Somewhere around 2009, when the “Great Recession” had
reached its nadir, the most-high muckety-mucks that oversaw global internal audit
operations for our parent company determined it was an excellent time to
complete a focused risk assessment. Properly executed, a focused risk
assessment can be a very good thing. However, this particular focused risk
assessment was focused on the potential impacts of (wait for it) a recession. More
than a year after the recession had started, they felt it was important to work
through the various operations and functions within the organization and determine
the risks and potential impacts that could occur as part of a recession.
I am not making this up.
It seemed to us to be a
little like closing the barn door after the horse had left the stable, the
stable had burned down, and the farm had been repossessed. (In fact, we suggested
a better risk worth pursuing was determining if the organization was prepared
for the turnaround that had to occur at some point. But deaf ears prevailed.) The
mandate had come down that it be completed. So, we added it to the ever-growing
list of projects completed for no earthly reason and completed the work that
was required. I have no idea how (or if) the information was ever used.
I believe audit departments are currently facing a somewhat
similar situation related to cybersecurity. That is not to say that cybersecurity
is no longer a significant risk, nor that an evaluation of cybersecurity is not
an important part of any risk exercise. But I am afraid that we have become so
enamored, enchanted, and enraptured by the siren call of cybersecurity that we
are forgetting there are new risks coming over the horizon that may well
blindside our organizations and our profession.
In hockey, there is a phenomenon called “getting caught puck
watching.” (And, yes, I’m from Arizona. And, yes, it is a desert. And, yes,
there are a large number of us desert rats that are rabid hockey fans. The
toughest part is trying to remember to wear a coat to the rink when it is 90
degrees outside.) “Puck watching” occurs when the team on the offense is storming
the net. Everyone on defense is so focused on ensuring the puck does not enter
the net (the current threat/risk) that they lose sight of another player from
the offense (the new threat/risk) coming in on open ice. The puck is passed back
to the new attacker who shoots a one-timer and buries the puck in the net.
Cybersecurity represents a likely opportunity for us to be
caught puck watching. Yes, we have to be aware of cybersecurity risks and help defend
against them. But we also have to be ready for that other player — that new
risk — that is sneaking in while we are distracted.
What types of risks? Well, I am not the best at prognostication
(I once predicted that the internet was a fad and would never catch on … oops), but
let me throw out a couple of risks I think may be coming down the pike — areas that
may or may not be the next big risks, but could blindside us if we keep
focusing on the risks we already know about.
The first one, interestingly, is related to the story I told
at the top. What steps is your organization taking to be prepared for the next
economic downturn? Now, I only ever learned enough economics and finance to get
me through the classes that got me my accounting degree (and don’t even ask about
grade point averages), but I do know that, no matter who is in power, there is
a cycle to these things. And I also know we are starting to see indications of
a slowdown. Ignoring those risks is why so many organizations took so many
baths back in the Great Recession. And, while I do not believe the next
downturn will be as significant, the organization that is not prepared — the
organization that is not considering and taking precautions against such an
eventuality — will find its outcome to be just as detrimental as those
experienced by long-lost organizations from the late 2000s.
The second issue is climate change. Let me start by saying
that the world is not flat, man landed on the moon, and climate change is real.
I am not here to argue that point. There can be some debate as to true cause,
but change is happening. Yet, I have seen next to nothing regarding the way
organizations will handle the risks associated with this potentially
It is going to be a big deal. Even here in the States, where
for the last couple of years many in charge have cast stones at anyone who would
suggest climate change is real, the government’s own U.S. Global Change Research
Program released an assessment of impact, risks, and assessments related to
climate change. And it had a lot of nasty warnings. (I won’t go into all the
details; you can read that report here.)
From a risk perspective, it is unconscionable for anyone
whose responsibilities include risk assessment and management to ignore the
potential impacts of climate change on their organizations. Even if you don’t “believe
in” climate change (and I’m not going to go into a debate regarding those who
say they don’t “believe in” scientific facts), there is enough smoke associated
with this particular fire to make it almost mandatory for anyone in risk
management to become involved.
And, related to the climate change issue, someone charged
with assessing and managing risk should also be looking into what the organization
is doing, in a broader context, about climate change. Reputation and brand risk
continue to be at the forefront of any executive's watch list. And, as the
potential impacts of climate change become reality, all stakeholders will begin
asking what the organization was and is doing. For the organization that sits
back and does nothing in this arena, there may be consequences.
Cybersecurity is a big risk. But we have spent so much time responding
to that gardyloo that we may have quit looking toward the future. Boards want
us to look at cybersecurity. Executives want us to look at cybersecurity. Stakeholders
want us to look at cybersecurity. And part of our job is keeping up on that
But part of our job is also helping them see where the next attack
might come from.