A lot has been said and written over the past couple of years about the Three Lines of Defense Model — a tool that is often used to illustrate the interrelationship and roles/responsibilities of the board, management, internal oversight functions, and internal audit in ensuring that risks are adequately assessed and effective controls are in place. The IIA published a position paper on the model earlier this year that outlines the roles and responsibilities of each player — with emphasis on internal audit.
Theoretically, if all players execute their roles correctly, there should never be a complete failure of all three lines of defense. But when they do fail, especially in a high-profile and high-risk program or initiative, the results can be spectacular. Over the past few weeks, we have been witnessing such a failure with the rollout of the U.S. Affordable Care Act website: www.HealthCare.gov. Without a doubt, there is ample blame to go around for the website debacle. Obviously, management did not adequately assess the risks and design and implement the appropriate plans and controls. It is also obvious that U.S. Department of Health and Human Services (DHHS) internal oversight functions failed to detect the looming disaster. Moreover, it is becoming evident that the DHHS Office of Inspector General (OIG) did nothing proactively to warn agency officials of the failures to come.
I mention the healthcare.gov website debacle not to assign blame. Rather, I offer up this case as a timely example of the value internal auditors add when we are able to anticipate and successfully mitigate risk. Very public reputational damage can occur when management does not do its job properly and we somehow don’t catch it.
If you have spent significant time in corporate or government auditing, you have no doubt experienced that sickening feeling when something major slips through the cracks. Your heart sinks when your company or agency finds itself splashed across the front page of the mainstream media. You ask yourself, how did we miss this? Why didn’t we see this coming? You brace for the inevitable question: Where were the internal auditors (or in the case of the federal government — where was the OIG)? As hard as we try, we’re only human.
Having spent a significant portion of my career in the public sector, including stints as Inspector General of the Tennessee Valley Authority and Deputy Inspector General for the U.S. Postal Service, I can empathize with the DHHS IG and his team as they sift through the reputational wreckage and craft a mitigation strategy against future risks.
Although operating management and the internal oversight functions are the first two lines of defense in any organization, there is sometimes a perception, when something really bad happens, that the internal auditors missed it. So how do we, as internal auditors, protect ourselves and the organizations we serve? It all comes down to the three words I utter most often: “Follow the risks.”
A growing number of surveys are identifying reputational risk as the top risk concern of boards and senior management — with good reason. Reputational risk is actually a super-risk affected by one or more sub-risks. And the bigger the brand, the bigger the reputational risk.
In other words, an organization’s reputation can be damaged by an almost infinite number of causal factors. And while, historically, we may have evaluated risk in terms of impact and likelihood, in today’s highly connected world, we have to also consider velocity.
Jonathan Copulsky, a principal with Deloitte Consulting and author of Brand Resilience: Managing Risk and Recovery in a High-Speed World, provides an excellent overview of the complexities and implications of reputational risk in “Risk Angles: Five Questions About Reputational Risk,” a thought leadership brief from Deloitte, published in 2012.
This isn’t just a Western phenomenon. A 2013 survey of top operations, finance, and risk officers in the Middle East, Europe, and Africa by the insurer ACE Group found reputational risk to be both the most important and the most difficult risk to manage. It suggests that awareness is half the battle. The ACE report offers the following 10 steps to managing reputational risk:
In the case of healthcare.gov, the biggest risk was always reputational. So many political battles had been fought and won just to get to the point of launch. All eyes were watching, and all pens were poised to document the historic occasion. A failure would obviously garner more attention than a mundane, successful rollout. There was extraordinary reputational risk at stake for the program, the agency, and all of those responsible in the event of a disaster.
Have you been through a reputational crisis? Is your organization actively working to mitigate reputational risk? What has worked for you? Please share your best practices.