First line of defence – are you ready for the cuts?
It seems inevitable that Brexit will result in cuts and these are most likely to impact the first line of defence. How can internal audit prepare for these cuts?
In this article I examine an approach that grew from the germ of an idea at a time when many well-known brands and organisations were suffering the trauma of necessary cuts. It was developed with the support of an enlightened, progressive and very supportive CEO and enthusiastic board members.
If it’s not Brexit it’s recession, and I’m long enough in the tooth to recall the early ‘80s and early ‘90s recessions before the 2008 great recession. The common thread for internal audit? Seeing corporate services’ budgets, including the internal audit department’s budget, significantly reduced, with the added threat of internal audit closure…
The ‘90s recession was no different, and as CAE of a global FTSE company I saw the CEO make internal audit an offer that couldn’t be refused – the CEO, and board, wanted to be convinced that they should have the services internal audit could offer, or they’d live without. It was clear that the clichéd ‘don’t work harder, work smarter’, or cutting the service to fit the reduced budget, wouldn’t deliver. It meant totally, profoundly rethinking internal audit as an enabler to economy, efficiency and effectiveness of corporate outcome delivery, understanding that business is dynamic. It meant recognising everyone in the business as our clients, paying our salaries in the final analysis, and needing something from internal audit that was of real use to them.
We were critically aware that internal audit’s sphere of work was ever limited to a small proportion of the audit universe at any one time (even if our audit plans were ‘risk based’ in those early days), with binary, backward-looking reports that were never well received by managers, however positively constructed, because of implied criticism of their operations. Of course, internal audit was ever wise after the event, and who were we to say what an ‘effective control’ was? Nobody was persuaded that just because internal audit was IIA Standards compliant we must be doing what was of value to the business.
Possible extinction readily focuses the mind! We embarked on a hugely radical rethink as to what the stakeholders in the business really needed assuring and how. Our solution? A multi-dimensional, fully integrated approach to assuring strategic outcomes being delivered that connected all the assurance dots together, with a clear picture of causality to predict success. And all this inside a wrapper of assistance, common sense and professionalism.
How did we go about it?
With the CEO and board behind us we focused on what the company was really about, the corporate strategy, mapping the business’ principal, strategic outcomes into the balanced scorecard and giving clarity to their connectivity and inter-dependencies. The map summarised the company’s strategic plan, which ran to 60-plus pages, in one slide, and identified the causal relationships between the strategic objectives, which increased the likelihood of accomplishing the strategy.
We focused on outcomes because it was agreed that they are the result and benefit of achieving an objective, a desired future state, what the business wants to achieve, as well as being permanent, long-term and independent of the organisational structure. (Objectives are what deliver the outcomes and are specific to a particular organisational structure.) It provided the company with the building blocks of the future picture of the organisation against which we could benchmark the present, rather than focusing on costs and processes:
- linked every outcome, activity and resource in a dynamic network, increasing understanding and accountability
- integrated all management processes into a single process and system, facilitating leadership and reducing cost
- encouraged people to challenge current deliverables, ways of working, initiatives and resourcing, simplifying processes and removing bureaucracy
- showed what everyone was doing and what was likely to happen, improving governance and preventing problems
- let people apply for any opportunity to contribute, fulfilling aspirations and increasing productivity
- created self-managing teams, empowering people and releasing managers to lead.
We’d recognised from the start that the complexity of what we were building with the business needed a digital solution, and nothing on the market met our requirements. Consequently, in parallel with our work on the outcomes, we also developed a unique digital platform to provide a single joined-up view of everything the business was aiming to, and likely to, achieve, do and employ.
The platform brought an immediate and far-reaching solution to the challenge. The business leaders used the platform to define the organisation’s purpose as connected strategic outcomes. The CEO asked everyone else (and that included internal audit) to use the platform to say what they could contribute to the strategic outcomes. The end result was a shared purpose and enterprise. The connectivity, flexibility, transparency, predictability, inclusivity and meritocracy provided by the platform enabled collaboration and agility, improved behaviour, motivation and control, and increased productivity and profitability.
‘Risk’ and assurance were owned by everyone in the business, with obvious benefits – by definition, ‘risk’ (ie what will prevent or cause deviation from success in outcome delivery) was made clear, visible and transparent. ‘Risk’ was an integral element in the delivery of any outcome at any level of contribution; the activities undertaken in delivering an outcome managed the risk to a level acceptable to the business’ leaders, or were modified if necessary.
The platform told everyone what was likely to happen, so that, for example, if it showed that we were currently achieving a particular outcome but predicted that we were unlikely to continue doing so because all the outcomes enabling it had not been delivered, appropriate remedial action was identified and instigated quickly.
Difficulties at any level in the hierarchy of outcomes meant that subsequent outcomes through the chain of causality may not be delivered. One of the principles of the platform was to remove the root cause of problems rather than fire-fighting their symptoms.
The platform contained all the information needed to achieve the outcomes. Any stakeholder could inspect the platform at any time and volunteer to help to deliver any outcome, which engaged everyone in creating the organisation’s future, motivated delivery and used unknown talents. The board members, too, had full access, providing them with the means to be assured of outcome delivery at any time (outcomes that they had shared in shaping and measuring) and effectively and robustly meeting their governance responsibilities.
Internal audit’s approach was two-pronged: providing support and guidance on using the platform (for example, helping define the achievement measures and predictor indicators for any given outcome, and helping managers define the risk against any outcome in their ownership); and providing real-time assurance that the data managers used to gauge the delivery status of outcomes against agreed targets, both the predictor and the achievement targets, was evidence-based.
Major derivatives of the approach were the removal of audit and risk management silos and demarcation (no need for a risk management department), dissolution of the ‘what risk? - that’s owned by the CRO, not me!’ syndrome, and the removal of arcane ‘risk vocabulary’, and complex, bureaucratic ‘risk management tools and techniques’ (the workshops on brainstorming ‘risks’, the likelihood, impact, weighting, proximity, heat maps and so on), all of which we’d seen cause antipathy for so long. This, alone, saved thousands of person hours and rapidly turned the antipathy around to keen support.
Furthermore, as the model of ‘three lines of defence’ developed over time (subsequently mandated by financial services regulators and promoted by IIA), with the ‘first line of defence’ being indicated as responsible for risk management, the board and CEO saw it at best as irrelevant, and at worst as damaging, to a modern, dynamic, commercial organisation. They stated that the company is in business to take risk, go on the offensive, not be defensive in competitive markets, make money and provide stakeholders with a return.
Did it work? The CEO presented at an IoD national event. He explained the approach and stated that not only had it got the business through the recession with hardly a hiccup, but also it had fuelled success for the company, propelling it from the bottom end of a UK-based FTSE250 business, to be a global operator at the higher end of the FTSE100 in three years. It’s continued to be developed and used successfully across the commercial, public and social enterprise sectors.
Neville de Spretter FCCA CPFA – director, AdLibero2 Ltd