on the agenda’, as one of the questions discussed during the qualitative research was whether resilience is a topic on the agenda at board level. One way to get this topic on the agenda is to plan for an audit on organisational resilience. Therefore, the first recommendation for the IAF is to include this topic in their next audit plan. The IAF should emphasise the need and relevance for auditing this topic, making it specific to the organisation. There is a growing interest in the concept and the concept covers the entire organisation. The IAF has an all-encompassing view of the organisation, making resilience an excellent topic to include in the audit plan.

Subsequently, as this research was based on input from the IAF and experts on organisational resilience, it would be interesting to also investigate which topics senior management and, for example, external supervisors and regulators would include in a reference model for auditing organisational resilience. These stakeholders might provide a different perspective on the relevance of resilience and the way to audit it within specific organisations that could be incorporated in the existing reference models. Nevertheless, any reference model and audit plan should be aligned with stakeholders’ and auditees’ expectations. Therefore, ensuring that the model is aligned with senior management expectations should be part of the regular audit process.

Isabel van Maaren is Senior Consultant in the Risk consulting team at Mazars Netherlands. She completed the Executive MSc of Internal Auditing at University of Amsterdam and has completed the MSc in Risk Management at Glasgow Caledonian University in Scotland. Isabel is co-president of the Young Professionals committee of the Institute of Internal Auditing in the Netherlands.

References

  • Brueller D, Brueller NN, Brueller R, Carmeli A (2009) Interorganisational Relationships in Times of Decline: Implications for Organisational Resilience. Applied Psychology 68(4): 719–758. https://doi.org/10.1111/apps.12185
  • Burnard K, Bhamra R (2011) Organisational resilience: development of a conceptual framework for organisational responses. International Journal of Production Research 49(18): 5581–5599. https://doi.org/10.1080/00207543.2011.563827
  • Burnard K, Bhamra R, Tsinopoulos C (2018) Building Organizational Resilience: Four Configurations. IEEE Transactions on Engineering Management 65: 351–362. https://doi.org/10.1109/TEM.2018.2796181
  • Denyer D (2017) Organizational Resilience: A summary of academic evidence, business insights and new thinking. BSI and Cranfield School of Management.
  • Driessen AJG, Molenkamp A (2012) Internal auditing een managementkundige benadering. Kluwer, Deventer.
  • Gibson CA, Tarrant M (2010) A ‘conceptual models’ approach to organisational resilience. Australian Journal of Emergency Management 25(2): 6–12.
  • Ortiz-De-Mandojana N, Bansal P (2015) The long-term benefits of organizational resilience through sustainable business practices. Strategic Management Journal 37(8): 1615–1631. https://doi.org/10.1002/smj.2410
  • Parsons D (2010) Organisational resilience. Australian Journal of Emergency Management 25(2): 18–20.
  • Seville E, Brunsdon D, Dantas A, Le Masurier J, Wilkinson S, Vargo J (2006) Building organisational resilience: A summary of key research findings.
  • Starr R, Newfrock J, Delaney M (2007) Enterprise Resilience: Managing Risk in the Networked Economy.
  • Tracey S, O’Sullivan TL, Lane DE, Guy E, Courtemanche J (2017) Promoting Resilience Using an Asset-Based Approach to Business Continuity Planning. SAGE Open 7(2): 215824401770671. https://doi.org/10.1177/2158244017706712

Appendix 1

Figure A1. Full reference guide for auditing organisational resilience.

Box A1. Auditing organisational resilience: Introduction.

AUDITING ORGANISATIONAL RESILIENCE
Introduction
The financial crisis of 2008, COVID-19, a major product recall, a reputational disaster, a small incident or even not being able to innovate and grow along with changing times and environments: these are all examples of events that could potentially hinder an organisation, stop its growth or even disrupt operations and continuity altogether. Especially in times of crisis, there is a growing interest in the concept of organisational resilience. In this reference guide, resilience is defined as an organisation’s ability to continue, bounce back from and respond to setbacks, incidents, crises and times of disruption, in addition to being flexible enough to adjust to changing markets and environments and being ready for the future.
Resilience is an all-encompassing topic within an organisation. Internal auditors have an all-encompassing view of the organisation. In other words, Internal Audit can provide insights and/or assurance on the extent to which the organisation has the right people, culture, strategy, processes and governance in place to become a resilient organisation. In this way, Internal Audit can provide the organisation with the necessary insights into its preparedness for, and ability to continue through, hard times, its level of flexibility and its readiness for the future.
How to use this guide
Use this reference guide to create your own reference framework tailored to your organisation. First, the elements of organisational resilience are presented*, followed by some direction on the questions to ask in your organisation.
*All the information in this reference guide is based on qualitative research among several members of the Internal Audit profession and experts on Organisational Resilience.
Figure A2. Auditing organisational resilience.

Table A1. Auditing organisational resilience. Asking the right questions.

PEOPLE
Resilience is twofold in that it concerns both the resilience of the organisation and the resilience of the people working in the organisation. The commitment, involvement and loyalty of employees have a direct effect on the resilience of an organisation. Are your employees able to cope during a crisis? Consider the following questions when looking at the People aspect of resilience.
How involved and satisfied are your employees? Can you measure their vitality/health?
Do your employees understand their (critical) position in the organisation and are they able to learn from it? How proactive are your employees towards preventing incidents?
What is the perception of work pressure in your organisation?
To what extent is your organisation controlled? What is the level of room and authority for individual decision-making?
CULTURE
Part of your resilience is the culture within your organisation. A closed, controlled and formalised organisation might be less resilient than an open, transparent and flexible organisation. Consider the following questions when looking at the Culture aspect of resilience.
Does your organisation have a thorough understanding of itself, its role in the market and impact on its surroundings?
To what extent is your organisation open, transparent, formalised, structured, static or flexible? Is it risk aware, risk avoidant? Is your organisation willing to change and how fast can it change/adapt?
What is the style of leadership and tone at the top?
Can your organisation learn from past wins and losses, incidents and disruptions, and even those of your competitors?
STRATEGY
Is strategy part of resilience or should resilience be part of your strategy? Consider the following questions when looking at the Strategy aspect of resilience.
Which elements of strategy impact your resilience? What are your core products/services and what are the threats to them?
What is your reputation risk? Which events or disruptions could badly impact your reputation? Which could influence it positively?
How innovative and sustainable are you and your products or services? How important are innovation and sustainability to your organisation? If you don’t innovate, what will your place in the market be in 5 years? Does your focus on sustainability contribute to ensuring your continuity?
Do you have any buffers, funds set aside for worse times? How is your cashflow controlled? How long can you survive financially should your business be disrupted?
BUSINESS PROCESSES / SYSTEMS
Part of resilience is having put in place the necessary (management) systems, plans and programs in your end-to-end processes, in order to stay in business. Consider the following questions when looking at the Process aspect of resilience.
Is there a BCM program (including Crisis Management)? How often is the crisis plan tested and updated? Are roles and responsibilities in the plan clear to all relevant stakeholders? Do you have a BCP (including back-up and recovery)?
How is organisational resilience incorporated in your risk management processes?
Is there enough insight into the critical suppliers, relations and outsourcing partners? Have you analysed the impact of one of the suppliers being disrupted? And how about your own critical (ICT) systems and technologies?
Have you identified scenarios for disruption of your business? Which measures have you identified for these scenarios?
GOVERNANCE
Part of resilience is having the right governance in place. The way your organisation is structured, the way in which ownership and responsibility (for example for processes such as BCM and crisis management) is distributed is an important contributor to resilience. Consider the following questions when looking at the Governance aspect of resilience.
Is resilience a topic at board level?
Is it clear how and what type of decisions are made, by whom and why? What is the speed of decision-making at board level? Can your organisation make the right decisions under pressure?
Are roles and responsibilities clear throughout the organisation?
Is there insight into end-to-end processes and have critical function holders been identified within these processes? Is your internal control framework tailored to these processes?
REGULATION
Your external supervisor, accountant or even the law might ask for specific procedures on resilience to be embedded into your organisation. Consider the following questions when looking at the Regulation aspect of resilience.
Are you familiar with the rules and regulations your organisation has to comply with in general? Can/will you still comply in times of crisis? Are there any rules or regulations on organisational resilience applicable to your organisation?
Does your external accountant include resilience/BCM in its going concern topics?
What does your external supervisor (for example DNB or AFM) require regarding resilience?
Have you received or considered any external accreditation, for example ISO 22301 for BCM?
Box A2. Recap.

What is organisational resilience?
An organisation’s ability to continue, bounce back from and respond to setbacks, incidents, crises and times of disruption in addition to being flexible enough to adjust to changing markets and environments and being ready for the future.
Why audit organisational resilience?
Internal auditors have an all-encompassing view of the organisation. Resilience is an all-encompassing topic within an organisation. Internal Audit can provide assurance – and communicate this to internal and external stakeholders – on the extent to which the organisation has the right people, culture, strategy, processes and governance in place to become sufficiently resilient. It can provide the organisation with the necessary insights into its preparedness for, and ability to continue through, hard times, its level of flexibility and its readiness for the future.
How to use this reference model?
Resilience is a broad topic and is specific to the organisation. Therefore, it’s difficult to make a one-size-fits-all reference framework. This reference guide contains an elaboration of the elements of organisational resilience (page 3) and the questions to ask your organisation when auditing organisational resilience (pages 4 and 5). Use these elements and questions to create a reference framework tailored to your organisation. For specific reference frameworks on auditing Business Continuity Management and Crisis Management, consider using, for example, the IPPF Practice Guide on Business Continuity and/or the NBA Guideline for auditing BCM and CM.