This article is a follow-on from the ‘Auditing Operational Resilience’ feature, which was posted to https://www.jcbfl.co.uk/ in March 2021.
Business resilience builds on the principles of business continuity but extends much further to help enhance an organisation’s ability to alter operations in the face of changing business conditions. Regulators have a key interest in this topic given that operational disruptions to the products and services that firms provide have the potential to cause harm to consumers, threaten the viability of firms and cause instability in the financial system.
The Financial Conduct Authority recently updated its guidance on the importance of operational resilience and the requirements for firms, in February 2023: “Operational resilience is the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption. With the first policy milestone having passed on 31 March 2022, firms now have until no later than 31 March 2025 to be able to operate within their impact tolerances”. The guidance is found at https://www.fca.org.uk/firms/operational-resilience.
Internal Audit is ideally placed to audit the effectiveness of an operational resilience framework at mitigating the associated risk.
A comprehensive analysis, together with an indicative internal audit program, is provided by the Institute of Chartered Accountants England & Wales (ICAEW) at https://www.icaew.com/technical/internal-audit-community/internal-audit-resource-centre/how-to-audit-operational-resilience. In summary,
Looking out for red flags
When assessing risk, internal audit should consider potential red flags that could indicate weaknesses. These include:
Focus areas for audit
If you need assistance with any aspect of your internal or delegated authority auditing, JCBFL can help.