One of the persistent challenges internal auditors face is
finding alignment with stakeholders on the risks that most threaten their organizations.
For many years, I have written about the importance of building relationships
with those we work for and with to nurture communications that support alignment.
Indeed, the most common advice I’ve offered to chief audit executives (CAEs) over
the years is “know what is keeping our stakeholders up at night” and “follow
A recently published report from Protiviti and the North
Carolina State University ERM Initiative helps shed light on that alignment (or
Perspectives on Top Risks: Key Issues Being Discussed in the Boardroom and
C-suite (PDF) examines risks facing organizations in 2021 and beyond as seen by a
wide variety of respondents, from board members to every position that makes up
the C-suite, including CAEs.
Two key takeaways from the report offer a good news/bad news
scenario. First, the good news: There is encouraging uniformity across the
respondent mix about the No. 1 risk facing organizations in 2021 — the impact
of COVID-19-related policies and regulations on business performance. The bad
news: That’s where the consensus ends. While this is not ideal from an ERM
perspective, it is useful in building awareness of the critical need for
For example, the second-highest-rated risk as identified by
CAEs — managing cyber threats — does not show up in any of the top five risks
for CEOs, chief financial officers (CFOs), or chief risk officers (CROs). That
is not to say cyber doesn’t continue to be a top risk, coming in at sixth
overall. However, it is significant that, among C-suite respondents, only CAEs view
it among the top five risks in 2021.
CAEs’ focus on cybersecurity also is reflected in the upcoming
2021 North American Pulse of Internal Audit report. Cybersecurity, in fact, has
ranked as the highest-rated risk among Pulse respondents every year from 2016 through
2020. It is important to note that the survey for this year’s Pulse report was conducted
in October/November, reflecting the significant influence of the pandemic on
CAEs’ overall risk assessments. Yet, the Pulse data also shows that
cybersecurity as a percentage of audit plan allocation remains a lower
priority, ranging from 6% to 8% over the same five-year period.
So, what are the more significant risks on the minds of our
stakeholders? Two additional risks made the top five for boards, CEOs, and CFOs
in the Protiviti/NC State report: Economic conditions in markets may
significantly restrict growth opportunities, and market conditions imposed by
the pandemic may impact customer demand for products and services.
I should note that the survey grouped the 36 risks rated by
respondents into three broad categories: macroeconomic, operational, and
strategic. That also offers insights into how each respondent group views risk.
For example, CEOs and CFOs rated three macroeconomic risks among their top five,
while three of the top five CAE-rated risks were operational. Additionally,
both CEOs and CFOs included one strategic risk — risk involving the pandemic’s impact
on consumers’ demand for products and services. CAEs did not include any
strategic risks in their top five.
However, we should take heart that the three nonstrategic
risks that show up in the boards’ top five matched those of CAEs, although not
in the same order.
The Protiviti/NC State report is rich with data and provides
voluminous analysis. In addition to the comparison of risk views for 2021,
respondents also were asked for their longer-term risk views (2030). What’s
more, the report provides analysis by organization size, industry, geographic
region, and public versus nonpublic. I encourage all my readers to download the
free report and delve into the details.
One of the report’s key observations offers an important insight
that all risk management players should understand and take to heart:
“The results reflect how different
roles assess risks differently in different environments and economic periods,
and emphasize the critical importance of bringing numerous stakeholder
viewpoints to bear in risk discussions. It is of paramount importance that both
the board and the management team engage in dialogue regarding the critical
enterprise risks, given the different perspectives each brings to the table and
the potential for a lack of consensus. Without clarity of focus, the executive
team may not be aligned with the board on what the top risks are. Worse, they
may not be appropriately addressing the most important risks facing the
organization, thereby leaving the organization potentially vulnerable to
certain risk events.”
The still-raging global pandemic provides two important
lessons in relation to risk management: It has alerted most organizations to
weaknesses in controls and crisis management planning, and it has heightened
awareness of the value of risk alignment. CAEs would be well-served to examine
the views of stakeholders in the Protiviti/NC State report and leverage the
insights to improve risk alignment in their own organizations.
While all of this information provides valuable insight into
the state of alignment in how internal audit and its stakeholders view risks,
it doesn’t really help with one of the most significant challenges internal
auditors face: How are we to follow the risks if everyone is pointing in a
different direction? I believe there are three keys: communicate, communicate,
communicate. When internal auditors see disparity in how risks are being rated
by internal audit’s stakeholders, we should speak up and speak out. We must be
courageous enough to alert board members and management when their perspectives
on risks facing the organization diverge.
We may not have all the answers, but we are ideally
positioned to ask the questions. To blindly undertake our own risk assessments
and craft our own audit plans without questioning why we see risks where others
don’t is a perilous course. We must be the voice our organizations need to
Once we have highlighted the differences in views, we should
offer an audit plan that addresses the risks most crucial to our organizations.
There will be risks addressed on the audit plan that may not be high on the
board’s or management’s radar. But such areas of focus should be clearly
understood and not the product of silence or miscommunication.
As always, I look forward to your comments.