By Laurent Grosse-Kozlowski and Nils Vösgen, INTOSAI Development Initiative.
Risk and crisis management for SAIs: heightened resilience forincreased performance
Source: INTOSAI Development Initiative (https://www.idi.no/)
The global COVID‑19 crisis has forced many supreme audit institutions to face how well – or how poorly – they are able to work in crisis mode. This measure of their resilience applies just as well to their internal functioning as to their ability to address government functioning in times of crisis. The INTOSAI Development Initiative (IDI), part of the global umbrella organisation of SAIs, has identified resilience as a common challenge for SAIs and developed Crisis and Risk Management (CRISP) for SAI Performance. Laurent Grosse-Kozlowski, Manager for SAI Governance in IDI, is leading the development and implementation of the CRISP initiative, and Nils Vösgen, also a Manager for SAI Governance in IDI, is part of his team. In this article they explain what CRISP is about, how it can help SAIs to face future disruption, and what it offers concretely in the form of practice-sharing, guidance and training.
Disruptive times, and public auditors are not immune
The years 2020 and 2021 have meant unforeseen disruption and challenges for the community of supreme audit institutions (SAIs), as for all other institutions of society. While most of them have adapted to the situation, the ongoing COVID‑19 crisis has revealed that many SAIs are ill-prepared to deal with large-scale disruption and crises.
The INTOSAI Development Initiative Global SAI Stocktaking Report 2020 shows evidence of this: ‘Globally, 53 % of SAIs have an emergency preparedness and continuity plan. Lower income countries are significantly lagging behind the higher income countries.’ Indeed, while SAIs routinely evaluate changing and emerging risks in the audit environment1, it appears that a substantial proportion of them do not do this for their own strategy and operations.
What is resilience and why is it important for SAIs?
The COVID‑19 crisis has heightened the need for SAIs to show that they have organisational attributes that have become buzzwords very quickly: agility, foresight, and organisational resilience. The concept of resilience can be defined as the ability to anticipate and absorb threats or shocks – i.e. large‑scale adverse events – and recover from them. This entails internal resilience, or the ability to perform work as planned when
faced with disruption, as well as external resilience, the ability to remain relevant during crises by addressing and adjusting to them. For a SAI, the core of being resilient means being able to deliver value and benefits to citizens as defined by INTOSAI Principle 12 even under different and challenging circumstances.
In recent years, a shift in strategic management has meant an increasing focus on outcomes, or on achieving results beyond the SAI’s direct sphere of control. While this shift ensures that SAIs produce meaningful results, it also strengthens their bond with the institutional environment, making their strategy dependent on the environment. By focusing on outcomes, SAIs make a value proposition to their stakeholders that they should seek to fulfil even when times get tough. Resilience will allow them to continue achieving those outcomes by changing internal practices and processes as necessary.
A further crucial factor for SAIs is their commitment to be leading by example. SAIs have traditionally strived for excellence in the areas they audit, such as compliance with laws and regulations and resource efficiency. The impetus of leading by example has also spread to areas like gender equality, staff welfare and digitalisation. As institutional resilience becomes an increasingly meaningful attribute of public sector entities – and SAIs audit other entities’ risk management and crisis preparedness plans – leading by example should also refer to SAI resilience.
The overall accountability system of which SAIs are a part is confronted by risks. While some of these risks may not be directed at SAIs per se, they will affect them indirectly. For example, there is the risk of corruption in audited entities. While this does not directly threaten the SAI, it will have an impact on audit content, the meaningfulness of audit reports, and the likelihood that recommendations will be implemented. Equally, any significant disruption to the work of audited entities will endanger audit timeliness. While a SAI can only influence these external events to a limited extent, it will benefit from anticipating and preparing for them.
Risk and crisis management as pillars of resilience
From this perspective, risk management and crisis management form two pillars that SAIs need to construct to strengthen their resilience, alongside others such as technology, leadership and strategic management. Although risk and crisis management can appear to be distinct, it is only when both are present that the organisation can take decisive steps towards resilience. Indeed, doing one without the other would result in incomplete work, as the two subjects are not only linked but largely interdependent (see Figure 1).
Figure 1 – Risk and crisis management are inherently interlinked
Risk management and crisis management use similar tools to assess risks, but from different perspectives. Managing crises is about imagining the impact that the realisation of a risk will have on the SAI, and how the SAI will react to contain and ultimately eliminate the consequences of that risk. While risk management is about reducing or even avoiding risk, crisis management is about a risk that has been realised; it is about managing consequences. In this sense, there is a clear continuum between risk and crisis management, essentially making both part of a single system that contributes to SAIs’ resilience.
The CRISP initiative: how IDI addresses risk and crisis management to assist SAIs
Given these considerations regarding resilience and the changing needs of SAIs during the pandemic, IDI has launched several new initiatives (see Figure 2). Among them is CRISP (Crisis and Risk Management for SAI Performance), which was presented in September 2021 and aims to help SAIs focus on setting up and improving risk and crisis management processes that will enable them to face future disruption and strengthen their position in the accountability system of their home countries. While there are international standards on risk management, such as ISO 310002, and some INTOSAI organisations have worked on guidance for SAIs in the area of crisis management3, IDI found a lack of guidance that is both specific to the SAI environment and general enough for different models, sizes and development levels of SAIs.
Figure 2 – IDI’s well-governed SAIs workstream and initiatives
The first activity of the CRISP initiative was to conduct sensitisation webinars in English and French at which representatives of the SAIs of Bulgaria, Canada, Fiji and Ukraine, as well as the ECA, shared their experiences of setting up and updating their risk and crisis management routines, with specific reference to the pandemic. The ensuing discussion with participants from around 50 different SAIs brought out some main points that will further inform the rollout of this initiative.
While many SAIs have some risk management routines in place, weaknesses were exposed. Many SAIs have not so far considered risk management beyond the realm of internal control, for example looking at IT risks and the link between risk management and their strategic and operational plans. Some SAIs also struggle to quantify risks, and smaller SAIs in particular are easily overwhelmed by extensive procedures. In the area of crisis management, most SAIs have improvised when facing crises, including COVID‑19. Although some SAIs have plans in place, these have not always proved easy to implement and often focus on the immediate response to emergencies (such as a fire in the building) while remaining silent on business continuity during a prolonged disruption. The current challenges for most SAIs are the perceived lack of concrete guidance and support on developing improved crisis management routines, and formalising the lessons they have learned over the past two years.
What next for CRISP?
The CRISP initiative will produce guidance for SAIs on how to manage risk and crisis. This guidance will refer to established standards, such as COSO4, regional tools such as the AFROSAI-E Crisis, Emergency & Risk Communication for SAIs, and good practices from SAIs, and it will also propose a specific IDI approach to guide and ease implementation by SAIs. The guidance is now being drafted and will take account of the feedback received from SAIs during the sensitisation webinars. The next step will be to circulate the draft widely for additional feedback from the SAI community before it is finalised.
Following this, IDI will conduct training sessions in 2022 and 2023 to help SAIs familiarise themselves with the proposed methodology and associated tools that they can use to implement good practices in risk and crisis management (see Box 1). IDI will also work directly with a few SAIs through close coaching and on-site support to develop with them the necessary organisational set-up and tools for risk and crisis management.
IDI is convinced that CRISP will equip SAIs better to face future crises and to anticipate and manage risks that are not only inherent to their work but affect their very existence. It will make them more resilient and able to deliver better results.
Box 1 – Interested in CRISP?
1 See INTOSAI-P 12, The Value and Benefits of Supreme Audit Institutions – making a difference to the lives of citizens, Principle 5.
2 See at www.iso.org/iso-31000-risk-management.html.
3 See for example, INTOSAI’s Capacity Building Committee: Disaster Risk Reduction – Business Continuity Planning, accessible at www.intosaicbc.org/download/business-continuity-planning-2/.
4 Commission of Sponsoring Organizations of the Treadway Commission – Enterprise Risk Management – Integrated Framework (see www.coso.org).
To read more go to : https://www.eca.europa.eu/en/Pages/Journal.aspx