Hurricanes, terrorism, technology change, hacking, supply chain disruption… being resilient is a lot tougher than it used to be. We need a new mindset – in the business and in internal audit – to keep things safe, argues Rohitesh Dhawan.

VUCA – volatility, uncertainty, complexity, ambiguity – might be a decade or two old as an idea, but the acronym is more apt than ever in describing today’s world. “What has changed is the approach businesses now need to handle VUCA”, says Rohitesh Dhawan, Global Lead for Brexit & Geopolitics at KPMG.

“The old mindset sees things are calculable, ‘analysable’. But that analysis seems to come up with the wrong answers so often now – on Trump or Brexit, for example.”

Can an orthodox, legal or procedural approach to business resilience offer real protection against risk? Will a tick box exercise put in place the rapid response required if areas like reputation or supply chain – more vital than ever – are threatened?

It sits with internal audit (IA) in particular to ask the right questions – using new mental models of what threatens resilience.

For Dhawan it’s vital we need to acknowledge the emergence of four fundamental contradictions to help change the way business manages risk:

1. The divide between physical and digital: “We’re creating new physical barriers within, and between, countries and people as digital ones fall,” he says. “This is often driven by short-termist realpolitik.”
2. Politics vs. Economics: “Economic logic no longer trumps political expediency. We need to change our planning assumptions as a result.”
3. Generalists and experts invert: “Anyone’s opinion has become valid. It’s much less clear who has authority and why.”
4. Individual power is rising; institutional power is waning: “Trump, Xi, Erdogan, Modi and many others are symptomatic of a shift of power to ‘the person’. Previously important bodies such as IMF, G20, OPEC and the World Bank are declining in voice and influence.”

“Debating these new contradictions is a good way to start developing internal conversations about aspects of VUCA that ought to be on risk registers, but aren’t right now.”
 

The upshot is this: if you manage risk or report on business resilience, you now need to consider even outlier scenarios.

“We’re seeing major corporations put in place outline plans to leave South Korea within days, given the risk of a war on the peninsula,” says Dhawan.

This isn’t paranoia or scaremongering. It’s about developing a mindset in IA that recognises harsh realities – no matter how unpalatable or unthinkable they are.

“That’s also why IA needs to be hyper-alert about confirmation bias,” Dhawan adds. “Even in a world of big data and analytics, it’s too easy to select evidence that confirms existing world-views – personal or corporate. Smart boards and audit committees are seeking different outlooks to guard against group-think. It can make decisions harder work – but it’s vital.”

Empathy – using all mental faculties to see the full nature or context of a problem – is essential. Managers, strategists, auditors and leaders must go beyond just checking policies, and immerse themselves in other people’s thinking to become more alive to the full variety of threats to resilience.

That extends to getting into the minds of leaders in other businesses and other sectors – not just because industries are converging, but also to discover alternative risk sensitivities.

“This is a moment of truth for IA,” Dhawan says. “If IA helps the business shift mind-set, it can become indispensible as leaders wake up to the sheer variety of challenges. But if it’s just static risk registers being ticked off to satisfy obvious threats – then you’re on the road to irrelevance.”

For 2018, then, here are three resilience projects for IA:
 

1. Equip others to ask the right questions. VUCA is hard work – and few frontline staff or even compliance officers have much time to consider these complex risks. “Help management and non-exec directors cut through the fatigue,” says Dhawan. “Create a two-page board document on the key resilience issues – five or six questions any NED should be asking – using what IA knows.”
2. Be an integrator. IA can take a theme like ‘a breakdown of trust in institutions’ and look at all the different ways that might affect operations. It also applies to sector convergence – IA can be a voice looking at how different models and practices might threaten existing operations.
3. Challenge the echo-chamber. There’s a growing sense of the importance of contrarian viewpoints – on cyber, environmental risks, reputation and more. “IA has a role that gives practitioners permission to challenge orthodoxies and highlight those edge risks,” says Dhawan.
    

Ultimately, business resilience today depends on people with open minds asking the right questions and accepting a range of possible outcomes in a highly unpredictable world. And any organisation that wakes up to this fact will treat internal audit as a brilliant tool to shape and contextualise those questions to protect the business effectively.

“IA has to be a little cunning to get those messages out to NEDs and even management,” Dhawan concludes. “This isn’t a call for IA to do a whole raft of extra things. But it does have to be creative. How about getting guest speakers for the next audit committee event who can help redefine thinking about risk? Bring in audit professionals with new skills and experiences from other businesses. Even just the anecdotes that come with someone from an entirely different background can have a big impact with decision-makers.”