Mary Poppins had it right: Impossible things are happening every day. Or at the least, extremely improbable things are happening all around us. In these uncertain times, the unexpected has become the status quo, and we go through our days knowing that the next super-catastrophe might be just around the corner. We’re not just dealing with fires and floods — we’re at risk from terrorism, pandemic disease, mega-earthquakes, tsunamis, super-sized volcanic eruptions, or perhaps the decade’s largest industrial accident, just to name a few.
It’s easy to ignore the threat of a million-to-one event such as a terrorist attack, but with an uncounted number of potential catastrophes in the making every day, the only certainty is that, sooner or later, another catastrophe will strike. The law of averages tells us that if there are enough unforeseen risks, some will shortly become seen. Sooner or later, every organization will face a potentially devastating crisis.
We can afford to ignore a risk when we know we can deal successfully with its consequences. But some events are not the everyday, garden-variety bad things that happen to all organizations. A few are the truly catastrophic events that can devastate companies or even entire countries. In these cases, there is no alternative but to take action. The only choice is whether to prepare and take action now, or to wait and depend on luck to determine our paths.
Regardless of whether the magnitude of the crisis is large or small, some organizations will weather the storm while others will not survive. A lucky few will even bounce back stronger than ever. But what makes some organizations more resilient than others? Why exactly do some organizations pass through unforeseen events so much more successfully than others?
Obviously many factors are at play. Companies such as Enron, Arthur Andersen, and Union Carbide all had respected senior management teams, and each had a bevy of risk management experts. Yet they never recovered after their respective crises, while organizations such as Exxon, MCI (WorldCom), and Johnson & Johnson (Tylenol) survived. Each organization had brilliant strategists, respected boards of directors, and specific disaster recovery plans. Yet some were successful while others are now history.
I believe that one factor in particular can help organizations to navigate rough waters successfully: It is essential to have a vigilant internal audit function with a proactive vision of crisis management. Internal audit needs to help management envision just what its risks and potential consequences are — before the risks become reality. We need to help ensure our organizations’ disaster preparedness plans are flexible enough to handle any type of sudden catastrophe but robust and detailed enough to give sufficient guidance. We need to look for the early warning signs of smoldering crises that begin as minor issues but, if ignored, can balloon to major crises. And we need to help look for the silver lining in the cloud, to help identify the fleeting moment when crisis can be turned to opportunity.
In particular, we need to help ensure that our organizations don’t ignore risks we can’t afford to take, even when the likelihood is remote. We need to help assure that all potential crisis scenarios are explored without being tossed out as preposterous.
Most of all, we need to take action now. In the current times of uncertainty, it is more important than ever to remember the motto of the Boy Scouts of America: “Be prepared.” For when it comes to catastrophic events, the biggest catastrophe of all can be a catastrophic failure to prepare in advance.
At most of our organizations, we have already helped to enhance organizational security and preparedness; yet there is obviously more to be done. While we can offer no foolproof security, we know that future success requires ongoing preparation for future crises. We need to protect ourselves against those people and extreme events that could do us harm, remembering that a catastrophe we can prevent is almost always preferable to a catastrophe we can mitigate.
Earlier this week, I spoke to an audience of professional internal auditors in Beijing. I reminded them that unlikely or unanticipated risks are often referred to as “black swans.” I pointed out that black swans are not nearly as rare as once believed. I also emphasized that black swans can be deadly!