From the BP oil spill to Hurricane Katrina to the tsunamis in Japan, crises of enormous proportions may strike at any time and have devastating effects on life and economy. Some might say, “It won’t happen to us.” But without a thorough plan for responding to a multitude of potential events, organisations are leaving themselves wide open to the risks of poor crisis management.
The Institute of Internal Auditors (IIA) Audit Executive Center has put forth three imperatives for crisis management that every organization and chief audit executive should make a priority: 1) be the catalyst for a focus on the importance of crisis management; 2) define a crisis management role for internal auditing and commit to it; and 3) ensure crisis management is on your radar for 2012 and beyond.
“It’s not what goes wrong at a company that results in reputational damage. It is how a company and the marketplace respond to the event that can damage or change the organization’s overall image,” says IIA Vice President of North American Services Hal Garyn, CIA.
After events such as the BP oil disaster in the Gulf of Mexico last year, organisations refocus their attention on crisis management.
Chief audit executives (CAEs) have been at the forefront in evaluating their respective organisation’s crisis management plans and ensuring their internal auditors are aware of the guidelines.
A survey conducted late last year by The IIA’s Audit Executive Center found that 40 percent of respondents work in organisations with informal or nonexistent crisis management procedures or policies. What’s more staggering is that over a quarter have not tested their crisis management plans.
To expedite the crisis management planning process, it is crucial that senior management become active crisis management program participants.
The company’s CAE can recommend that senior managers from the highest level of their organisation become part of the crisis management team and that the crisis management plan is tested on an ongoing basis.
Furthermore, internal auditors can conduct risk assessments that include all business units and processes. The risk assessment can provide valuable information to senior management on the importance of using an organisation-wide approach to crisis management, in addition to identifying the different events that could damage an organisation’s reputation.
The Center found that many internal auditors do not play a role in their organization’s crisis management team, as indicated by 53 percent of survey respondents.
However, internal auditors can play a valuable role before, during, and after a crisis. For example, internal auditors can assist the organization in performing risk assessments or evaluating policies and procedures already in place to identify risks.
Internal auditors also can conduct a complete audit of the crisis management process. Should a crisis occur, internal auditors can monitor and assess the organization’s response to the crisis event and be active on the crisis management team. And after a crisis has occurred, internal auditors can evaluate and report the effectiveness of the recovery effort and continue to assess risk, consult management, and help with improvement efforts.
Finally, the organisation needs to ensure that crisis management is on their agenda for 2012 and beyond. It is imperative that crisis management plans be tested and receive the appropriate amount of attention in terms of audit coverage to improve crisis management practices.
“Organisations without a crisis management plan can suffer tremendous reputational and financial losses,” states Charles McDonald, vice president of crisis management services for Atlanta-based consulting firm Crisis Management International. “CAEs should find an advocate or sponsor who agrees on the importance of having a crisis management process and is able to identify the risks facing the organisation without it.”
MORE ARTICLES ON INTERNAL AUDIT