An interesting question came up today during the COSO Workshop. This session (ably led by James Roth and Don Esperson [who always ably lead anything they lead]) focused on the new COSO Internal Control – Integrated Framework. (Quick aside. I've now been exposed to two different presentations the IIA has to offer on this subject – the three-hour and two-day versions. They are both extremely valuable, providing guidance on how your organization can either get started or help ensure the adequate implementation of the COSO Internal Control approach. This has been an unpaid, unsolicited endorsement. Honest, I just like what I've seen so far.)
Each table was given 1 minute and 47 seconds (I may have the actual number of seconds incorrect, but it was close to this) to answer two questions. One: Identify a significant risk to organizations that didn't even exist five to ten years ago. Two: Identify a risk that, while barely apparent at this point, might be significant in the next five years.
Well, predicting the future can be a fool's game, and this exercise proved it once again. No, not that we shouldn't be trying to figure out the next great risk; it just showed how difficult it is to do so.
However, I noticed another interesting thing. When it came to the risk that wasn't apparent five to ten years ago, people were able to come up with clean, concise, limited-word answers – social media, big data, increased regulatory scrutiny. Phrases that, within a few words, conveyed a significant new risk all organizations were learning to grapple with.
The second question was a little trickier. As I said, it is often difficult to figure out what the future is, but I also noticed that such a future cannot be expressed in a few words. I don't remember the exact responses individuals provided but, in every instance, the answer was more of an explanation than a pithy phrase.
And there's the difference – the known versus the unknown. If five to ten years ago we had been asked what new risks might be coming, then the phrases "social media" and "big data" would not have rolled so liltingly off our tongues. (Okay, increased regulatory scrutiny might have been there, but let's not get too picky.)
Let me give you a quick example. In 2010 when I gave my first presentation about potential risks related to social media, the title of the presentation was "Social Networking: Risks for the Company; Opportunities for Internal Audit". The concepts, the issues, the risks were still being developed and we were using the phrase "social networking" where the phrase "social media" would soon take hold.
Similarly, we do not have an agreed-upon vocabulary to discuss the future risks.
And I think that is a key point about trying to play that fool's game. Unless we are willing to talk about those future risks – stumbling around what we are trying to say and manufacturing phrases as we speak – we will have trouble coming up with the necessary, new vocabulary. By having those conversations, by being willing to stumble and stutter towards revelation, we gain a better understanding of that risk. And, eventually, that new risk will have a name we can all agree on.
And by then we should be talking about the next new risk – all in an effort to keep ahead of the curve.
And there you have the challenges that we face in determining the unknown risks of the future. Battle one is trying to understand what they might be. Battle two is coming up with quick, concise ways for us to describe them. And battle three is ensuring the receivers of our message understand that new vocabulary – understand the risk we are talking about.
Then again, is this any different than anything else we face in internal audit – trying to get people to understand our message?