On April 20, 2010, an explosion at the Deepwater Horizon drilling rig started what is commonly referred to as the BP oil spill. Eleven people died and from four to five billion barrels of oil leaked into the Gulf of Mexico. During the ensuing public relations nightmare, BP took several questionable actions in terms of its accountability, acknowledgment of the accident's seriousness, and release of information to the public. The organization's negative perception was reinforced by CEO Tony Hayward's famous comment "You know, I'd like my life back." Over the course of this industrial disaster, BP suffered considerable reputational, legal, and financial damage.
Virtually every organization, regardless of size, geography, or industry, will face a crisis at some point. The chances are it will not be as significant as that faced by BP. But it's not a matter of if a crisis will occur, but when--and to what extent it will impact the business. The ability to recover--the resiliency to rebound from financial and reputational fallout--depends on steps taken well ahead of time to manage the event and, most importantly, the associated communications.
Internal audit can play an essential role in crisis preparedness. With the risks inherent in crisis management, an audit of the process may be a given. But internal audit can also provide invaluable assistance by remaining proactively involved throughout the development and implementation of any crisis management plans, and by participating in post-crisis analysis.
The key to an organization's ability to recover from the impact of a crisis is preparation. To ensure the organization is prepared, a crisis team should be established with responsibility for identifying potential crises, developing crisis plans, and educating and training all employees on how the plan will work.
As with any group responsible for identifying potential risks and related actions, the team will require individuals with the skill to methodically work through potential issues and resolutions. However, because the team will be actively involved during crisis management, members should also be fast thinkers who can make quick, realtime decisions.
The crisis team should be cross-functional, with representation from each major organizational division. Because crisis management is about communication, the organization's public relations group--whether in house or outsourced--will play an important role, as will the group responsible for brand management (usually the marketing department). And, while the team does not need to include the full executive management suite, it should have at least some executive-level representation. The team should also include representation from areas such as legal and compliance, to ensure regulatory and legal issues are considered.
Internal audit should also be part of the team. Although the auditors will have to ensure they are not directly involved in decision-making, which could negatively impact their independence, they can provide input to help ensure the team is addressing the appropriate issues.
The team's first responsibility is identifying potential crises. To understand the circumstances that might lead to a crisis, team members should conduct a thorough review of external and internal influences that includes interviews with employees and other stakeholders. Based on its analysis, the team can develop a set of scenarios to serve as the foundation for crisis planning.
This is an area where internal audit's expertise can be invaluable. Auditors can provide insights from prior audits and work completed in enterprise risk assessments. Moreover, internal audit's interviewing and process analysis skills can play an important role in crisis identification and...