The role of audit in crisis readiness
By Kevin Cardiff, KBC Bank Ireland and former ECA Member
How can an auditor be of use for crisis managers? When to step in to assess the handling of a crisis without disturbing or slowing down solving the crisis? What to focus on in view of a crisis’s potential unique character? Questions relevant for crisis managers and auditors alike. Kevin Cardiff experienced a crisis from within, working as senior official in Ireland’s Department of Finance during the worst periods of the global financial crisis that started in 2007 and serving as Secretary-General of that Department from 2010 onwards. While it was a financial breakdown, the sense of urgency was no less than in another crisis, to stop the financial fallout. Kevin Cardiff published the book RECAP — Inside Ireland’s Financial Crisis in 2016, providing an account of the pressures, the key incidents, the big questions and the difficult choices that had to be made in 2008 and beyond. He also served as ECA Member from 2012 to 2018, responsible for a range of audit products relating to EU’s financial governance issues. With his experiences of being in the executive during a crisis and as public auditor looking at its aftermath he shares his reflections and insights and where auditors can provide most added value.
Crisis eruption and response
As a public official, I have been involved in my fair share of crises, big and small. They are in concept a bit like volcanic eruptions: tensions in the ground build up over a long period of time, there may be more and more evidence of these tensions in the period ahead of the eruption or the building tensions may be unnoticed. Sometimes, often perhaps, signs of activity do not actually lead to an eruption, as tensions dissipate some other way. But where it does occur, the actual eruption is then followed by an immediate response, and a much longer period of often frenzied follow-up action, reaction to inevitable but unpredictable after-shocks, remediation and a determination never to get caught unawares again, by this particular volcano or perhaps any like it.
Also in the aftermath, there is the period of both accountability and recrimination. ‘How could this happen?,’ ‘Why was it not prevented?,’ ‘Why did we assume that we were safe?’ and so forth. Proper and important questions that deserve a considered answer.
At the European Court of Auditors, where I was a Member from 2012 to 2018, there was much debate about our role in relation to the financial and economic crisis, and to the avoidance or management of future crises. A special Financial and Economic Governance team was set up and audits were performed that sometimes went further than auditees expected from us, in relation to the European Union reactions to the crisis. But in some instances we went further still, to look explicitly at systems for managing future crises. Of course, at the same time, other teams looked into other types of crises — responses to natural disasters, to migration etc. Box 1 lists some of the audits performed by this special team.
Auditing a crisis while it happens has risks.
Auditors have extensive, but far from unlimited, powers to examine public bodies, which can be made available to examine the role of these bodies in a crisis situation. But audit institutions should give careful consideration to the balance of public interest in deciding whether to use their generally extensive prerogatives in mid-crisis. After all, audit is a retrospective examination of past events, or at best, a snapshot of current conditions.
An audit team is not going to add much immediate value to the handling of an ongoing crisis, and in many cases trying to audit the crisis response of a government or EU institution or public body in mid-crisis will be counterproductive, diverting resources and attention from the immediate task of crisis management. The presence of auditors in the mix might stifle imagination and have a chilling effect on the actions of those who are supposed to cope with the fast changing crisis conditions. So generally, auditors should stay out of crises, or at least the initial reaction phase of crises, and generally be circumspect in how they insert themselves into crisis situations.
… but may be essential in certain circumstances
I think there must be exceptions to this general approach. Firstly and most importantly, routine financial audit is a substantial underpinning for financial accountability in all democratic systems, and is so important to the underpinning of democratic trust that it should be set aside only very rarely. Even in the recent COVID-19 crisis, public audit institutions throughout Europe were able to continue their work, and this was all the more important in the context of huge temporary or permanent increases in public expenditures.
Secondly, of course, is when the issues giving rise to the crisis are centered on financial misdealing or arise from a serious breakdown of trust in institutions. In those circumstances, it is precisely the role of independent external audit to establish facts and report them thoroughly and accurately. A crisis of trust cannot be addressed without establishing facts and providing assurance — the central roles of auditors.
But even in circumstances where the auditor ought not to intervene in the crisis itself, the audit process can provide real added value in crisis preparation, crisis response, public assurance and ex post accountability. During the economic and financial crisis period in Ireland, the Comptroller and Auditor General’s (C&AG) Annual Report on the Accounts of the Public Services, sometimes went beyond a simple opinion on the banking support and related measures, by providing a chapter reviewing the Government’s intervention measures. In a landscape that was changing sometimes week to week, and for which the dry presentation of the public accounts was never designed, the C&AG provided an independent and authoritative presentation of complex facts, greatly assisting the accountability process.
But perhaps an area where auditors can add real value is in the examination of schemes and structures designed by public authorities to prepare for crises. It seems to me that while every crisis is different, there are some characteristic traits, each of which is common to many of the kinds of crises that are faced by public institutions. See Βox 2. (1)
It also seems to me that auditors can make a very significant contribution to crisis management by examining these and other characteristics of pre-crisis situations and looking for them within the overall management, and particularly within the risk or crisis management functions, of public bodies.
Let us take just three of these issues — the failure to trigger countermeasures, communication failures and system design weaknesses — and consider the role of auditors.
Example one — failure to trigger countermeasures
Failure to trigger countermeasures is very common in financial stability or financial market crises of one kind or another, and it is a good example of something that looks very like a sort of somnolent inaction, but is not that. Consider the position of a Council, Committee, Minister, official or institution which is facing a crisis in a financial institution, or indeed a sovereign nation. Let’s assume that they have, perhaps belatedly, come to understand and are aware of risks, and they have a plan that says in the event of a particular indicator of, say, moderate signs of withdrawal of investors from the market in the bonds of this institution or country, a crisis prevention conference will be called and a new set of conditions will be applied to the entity facing the crisis. But they know that as soon as they intervene, financial markets will react. The fact that the public authorities are preparing for a potential crisis could accelerate the development of the crisis as markets react to that signal, and the moderate withdrawals of capital could well turn into a fully-fledged flight, for which the parties are not yet ready, because after all, they have not even talked to each other fully yet.
Some discussions of course, can happen in secret, and resources to deal with a crisis can be gathered together quietly. However, governments and institutions are often legally bound to publicise events that might affect the market in their stocks, and it is very difficult to gather large amounts of resources without attracting attention. Thus, there is a very strong, inbuilt incentive to put off some of the key reactions to a building crisis until it seems clear that the crisis is almost upon us. When the Irish parliament, the Oireachtas, examined the period of the eruption of the Irish banking crisis at the end of September 2008, there were many questions, among them why had the reaction occurred so late. But also whether some of the initial reactions could not have been put off a short while longer.
This incentive to wait, to avoid panic, to seek better information, to get better prepared, to involve more players, is not restricted to financial crises. I imagine that many of the COVID‑19 Councils around Europe had to ponder deeply on the question of whether and how fast to react to the COVID‑19 breakouts, knowing that in triggering early countermeasures, at a time of uncertainty about the likely direction and severity of the epidemic, they put whole industries, and even some of the fundamental freedoms underpinning the European Union, at risk. The courage of those who made (and sometimes were criticised for) those decisions should be acknowledged.
Example two — communication
A Taoiseach (Prime Minister) of Ireland once remarked to me that there were some crises which seemed to occur although — and possibly even because — each of the institutions concerned was busily and properly doing its own job. Public agencies are aligned to individual mandates, and their combined and faithful operation of these mandates does not always add up to the optimum public interest approach.
The European Union has shown at least some recognition of this and it operates in part on the basis of the wonderful concept of ‘loyal cooperation’ between the institutions of the Union and those of the Member States. It is not enough that these institutions fulfil their own mandates, they must also act in recognition of and cooperation with the mandates of other institutions. And that requires open cooperation, and therefore communication, between institutions. Sometimes that happens with seamless ease. At other times the incentives for siloed thinking, even inter-institutional jealousy or past misunderstandings, or legal constraints, can hamper the mutual communication that allows institutions to cooperate to fulfil their mandates in a way that protects the public interest. In crises, poor cooperation and rigid or narrow interpretation of public mandates can seriously hamper a holistic response.
Example three — system design weakness
But even if there are not problems of mandate, and even if cooperation is good, public systems may not be adequately designed for the crises they might face. As the economic and financial crisis developed there was a huge and highly accelerated development of new institutions, new legislation, new governance arrangements, new European competencies, to cope with the crisis, and address the weaknesses that had become evident (see Figure 1).
In relation to financial stability alone, there were new regulatory agencies like the EBA, ESMA, EIOPA (2), the three new regulatory agencies, for banking, securities/markets and insurance. There was a new and much more highly integrated supervisory system, the Single Supervisory Mechanism. A Single Resolution Board was planned and established to take care of the position of banks which were failing. And borrowing and lending functions were gathered together, first in the EFSM and EFSF, then in the ESM (3), to help countries deal with their fiscal and financial system difficulties. All of these new bodies were put in place in large part as a result of the experience of the financial crisis. And every one of them functionally independent from each other, with different responsibilities, obligations, powers and accountability structures.
Taken together, the pre-existing institutional structure, with these various new authorities and agencies, represent an enormous pool of expertise and experience and a staggering amount of financial ‘firepower.’ They are the result of a great deal of consideration, debate and development in the light of the experiences of the financial crisis. And there is a wide and welcome acknowledgement that the development process is not complete.
However, the development of all these new agencies and functions is in itself also a recognition of the pre-crisis systems weaknesses that existed. An interdependent European financial system was not matched then by a sufficiently powerful and well integrated crisis prevention system.
National institutional structures were also exposed as insufficiently developed. In many countries, this was not for the want of effort. The 10 or 15 years prior to the financial crisis were characterised by a real trend for experimentation, development and institutional reform in relation to financial regulation and financial stability, in a number of the Member States. But when the crisis came, it was clear that these were in some cases insufficiently well integrated at the national level and also that there was no structure explicitly tasked with preventing financial crises at the European level, notwithstanding the many bright people and powerful institutions who each had a ‘piece of the pie.’
Finally, it was clear during the early part of the crisis that both at national level and at European and international level there were countervailing institutional incentives. Member states authorities rushed to protect national liquidity pools in competition with their neighbours, information about stressed credit institutions was incompletely shared because secrecy seemed essential, public institutions struggled internally with conflicting objectives and legal mandates that were not always designed for the situation at hand.
In truth, given the circumstances, things could have been a lot worse. Europe did take some time to develop its suite of measures. They came slowly at first, then more quickly and the scale of European interventions was finally large enough to reflect the scale of the issues, after enormous political and institutional effort by individuals and institutions, which understood the need to act.
Role of the auditor in relation to crisis readiness
When the European Court of Auditors was working on special reports on the crisis management arrangements of the Single Supervisory Mechanism (SSM), and at the setting up of the Single Resolution Board (SRB and whose whole raison d’être is the management of crises) (4), for which I was the reporting Member, we were particularly aware that although these were two separate audit tasks, the two institutions were themselves expected to work together as part of a system. Among other things, we looked at the system itself, how the elements of the system were resourced and developed to meet their mandate, and at the communication mechanisms, and questioned how they were working, and how they might work in a crisis.
We were conscious of the danger that crisis interventions in the case of a failing bank might only be formally triggered by the SSM quite late (for good reasons explained earlier), giving very little time to the SRB to ready itself. So it seemed essential that the SRB would be an integral part of the crisis communication going on in the SSM. Work was already in train between the institutions on these points, but we made recommendations about the triggering of pre-crisis reactions within the SSM and about the communication between SSM and SRB, and between European and national bodies, while remaining within our own mandate that precluded us from making certain types of observations. Most importantly, we wanted to stress that these two organisations needed to operate as a system, not as single bodies.
Making our formal recommendations to address these issues (and in our own informal communications) before the new institutions had settled into fixed ways of working together was important. I like to think that this is an example of how auditors can add value: understanding some of the key lessons of previous crises in the same and other fields and checking whether they have been addressed in new risk or crisis management systems.
Lessons for public audit institutions
A volcano exploding on a remote uninhabited island is not a real crisis, though the local wildlife might disagree. It is the interaction of the volcano, with the lives of people, with the economic and geographic factors that led them to want to live near it, with the planning rules that allowed habitation there, with the public choices about investing in mitigating measures, with the early warning and evacuation systems, and with the character and behaviour of individuals who played their part in preparing for and managing the crisis as it happens that determine the impact of the event (see also Box 3 for some personal reflections on crisis management). So public auditors, according to their various mandates, can best add value by understanding and emphasizing the role of each part of the system, and auditing in that light.
Meanwhile, each audit institution is independent, and within these institutions (5) we stress the need for independence of thought and strength of character of each individual auditor. That is especially appropriate in our roles as independent external auditors of individual public bodies and institutions. And when we audit, we do so to a carefully defined and by definition limited scope, within our audit mandate. Each public auditor therefore assesses risks and audit requirements within its own remit, and that is quite proper.
But who audits a crisis preparedness system — like the one we now have for major banking crises — which is composed of literally hundreds of interacting public bodies and institutions, and 27 different national legal systems (excluding all the possible extra-EU international interactions)? No-one? Or everyone? In practice, depending on the priorities and mandate of many individual public auditors, many elements of that system may go unaudited or unevaluated for very long periods of time. Has nobody got the task of providing an overall independent external assurance to the public and their representatives on the interoperability of the system as a whole? The ECA is perhaps the most likely candidate, but its mandate does not go nearly that far.
It is not an original suggestion, but maybe auditors, too, need to develop their role as part of a European system, and ask that their legal remit is adjusted to allow for that. Not to take away their independence of thought or action, but to ensure that they can and — and in relation to the most important Europe wide systems — they do act in a concerted way. For a very small number of the most important European issues, could loyal cooperation be extended to the point of real co-ordination? There are more crises to come…
(1) Incidentally, an interesting exercise would be to evaluate public authority and political preparedness for the potential climate change crisis against this list of characteristics.
(2) EBA standing for European Banking Authority, ESMA is the European Securities and Markets Authority, and EIOPA stands for European Insurance and Occupational Pensions Authority.
(3) EFSM is the acronym for European financial Stabilisation Mechanism, EFSF is the European Financial Stability Facility and ESM the European Stability Mechanism.
(4) See special report 02/2018: The operational efficiency of the ECB’s crisis management for banks, published in January 2018, and special report 23/2017: Single Resolution Board: Work on a challenging Banking Union task started, but still a long way to go, published in December 2017, as well as special report 29/2016: Single Supervisory Mechanism — Good start but further improvements needed, published in November 2016.
(5) See for example the publication Public Audit in the European Union on the ECA website.
This article was first published on the 3/2021 issue of the ECA Journal. The contents of the interviews and the articles are the sole responsibility of the interviewees and authors and do not necessarily reflect the opinion of the European Court of Auditors.