As we enter the fourth quarter of a historically difficult and disruptive year, internal audit leaders around the world are looking to next year with some degree of trepidation. If the COVID-19 pandemic has taught us anything, it is that new risks can emerge at lightning speed and have profound impacts on our organizations and lives.
Finding some perspective on what the risk landscape will look like in 2021 poses a challenge, particularly because the pandemic continues to rage in many areas of the world, and there are continuing warnings about a second and possibly third wave of the deadly virus. Happily, Risk in Focus 2021: Hot Topics for Internal Auditors provides some valuable insights to lead us into the coming year. The annual report was published last month by the European Confederation of Institutes of Internal Auditors (ECIIA).
Not surprisingly, the ECIIA report addresses the expansive impact of the pandemic on numerous risk areas, from health and safety to cybersecurity to sustaining going concerns. Yet, internal audit leaders, audit committee chairs, and subject matter experts interviewed and surveyed for the report rated the top two risks for 2021 — cyber and data security, and regulatory change and compliance — the same as for 2020.
This is not to say the pandemic hasn't altered the risk landscape. Indeed, data showed a sharp increase in the number of respondents who identified health and safety; financial, capital, and liquidity; climate change and environmental sustainability; and human capital and talent management, as top risks.
While ranked as a top-five risk by a comparatively smaller percentage of chief audit executives (CAEs) surveyed, health and safety still rose dramatically, from 10% in 2020 to 17% in 2021. I believe this suggests respondents are worried about the uncertainty of the pandemic's lingering effects as well as the safety challenges of trying to bring part or all of the workforce back to traditional work sites.
The work-from-home phenomenon also contributed new wrinkles to talent management risks, as it has fundamentally changed how organizations and workers view the employment contract. As the report notes:
"New ways of working and organising personnel were already underway in recent years, with a trend towards more flexible working arrangements and greater autonomy as generational attitudes to work shifted. By forcing remote working almost instantaneously, the pandemic accelerated that gradual evolution.
Among the other major business trends fast-tracked by the health crisis is the competitive advantage afforded to companies with exemplary digital capabilities, heightening pressure on competitors to raise their game. This will mean hiring from an already highly competitive digital talent pool. Meanwhile, social equality and diversity issues were at the centre of public debate in 2020, which has brought companies' ethics, staffing policies and racial and gender representation into sharper focus than ever."
The complexity of this risk and its intersecting impacts on strategic priorities, such as digital transformation, disruptive innovation, and diversity, will make it particularly perplexing moving forward.
The pandemic's calamitous impact on the global economy boosted concern about financial, capital, and liquidity risks to near the top of the list. The number of audit leaders who listed it as a top-five risk jumped from 30% in 2020 to 42% in 2021 — the largest increase of any of the risks examined. This promises to continue to be a particularly thorny issue as economic instability and the distinct possibility of global recession threaten the financial viability of many organizations.
While not as dramatic, climate change and environmental sustainability also saw a sharp increase, with the number of respondents rating it as a top-five risk growing from 14% in 2020 to 22% in 2021. Only 8% of CAEs saw it as a top-five risk in 2019.
Another powerful insight provided by ECIIA's Risk in Focus 2021 is how top-five risks relate to where internal audit is focusing its efforts. The data points to some potential trouble spots. While internal audit spends considerable time focused on the top two risks — cyber and data security and regulatory change and compliance — it also spends significant time on corporate governance and reporting as well as bribery, fraud and other financial crime.
As the COVID-19 marathon continues to reshape the risk landscape, internal auditors must be keen to the changing needs of the organization and pivot to address those quickly and effectively. Reports such as Risk in Focus 2021 provide valuable and timely insights to help us remain focused on how best to serve our stakeholders and add value to our organizations.
As always, I look forward to your comments.