Over the past several decades, the spotlight on corporate governance has intensified as organizations realize the criticality of managing risk and making well-informed, strategic decisions. But despite widespread adoption and implementation of corporate governance models, the health of corporate governance isn’t where it should be, according to a recent study from The IIA.
OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk investigates how far the three main pillars of corporate governance — executive management, the board, and internal audit — are aligned when it comes to understanding and managing risk. The report uncovers a pervasive lack of communication and coordination among those groups in key risk areas organizations are likely to face in 2020 and beyond (see “Key Findings” below right).
Boards were found to be more confident than executive management that their businesses are capable of addressing threats in nearly every one of the 11 risks examined. Moreover, internal audit and the board share similar views on their organizations’ level of risk management maturity, generally rating those capabilities higher than executive management in most areas. And while the findings highlight a troubling disconnect among the three groups surveyed, they also point to opportunities for internal auditors to help bridge knowledge gaps among the organization’s key decision-makers.
Lack of Alignment
Worryingly, most businesses lack alignment around the knowledge and capabilities needed to address risk. Jim Pelletier, The IIA’s vice president, Professional Standards and Knowledge, says that finding should be ringing alarm bells across corporate America. Given that the C-suite is responsible for the day-to-day management of risk and for setting a strategy to cope with those threats, their consistently more pessimistic view of their organization’s capacity to do so effectively is likely to be in touch with the realities on the ground.
“What the report really points out is that internal audit is not playing the critical role it ought to play,” Pelletier says. “Boards should, of course, rely heavily on management, but relying on management alone is incomplete. Boards need to turn to a source independent from management — internal audit — for assurance that the information they are receiving is complete, accurate, and reliable.” While failure to do so could indicate lack of maturity of the internal audit function’s role — the survey found one-third of organizations have no systematic approach to risk management — it also suggests the benefits an independent audit function can bring are not understood by the board.
While IIA surveys confirm that most internal audit functions report administratively to the audit committee, the reality, according to Pelletier, is that many audit committees are shirking their oversight responsibilities and pushing internal audit down in the organization. Boards that allow this to happen, he adds, are missing the critical perspective that a correctly placed, well-resourced audit function can provide.
The OnRisk 2020 report identifies seven key findings that provide insight on respondents’ understanding of risk and their perceptions of how those risks are managed:
- Boards are overconfident because they consistently view the organization’s capability to manage risks higher than executive management.
- Boards generally perceive higher levels of maturity in risk management practices than executive management and chief audit executives.
- “Acceptable misalignment” on risk is a prevalent and dangerous mindset, with some respondents describing such misalignment as “healthy.”
- Some industries are lagging in adopting systematic approaches to risk — particularly in the health-care, retail/wholesale, and public sectors.
- Cybersecurity, data, and new technologies represent critical knowledge deficits.
- Data and new technologies, data ethics, and sustainability risks are expected to grow in relevance.
- Talent management and retention is at the center of future concerns, with the inability to attract and retain business-critical skills emerging as a key risk.
“When the board is clear that it wants a strong, independent internal audit function that can look across the organization and ensure it is getting all of the information it needs for good decision-making, it won’t get that from an audit function that is simply there to take care of complying with the requirements of the U.S. Sarbanes-Oxley Act of 2002,” Pelletier says. “Boards are missing out on the opportunity to leverage internal audit as a tool to help them become stronger.”
Many survey respondents played down the significance of a misalignment in understanding risk among the three groups — often saying it was a healthy state of affairs. The respondents’ ratings of their personal knowledge of each risk were, in fact, closely aligned. But in many areas, their reported understanding of how well the organization could manage risk varied widely.
“I believe it is healthy to look at something through different lenses and assess risk through those different lenses,” says Mark Carawan, chief compliance officer and former chief auditor at Citigroup in New York. Geography, product sets, and legal entities, for instance, can all provide useful constructs through which to consider risk. “But if it is real misalignment, that points to a lack of a proper risk governance framework, common risk taxonomies, a well-articulated risk appetite, and agreed and consistently applied key risk indicators — so you can identify, measure, monitor, report, and control risks in a way that everyone understands,” he says.
Carawan adds that without an effective risk management framework, clear communication among the three groups surveyed is impossible. CAEs can readily assess the state of their organizations’ risk governance framework and its relation to the articulation and measurement of risk through an audit. But the task of understanding how well the whole gamut of risks the business faces is linked to a well-articulated risk appetite is problematic — the world’s business landscape is dynamic and complex, producing new risks regularly. Audit reports must articulate whether the business is on track to meet its strategic goals within the risk appetite.
“That is one of the tough things for an auditor to achieve, because what one does is very focused on the tactical execution of different audit procedures and on producing an audit report,” Carawan says. “The output of the audit doesn’t have anywhere near the impact that it should if it is not linked to the outcome for the organization, the client, and the success of the firm and how it manages risk — particularly in stress scenarios.” Even in audit planning, internal auditors need to make sure they are looking at key risks rather than at the key processes — strategic issues, not tactical ones.
For instance, OnRisk 2020 identifies regulatory change as one of the areas of greatest misalignment in terms of perceived organizational risk management capacity. Only one-third of C-suite respondents feel confident they are doing well in this area, whereas two-thirds of CAEs rate their capability as good.
“The volume of regulatory change can present challenges for many organizations,” Carawan says. “But it’s critical to make sure that it is well-monitored, measured, and reported. In many cases, this is a significant risk area that has been underexplored by the third line of defense.” Boards should have available for review an inventory of regulations mapped onto the organization’s processes and controls, as well as clear metrics for the rate of regulatory change, he says. While government officials announce planned new legislation well in advance, such as Europe’s General Data Protection Regulation (GDPR), the detailed requirements may only appear near, or even after, the legislation actually goes into effect. That means key risk areas likely have not been identified and are not subject to adequate, timely risk management oversight and control — unless the CAE strives to stay on top of regulatory developments.
CAEs surveyed by The IIA predict that, by 2024, the top three most relevant risk areas will be technological (see “Present and Future Risks” below right). The report cites data and new technology, and data ethics, as the fastest rising risks — leaping 18 and 15 percentage points, respectively, in the next five years. “Technology and digital innovation are evolving at a rapid pace — much faster than ever before,” says Christa Steele, a California-based board director on both New York Stock Exchange listed companies and privately owned businesses. “This is a game changer for tried and true business models — it is no longer business as usual. A lot of boardrooms are not current on the pace of industry change, and the same can be said about some C-suites. Yet, all industries are being disrupted.”
In many sectors, competition and technology are changing so quickly that boards simply do not understand what questions to ask, Steele says. The report says this knowledge gap stems in part from a lack of board education, as well as insufficient communication among the three groups surveyed.
“One thing that would be highly valuable for the board to ask the CAE in executive session is to give an overview of his or her thoughts on what the risks look like in the company,” she says. “The CAE has the best visibility with the largest number of boots on the ground to surveil risk. I think the CAE is underutilized right now.” Now that she is working as a board member, Steele adds, she has a greater appreciation for what a pivotal role the CAE can play — not just in overseeing and communicating on risk, but in setting up educational sessions with the board to talk about the wider risk landscape and to use recent news headlines involving poor company decision-making that might provide useful lessons. But her enthusiasm is tempered by a caveat.
“The CAE needs to have a shift in mindset, which is to move away from just reporting past findings and, instead, interpret, predict, and prevent risk,” she says. “If we can get that mindset at the CAE level, at the C-suite level, and at the board level, then we create better alignment.”
For its part, the board also has to step up and make sure the CAE and internal audit have the right people and budget dollars allocated to innovation and the transitional risk oversight caused by new innovation in the business. She agrees with Pelletier that too many boards — and specifically audit committees — are heavily driven by Sarbanes-Oxley in the way they use the internal audit function. To broaden board thinking, Steele says board members need to get educated on the uses of artificial intelligence, data aggregation, predictive analytics, and blockchain and to understand how these technologies impact their company business models. Only then can board oversight encompass the right kind of key performance indicators and key risk indicators.
“I’ve spent a significant amount of time in Silicon Valley working with early- to late-stage startups across a variety of industries,” she says. “This time in my life has forever changed how I think with regard to business operations and digital disruption — I encourage the C-suite, the CAE, and the board to do the same. Communication and transparency are key. Better communication comes from better education and dialogue.”
Cybersecurity ranks as the most relevant risk to tackle by all groups both now and in the future, according to the report. Yet while cyber breaches are a prevalent reality in business life, the threat is as old as the internet itself — so why do businesses say they find it so hard to deal with? The OnRisk survey suggests that, due to a lack of knowledge within the internal audit team, some CAEs rely too much on assurance from the chief information security officer that controls around cyber risk are sound. It is an explanation that Dominique Vincenti, global head of internal audit–chief audit executive at Uber in San Francisco, does not accept.
“Knowing what to do in this field has been understood for years,” she says. “CAEs are well-equipped with lots of robust frameworks — such as the [U.S. National Institute of Standards and Technology (NIST)] Cybersecurity Framework and the Sender Policy Framework for email — to help them ask the right questions. It is the topic most written about with the most guidance available, so there is really no excuse. That’s why I call it negligence.”
For Vincenti, cyber risk should be no harder to understand than legal risk, because she does not see it as the CAE’s job to be a subject-matter expert in anything other than risk management. As risks evolve and become more complex, it is up to the CAE to continually restructure his or her team with the right skills and expertise. For the CAE, she says, the question should be, “Am I building the team I need to do the job in today’s context?” Addressing the talent management issue identified by the survey requires internal audit leaders to think more laterally about the staff they hire.
Like Steele, Vincenti says the crux of the problem is that many boards, C-suite executives, and CAEs have not caught up with the fundamental structural change digitalization implies — especially in areas such as third-party risk where problems need to be reframed. “For me, when people talk about third-party risks, it shows me that they are already 10 years in the past,” she says. “We are not dealing with third parties anymore — we are working in ecosystems and on platforms where we are interconnected and interdependent. The problem is we are often employing old tools to deal with these new constructs, which makes it very difficult to manage today’s risks effectively.”
She accepts it is not always easy to get such messages across and has had personal experience failing to convince boards and C-suites to act on emerging issues in previous roles. In one organization, she repeatedly told management that it needed to care more about data privacy and was repeatedly ignored. Later, when preparing for GDPR, the company found its data privacy processes to be relatively poor. She jokes that she felt like the ancient Greek seer Cassandra who warned the Trojans not to accept the gift of a giant wooden horse — it was secretly packed with heavily armed Greek warriors — because it would lead to the sacking of the city of Troy. But she sees providing foresight as a critical role for internal audit to play and devotes one-third of every executive meeting to emerging issues — often repeating the same material if she thinks inadequate action has been taken.
Time to Act
The world may have changed radically over the last few decades, but the need for effective risk management has not. If the corporate governance model is to work well, CAEs need to play their part more effectively. They not only need to understand today’s business environment, build the right audit teams, and use cutting-edge tools to deal with complex and interconnected risks, but they also must be outspoken and resilient enough to press their organizations to act on the emerging threats on the horizon.
While there is work to do, the paths that each of the three groups surveyed in the report must follow are relatively clear, according to those interviewed. Communication on risk must be clear and unambiguous, underpinned by an effective risk governance framework. The C-suite needs to bring the CAE’s team in early on key strategic issues. The board needs to make sure the internal audit function is well-resourced to deal with strategic risks and innovation, rather than relegating the department to play only a compliance role. Perhaps many people in corporate America already thought the way business leaders communicate and act on risk within their organizations was out of kilter. The OnRisk 2020 survey provides the objective evidence that such misalignment on risk is real. It is time to act on that knowledge.