In a previous podcast, Protiviti Managing Director Risk Magliozzi discussed key themes from the SIFMA IAS conference, which took place in late October in Miami. In this follow-up segment, managing directors Doug Wilbert and Carl Hatfield, who presented at the conference, focus on the role of internal audit and on what first- and second-line functions can do to facilitate internal audit’s role in an operational resilience program. Full transcript below.
SIFMA Conference Recap with Carl Hatfield and Doug Wilbert
November 6, 2019
Kevin Donahue: Hello, this is Kevin Donahue with Protiviti, welcoming you to a new edition of Powerful Insights. I’m pleased to be talking today with Carl Hatfield and Doug Wilbert, and they were attending recently the SIFMA Internal Auditors Society Annual Conference where they not only spoke with many of the attendees about some of the different issues happening within financial services and in audit and such, but also delivered a presentation on business resilience. So, I wanted to speak with them, just get a few of their takeaways from the event and from their presentation.
Carl is a managing director with our IT audit practice based in Boston, while Doug is a managing director with Protiviti with our Risk and Compliance group, and he’s based out of New York.
Carl, it’s great to speak with you today.
Carl Hatfield: Hi, thanks, Kevin.
Kevin Donahue: And Doug, great to speak with you as well.
Doug Wilbert: Same here. Good to talk to you, Kevin.
Kevin Donahue: Great. So, Carl, as I mentioned, you attended the conference, you delivered your presentation. Why don’t you tell me a little bit about the event and some of your takeaways from that, as well as your presentation?
Carl Hatfield: Great. Sounds good. So, yes, we had a great event with SIFMA’s Internal Audit Conference. We had the opportunity, Doug and I, to sit on a panel with a few of our colleagues from a couple of industry clients to discuss operational resiliency and how organizations are addressing operational resiliency.
We had a nice mix of panelists. We had some first-line folks, Doug, representing the first line, and then from a third-line perspective and how audit is taking a look at it, myself as well as one of our clients presented on that.
From an audit perspective in operational resiliency, some of the key areas – really partnering with the first and second-line to understanding how the organization is structuring operational resiliency programs: things like who’s going to be responsible and accountable for the program, is there a Chief Resiliency Officer, audit taking a look at kind of the methodologies and reporting metrics – so, how is an institution determining critical business services and impact tolerances and offering some of those effective challenges. So, those are probably some of the new kind of areas that audit would be covering.
And then, from maybe an expanded scope or just a refocus on what kind of audit has been doing over the last several years: what is the organization doing for cyber, what protections do we have in place, what responses and recovery mechanisms do we have, looking at areas like obsolete technology and how an institution is managing that technology out of its organization and/or how it could potentially recover in the event that those types of technologies are impacted.
So, there’s some of the new stuff related to governance and some of the new – maybe not necessarily new but kind of refocused kind of terms, like critical business services and impact tolerances and there’s a little bit of “Hey, let’s refocus on some of the existing areas like cyber, like third-party risk management, like obsolete technology.”
Kevin Donahue: That’s great. Thanks, Carl. Doug, I’d like to hear your insights as well, especially because you’re deep into this world of business and operational resilience and maybe looking at it through a little bit of a different lens coming to the event, so what were some of your observations and takeaways?
Doug Wilbert: Yes, I think my one, I guess, large takeaway is the influence that the first- and second-line structure will have on effective auditing and how it needs to be integrated at the setup level. With audit, for example, we spoke a lot about how are we going to audit the RTO (recovery time objective) of a business service versus an application? And if you think about all the setup that goes into this, if the resilience office is not synced up with or developed around the ability to effectively audit and test the outcomes of the service level RTO, it makes audit’s life very challenging.
So, I think the big takeaway for me from hearing a lot more of the audit perspective is that in building your office, include the ability of audit to effectively do their work in your organizational structure and design. Otherwise, we’re just going to run into challenges where, at the end of all this, audit will not have the ability to effectively or easily understand how quickly a business service can recover from an event.
Kevin Donahue: Carl, Doug, great information today. Thank you for sharing your insights.
Doug Wilbert: Pleasure.
Carl Hatfield: Great. Glad to be here. Thanks.