When All Defenses Fail: Internal Audit Lessons From the HealthCare.gov Debacle

A lot has been said and written over the past couple of years about the Three Lines of Defense Model — a tool that is often used to illustrate the interrelationship and roles/responsibilities of the board, management, internal oversight functions, and internal audit in ensuring that risks are adequately assessed and effective controls are in place. The IIA published a position paper on the model earlier this year that outlines the roles and responsibilities of each player — with emphasis on internal audit.  

Theoretically, if all players execute their role correctly, there should never be a complete failure of all three lines of defense. But when they do fail, especially in a high-profile and high-risk program or initiative, the results can be spectacular. Over the past few weeks, we have been witnessing such a failure with the rollout of the U.S. Affordable Care Act website: www.HealthCare.gov. Without a doubt, there is ample blame to go around for the website debacle. Obviously management did not adequately assess the risks and design and implement the appropriate plans and controls. It is also obvious that U.S. Department of Health and Human Services (DHHS) internal oversight functions failed to detect the looming disaster. Moreover, it is becoming evident that the DHHS Office of Inspector General (OIG) did nothing proactively to warn agency officials of the failures to come.

I mention the healthcare.gov website debacle not to assign blame. Rather, I offer up this case as a timely example of the value internal auditors add when we are able to anticipate and successfully mitigate risk. Very public reputational damage can occur when management does not do its job properly and we somehow don’t catch it.

 If you have spent significant time in corporate or government auditing, you have no doubt experienced that sickening feeling when something major slips through the cracks. Your heart sinks when your company or agency finds itself splashed across the front page of the mainstream media. You ask yourself, how did we miss this? Why didn’t we see this coming? You brace for the inevitable question: Where were the internal auditors (or in the case of the federal government — where was the OIG)? As hard as we try, we’re only human.

 Having spent a significant portion of my career in the public sector, including stints as Inspector General of the Tennessee Valley Authority and Deputy Inspector General for the U.S. Postal Service, I can empathize with the DHHS IG and his team as they sift through the reputational wreckage and craft a mitigation strategy against future risks.

Although operating management and the internal oversight functions are the first two lines of defense in any organization, there is sometimes a perception, when something really bad happens, that the internal auditors missed it. So how do we, as internal auditors, protect ourselves and the organizations we serve? It all comes down to the three words I utter most often: “Follow the risks.”

A growing number of surveys are identifying reputational risk as the top risk concern of boards and senior management — with good reason. Reputational risk is actually a super-risk affected by one or more sub-risks. And the bigger the brand, the bigger the reputational risk.

In other words, an organization’s reputation can be damaged by an almost infinite number of causal factors. And while, historically, we may have evaluated risk in terms of impact and likelihood, in today’s highly connected world, we have to also consider velocity.

Jonathan Copulsky, a principal with Deloitte Consulting and author of Brand Resilience: Managing Risk and Recovery in a High-Speed World, provides an excellent overview of the complexities and implications of reputational risk in “Risk Angles: Five Questions About Reputational Risk,” a thought leadership brief from Deloitte, published in 2012.

This isn’t just a western phenomenon. A 2013 survey of top operations, finance, and risk officers in the Middle East, Europe, and Africa by insurer ACE Group found reputational risk to be both the most important and most difficult risk to manage. It suggests that awareness is half the battle. The ACE report offers the following 10 steps to managing reputational risk:​

1. Put the CEO in charge. The chief executive, together with the board, needs to drive the risk culture and demonstrate the right behavior by example.
2. Reward diligence. Employees are the eyes and ears of an organization. Leading companies are already making an awareness of reputational risk part of their performance management.
3. Develop an “outside-in” perspective. Apply a “reputational lens” to traditional risk categories, consider how reputational damage might result, and take steps to close any gaps.
4. Value your reputational capital. Although methods of placing a financial value against reputation are still in their infancy, getting experts to review the impact of various reputational issues and communicating this widely across the company can certainly help drive the message home.
5. Monitor your reputation. Actively listen to stakeholders on the issues that affect your reputation, and learn how to use tools such as social media to monitor external perceptions more systematically.
6. Create transparency and accountability. Encourage a sense of ownership for the brand among your employees, and ensure that information is not kept from senior management.
7. Communicate your values, then live by them. Reputations are managed through positive actions, not just through defensive measures. Make sure there is clear, common understanding about the company’s values throughout the organization and measure personal performance against them.
8. Plan for the next crisis. The cause of a reputational event may be hard to predict, but identifying the right team and processes to address these issues will help your company handle a crisis faster and more effectively.
9. Develop a multi-disciplinary approach to reputational management. The CRO has expertise in risk management, but must work with PR experts and other stakeholder-facing business functions to protect and enhance something as broad as the company’s reputation.
10. Learn from others’ mistakes. Many of the major corporate reputational disasters of recent years provide textbook examples, and there are many lessons and best practices that can be adopted from their analysis.

In the case of healthcare.gov, the biggest risk was always reputational. So many political battles had been fought and won just to get to the point of launch. All eyes were watching, and all pens were poised to document the historic occasion. A failure would obviously garner more attention than a mundane, successful rollout. There was extraordinary reputational risk at stake for the program, the agency, and all of those responsible in the event of a disaster.

Have you been through a reputational crisis? Is your organization actively working to mitigate reputational risk? What has worked for you? Please share your best practices.