When All Defenses Fail: Internal Audit Lessons From the HealthCare.gov Debacle

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 

 
A lot has been said and written over the past couple of years about the Three Lines of Defense Model — a tool that is often used to illustrate the interrelationship and roles/responsibilities of the board, management, internal oversight functions, and internal audit in ensuring that risks are adequately assessed and effective controls are in place. The IIA published a position paper on the model earlier this year that outlines the roles and responsibilities of each player — with emphasis on internal audit.  
 
Theoretically, if all players execute their role correctly, there should never be a complete failure of all three lines of defense. But when they do fail, especially in a high-profile and high-risk program or initiative, the results can be spectacular. Over the past few weeks, we have been witnessing such a failure with the rollout of the U.S. Affordable Care Act website: www.HealthCare.gov. Without a doubt, there is ample blame to go around for the website debacle. Obviously management did not adequately assess the risks and design and implement the appropriate plans and controls. It is also obvious that U.S. Department of Health and Human Services (DHHS) internal oversight functions failed to detect the looming disaster. Moreover, it is becoming evident that the DHHS Office of Inspector General (OIG) did nothing proactively to warn agency officials of the failures to come.
 
I mention the healthcare.gov website debacle not to assign blame. Rather, I offer up this case as a timely example of the value internal auditors add when we are able to anticipate and successfully mitigate risk. Very public reputational damage can occur when management does not do its job properly and we somehow don’t catch it.
 
If you have spent significant time in corporate or government auditing, you have no doubt experienced that sickening feeling when something major slips through the cracks. Your heart sinks when your company or agency finds itself splashed across the front page of the mainstream media. You ask yourself, how did we miss this? Why didn’t we see this coming? You brace for the inevitable question: Where were the internal auditors (or in the case of the federal government — where was the OIG)? As hard as we try, we’re only human.
 
Having spent a significant portion of my career in the public sector, including stints as Inspector General of the Tennessee Valley Authority and Deputy Inspector General for the U.S. Postal Service, I can empathize with the DHHS IG and his team as they sift through the reputational wreckage and craft a mitigation strategy against future risks.
 
Although operating management and the internal oversight functions are the first two lines of defense in any organization, there is sometimes a perception, when something really bad happens, that the internal auditors missed it. So how do we, as internal auditors, protect ourselves and the organizations we serve? It all comes down to the three words I utter most often: “Follow the risks.”
 
A growing number of surveys are identifying reputational risk as the top risk concern of boards and senior management — with good reason. Reputational risk is actually a super-risk affected by one or more sub-risks. And the bigger the brand, the bigger the reputational risk.
 
In other words, an organization’s reputation can be damaged by an almost infinite number of causal factors. And while, historically, we may have evaluated risk in terms of impact and likelihood, in today’s highly connected world, we have to also consider velocity.
 
Jonathan Copulsky, a principal with Deloitte Consulting and author of Brand Resilience: Managing Risk and Recovery in a High-Speed World, provides an excellent overview of the complexities and implications of reputational risk in “Risk Angles: Five Questions About Reputational Risk,” a thought leadership brief from Deloitte, published in 2012.
 
This isn’t just a western phenomenon. A 2013 survey of top operations, finance, and risk officers in the Middle East, Europe, and Africa by insurer ACE Group found reputational risk to be both the most important and most difficult risk to manage. It suggests that awareness is half the battle. The ACE report offers the following 10 steps to managing reputational risk:
 
  1. Put the CEO in charge. The chief executive, together with the board, needs to drive the risk culture and demonstrate the right behavior by example.
  2. Reward diligence. Employees are the eyes and ears of an organization. Leading companies are already making an awareness of reputational risk part of their performance management.
  3. Develop an “outside-in” perspective. Apply a “reputational lens” to traditional risk categories, consider how reputational damage might result, and take steps to close any gaps.
  4. Value your reputational capital. Although methods of placing a financial value against reputation are still in their infancy, getting experts to review the impact of various reputational issues and communicating this widely across the company can certainly help drive the message home.
  5. Monitor your reputation. Actively listen to stakeholders on the issues that affect your reputation, and learn how to use tools such as social media to monitor external perceptions more systematically.
  6. Create transparency and accountability. Encourage a sense of ownership for the brand among your employees, and ensure that information is not kept from senior management.
  7. Communicate your values, then live by them. Reputations are managed through positive actions, not just through defensive measures. Make sure there is clear, common understanding about the company’s values throughout the organization and measure personal performance against them.
  8. Plan for the next crisis. The cause of a reputational event may be hard to predict, but identifying the right team and processes to address these issues will help your company handle a crisis faster and more effectively.
  9. Develop a multi-disciplinary approach to reputational management. The CRO has expertise in risk management, but must work with PR experts and other stakeholder-facing business functions to protect and enhance something as broad as the company’s reputation.
  10. Learn from others’ mistakes. Many of the major corporate reputational disasters of recent years provide textbook examples, and there are many lessons and best practices that can be adopted from their analysis.

In the case of healthcare.gov, the biggest risk was always reputational. So many political battles had been fought and won just to get to the point of launch. All eyes were watching, and all pens were poised to document the historic occasion. A failure would obviously garner more attention than a mundane, successful rollout. There was extraordinary reputational risk at stake for the program, the agency, and all of those responsible in the event of a disaster.
 
Have you been through a reputational crisis? Is your organization actively working to mitigate reputational risk? What has worked for you? Please share your best practices. 

Posted on Nov 25, 2013 by Richard Chambers


  1.  Great insight into the audit as an anticipatory tool.  Reputation truly is the bottom line ... if it goes south, the multiplier effect is likely off the chart.

  1. Richard,

    What appears to have occurred here is not just a failure in the three lines of defense, but of equal if not more importance from a strategic perspective, it was also a failure by the Board and Executive Management in their oversight roles. While I support the notion of a Lines of Defense oversight approach, one difficulty I have is that the three lines of defense model excludes the Board and Executive Management as additional lines of defense. In reality from a strategic perspective these are perhaps the most critical lines of defense.  My preference is therefore for an extended  "five lines of defense" model which specifically includes the Board and Executive Management in order to help ensure they are both active and clear in their oversight responsibilities. As you may be aware I have addressed this issue in my corporate defense management (CDM) model, see link to short video:

    http://www.youtube.com/watch?v=vLoA8U0GZHI

    From a strategic perspective both the Board and Executive Management need to be actively involved in their oversight responsibilities in order to help avoid similar occurrences going forward.

    My 2 cents

    Sean

  1. Reposting:

    Up to 18% of shareholder value can be attributed to reputational risk management. 

    Here are some good/best practices: We partner with a firm in the industry and use reputational metrics deployed by the insurance industry to underwrite policies and by hedge funds to identify stakeholder behavioral changes. We develop trending KPIs and KRIs for reputational risk management programs. We also help design programs, assess capabilities and maturities and investigate weaknesses and threats. We also bring reputational risk insurance as a risk response which as an industry is experiencing tremendous interest.

    Mike Corcoran

    Head of Enterprise Risk and Value Management

     

  1. Richard: Thanks for elevating this important topic. We have been working with our clients as part of their ERM programs to complete formal risk assessments on the objective of "Safeguard and enhance the company's reputation". The approach we recommend requires it be assigned an "OWNER/SPONSOR". This is often the CEO. The CEO is then responsible for deciding on the level of risk assessment rigor that will be applied to the risk assessment, ranging from "quick and dirty" to very detailed and rigorous. There is some excellent material available to help ERM specialists and IA that are asked to assist or complete risk assessments on this objective. One of the best I have found is the HBR article "Reputation and Its Risks". There is a small fee for the full article for non-subscribers but it is well worth the money. Unfortunately I suspect few risk-centric ERM programs or IA functions have done assessments on this key objective or use objective-centric methods for audits and/or ERM work. Boards need to demand that senior management complete formal assessments with the support of either their ERM function if one exists, or their internal audit function.
