Last year’s inaugural OnRisk report from The IIA — A Guide to Understanding, Aligning, and Optimizing Risk — compared and contrasted the perspectives of boards, management, and chief audit executives (CAEs). It was designed to show how well-aligned their attitudes and thinking are in their assessment of top risks, and how they rank their knowledge of these risks and their organizations’ capability to manage them. The recently released OnRisk 2021 includes views on risk relevance as a factor in measuring alignment among the three stakeholder groups. And it has produced some interesting findings.
Qualitative interviews with 30 board members, 30 executives, and 30 CAEs from 90 organizations, plus an additional 348 responses from quantitative surveys of CAEs, identified key risks ranging from cybersecurity to business continuity, and include third-party risk management, organizational management, data governance, disruptive innovation, culture, and talent management.
On the plus side, this year’s survey shows improved alignment regarding the knowledge and capability in understanding and managing these key risks. This was due in no small part to organizational responses to COVID-19, which required renewed risk assessments and more frequent communication and collaboration among risk management players.
“This report gives a very good indication of the key risks that are on every board’s risk agenda — or ought to be,” says Raquel Marin, deputy controller of internal controls and compliance at Columbia University Irving Medical Center in New York.
Out of Sync
Expectedly, due to the pandemic, more than 80% of respondents say business continuity and crisis management is the most relevant risk for 2021, but only around 55% are highly confident in their organization’s capabilities to handle the risk, based on a 7-point scale where 7 is “extremely capable.” Just half ranked their personal knowledge of the risk near or at the top of the scale. Sharper differences appear when the responses from the three groups are broken down: While close to nine out of 10 board members and CAEs ranked business continuity and crisis management as highly or extremely relevant, only six out of 10 C-suite members identified it as such.
There are similar disparities regarding other key risks. For example, while 80% of respondents identify cybersecurity as the most relevant risk to their organizations, just 45% ranked their organization’s capabilities at or near the top of the 7-point scale. What’s more, only 30% gave themselves similar marks for having the necessary knowledge to mitigate it.
Management sees organizational governance as a less relevant risk than boards and internal audit. Data governance, economic and political volatility, and sustainability also show wide gaps. Furthermore, CAEs say these are the risk areas where they are least likely to provide assurance going into 2021.
Talent management and disruptive innovation also emerged among the most relevant risks, yet C-suite respondents gave their lowest ratings to personal knowledge and organizational capabilities related to those risks. Collectively, knowledge of how to manage talent management risks is rated at just over 40%, and capability sinks to 30%, with the percentage based on the number of respondents who assigned a 6 or 7 rating on the 7-point scale.
Generally, C-suite respondents assigned lower relevance rankings to all risks examined in the report, demonstrating that their views are not in sync with those of their CAEs or their boards. In fact, the only risk areas where relevance, knowledge, and capability are broadly aligned relate to board information and third-party risk management.
Findings also suggest some worrying shifts. Both qualitative and quantitative data compiled as part of the survey suggests that truly independent assurance often is lacking, and that the sources of assurance are typically inconsistent. Leaders generally say the level of assurance they get is satisfactory, regardless of where it comes from or how independent it is.
While internal audit coverage of key risks is considerable, it is far from complete, the survey finds. Although CAEs report that they provide assurance for each of the 11 key risks examined, the level of assurance provided drops dramatically beyond cybersecurity, third-party risk management, business continuity/crisis management, and data governance. CAEs report minimal assurance services in the areas of economic and political volatility and disruptive innovation, both of which are rated higher in relevance by the group.
While the key risks raised in the report might be the right ones, commentators also point out that no organization planned for the risks to have the impact they have had or predicted the way in which they have occurred. For example, with cybersecurity, organizations thought they would suffer hacks or data breaches — not have to ensure that everyone could work safely from home. Similarly, the risk of business disruption probably related more to immediate shocks such as power outages and flash floods, rather than total supply chain failure for weeks and months due to regional lockdowns. Economic and political volatility, meanwhile, probably related more to Brexit and trade wars with China than a looming global recession that could last years. In short, organizations prioritized the right risks but failed to plan or recognize their impact. And the fact that there is a divergence in thinking between management on one hand, and CAEs and the board on the other, could spell trouble for some organizations.
The nature of some key risks is evolving to such an extent that they do not resemble what they looked like just a few years ago, says Jason Stepnoski, internal audit manager at vision care health insurance company VSP Global in Rancho Cordova, Calif. Cybersecurity has been a key risk for organizations for more than a decade, but it does not mean that auditors are dealing with the same aspect of cyber risk year after year, he says. “There are a lot of different aspects to these particular risks. The pandemic, for example, raises new risks and challenges in terms of managing cybersecurity, not least the security issues around employees working from home on their own, nonauthorized devices.”
Christa Steele, San Francisco Bay area-based board member at Brainchip Holdings, OFG Bancorp, Recology, and Tanimura & Antle, says the latest survey highlights that organizations may have these risks high on their agendas, but that no one can plan for everything even when these risks occur. “No one thought that the nature of technology risks would relate to a pandemic that has seen companies change their IT infrastructure to facilitate remote working, or that cybersecurity risks would occur around forced home working instead of hacks and accidental or malicious breaches,” she says.
Organizations’ assessments of the key risks they face are only half right, according to Houston-based Marcela Donadio, a board member of Marathon Oil Corp., National Oilwell Varco Inc., and Norfolk Southern Corp. While companies have identified the risks that are most likely to affect them, they have undervalued their potential impact both in the short and long term. For example, she says, while the survey underscores that business disruption, as well as economic volatility, are deemed to be major risks, the events this year have shown how calamitous these risks can be. She also says that the scale of the effect of these particular risks on organizations this year is much larger than almost any business could have anticipated.
“Business disruption or a global recession due to a pandemic is unlikely to have been on anyone’s risk register before March,” Donadio says. “No one thought that we would be facing persistent lockdowns in multiple countries or jurisdictions at the same time for over a year.” As a result, she says, organizations now need to consider not just which risks are the most critical, but how disruptive they could be, how long they could last, how much they could cost, and in what scenarios they could occur.
The Roots of Misalignment
The risk management process is less than perfect, Donadio says, especially when it comes to identifying how probable high-risk events might be and what their impact could be. “I don’t believe that the risk management process has been proven to be successful in either predicting these kinds of high-risk/low-probability events or particularly good in suggesting measures to mitigate them,” she says. “The survey finding that management takes a different view from the CAE and the board about risk relevance makes this a particularly troubling issue.”
Several other experts also have raised concerns over the misalignment between management on the one hand and the more in-sync boards and CAEs on the other.
Mark Carawan, former chief compliance officer at Citigroup and a senior fellow at the New York University School of Law’s Program for Corporate Compliance and Enforcement, says it is alarming that management in the study is not as aligned as it could be with boards and CAEs on their perceptions of risks.
“You have to question the effectiveness of the governance process when risk perceptions are dramatically divergent between boards and internal audit on one side, and management on the other,” Carawan says.
Chief among the questions that internal auditors need to ask, says Carawan, are whether internal audit is communicating the risks to the business and the board consistently, especially if management persists with very different views about how serious these risks are, and what actions should be taken. He also says that internal audit needs to ask if boards are being clear regarding the risk appetite, and whether they are doing enough to hold management accountable over how they manage risks in light of the agreed risk appetite.
Janne Farias, vice president, enterprise risk management, at asset management firm Beutel Goodman in Toronto, says that misalignment may stem from the problem that boards don’t always ask the right questions of management. “Some board members are reluctant to put managers on the spot, especially if they don’t have the relevant industry experience,” she says. “But if they don’t challenge management, how are boards going to get the necessary level of assurance?”
Stepnoski says the reason behind this level of misalignment is that each of these three groups sees risk from different perspectives. However, he acknowledges that misalignment is a problem and that CAEs need to address it. “Internal audit needs to check where there may be areas of misalignment and review the processes about how risk information is generated and how it is communicated to management and the board,” he says. “Are they receiving the same information at the same time? Do they need more context? Is the information incomplete? All of these questions need to be explored.”
Because the pandemic may have changed the risk landscape going into 2021, some experts have concerns about which risks do not appear in the list of key risks. For example, Liz Sandwith, chief professional practices advisor at the Chartered Institute of Internal Auditors–UK and Ireland, says climate change may come under the banner of sustainability and even business disruption, but it is too big an issue not to be talked about in its own right.
Another risk that is going to become much more important in early 2021 is regulatory oversight, she says. “By and large, regulators have scaled back their monitoring and have indicated that they will take a more pragmatic approach to enforcement, but that is not going to go on forever. There are likely to be many examples of poor corporate governance that are going to catch the eyes of regulators in the coming months, and internal auditors need to be prepared for that,” she says.
Carawan says the one risk that should be added to the list is whether the pre-COVID-19 business models are financially viable and sustainable. “It seems impossible as we look ahead to a post-COVID world to not consider whether an organization can actually stay in business under its previous business model,” Carawan says. “All over the world, jurisdictions are going back into some form of restrictive measures that naturally affect the workforce and supply chains and production, slowing economic recovery.”
In addition, Carawan says organizations also need to ask whether there is a possibility that the current business model could fail and whether the way the organization does business can survive another year of similar restrictions.
Minding the Gap
There is no doubt that COVID-19 has changed the risk landscape for organizations. It is likely to make the impact of most of these key risks more deeply felt, so it is paramount that CAEs examine why boards and management are coming away with very different views on the risks to the business from the assurance they are providing, and work out ways to address such misalignment before the gap further widens.