I have written several blog posts on high-profile risk, control, and governance failures over the past few years, from Volkswagen to Toshiba to Wells Fargo. Some posts looked at lessons learned while others explored internal audit’s role or absence in those corporate stumbles.
Public scandal makes easy fodder for critics, and pundits have made an industry of commenting on failure. But I’d like to focus on the thoughts of one of the most quoted and inspirational leaders of the 20th century, Winston Churchill. The U.K. prime minister, celebrated as bold, brave, resolute, and tireless in his leadership during World War II, also had his share of political and military failures.
Throughout his storied political career, he learned that success and failure are intimately intertwined. The Churchill quote that best captures this is, “Success is not final, failure is not fatal. It is the courage to continue that counts.”
With this as inspiration, let us explore how internal audit can contribute to an organization’s recovery from ignominious scandal or high-profile risk and control failures.
Ride-sharing innovator Uber was hit by multiple scandals, from driver revolts and revelations of its use of software to circumvent rules in cities where it operates to the company’s alleged indifference to sexual harassment and lack of diversity. The fallout seriously bruised the company’s reputation and led to the ouster of its hard-charging CEO, Travis Kalanick.
Its new CEO’s approach to rehabilitating Uber’s reputation amounts to a high-profile listening tour followed by decisive action. Under Dara Khosrowshahi’s leadership, Uber is responding to long-simmering issues of culture at the root of many of its problems. App changes have introduced a tipping option for drivers and a new 9-1-1 feature for passengers who feel threatened. The new leadership also has placed an emphasis on diversity and inclusion.
Facebook and Wells Fargo, which suffered significant reputational harm from a series of scandals, have taken a different approach. The public face of rehabilitation for these two companies, one relatively young and the other more than 150 years old, is expensive and sophisticated multimedia ad campaigns. But they are not stopping there.
Wells Fargo, which was hit with regulatory fines in the hundreds of millions of U.S. dollars for its fake-account scandal, announced an overhaul of its risk management process and changed its incentive pay plan for tellers and other bank employees. It recently agreed to settle a customer class-action suit for $142 million.
Weak controls at Facebook allowed Cambridge Analytica to illegally gather information on more than 87 million users. The scandal that erupted when details of the operation came to light drew typically reclusive Facebook founder Mark Zuckerberg out to publicly defend the social media giant at U.S. congressional hearings.
Zuckerberg testified that the company is looking at every app on its site with access to large amounts of user data, and vowed that any using data inappropriately would be banned and that affected users would be informed.
In all three examples, the high-profile failures and ensuing reputational damage were fueled at least in part by unanticipated risks from efforts to boost revenue. Management’s zeal to secure new business, overtake a competitor, or meet unrealistic sales goals creates risks that can “come home to roost.” They can make the organization more susceptible to known risks and expose it to previously unknown or unanticipated risks.
Internal auditors can play a role in making the board and audit committee aware when management may not be effectively managing risks or may be straying beyond the risk appetite previously agreed with the board. In past blog posts, I’ve described the setting of risk appetite as the board painting lanes on a highway. The board essentially says to management, “Here are the lanes outside of which we don’t want to venture. Stay within these lanes.” It is internal audit’s job to alert the board when management veers outside those lanes.
But what is internal audit’s role when the organization is picking up the pieces of a significant risk management failure? The circumstances of each debacle dictate the particular role internal audit plays, but here are a few preventive or reactive roles to consider:
These are just a few examples of internal audit’s role in the aftermath of scandal. I’d be interested in hearing your thoughts, as well.