For Clients, Drive-by Audits Feel Like a “Hit-and-Run”
September 12, 2023New PwC Report Offers Insights and Optimism for Internal Audit’s Future
September 20, 2023In a recent blog for AuditBoard, I observed that the world has seemingly entered “a state of persistent crisis, with no sense of how we’ll escape.” Some call it a “permacrisis,” an “extended period of instability and insecurity.” For internal auditors and risk managers, a permacrisis means we can no longer simply assess and monitor the clear-and-present risks facing our organizations. We must constantly scan the horizon for risks that seem to emerge out of thin air.
Such emerging risks are potential threats or challenges that may be evolving or are apparent but not yet fully materialized or widely recognized. They have the potential to impact businesses, industries, governments, and society as a whole. As the Institute of Risk Management (IRM) noted in the report An Introduction to Emerging Risks and How to Identify Them:
“Emerging risks may arise and evolve quickly, unexpectedly, or both. The emerging risk may never happen at all. Emerging risks may have a massive economic loss potential at a macro level for society and subsequently may impact charities (and other organizations) directly or indirectly. . . .
“A new risk in a known context: Risks that emerge in the external environment and impact the organization’s existing activities. For example, you were aware that regulations relating to your activities will change next year.
“A known risk in a new context: The management of a risk may need to change if you venture into a new activity. For example, your charity already works with vulnerable adults and decides to start running a crèche for the children of employees and volunteers by the end of their current strategy.
“A new risk in a new context: Risks not previously considered because the risk is new to the organization.”
Over the past two years, I have lectured on a number of approaches to identify emerging risks. Recently, I began sharing the PESTLE model, which leverages a systematic, strategic, and collaborative approach to identifying potential emerging risks. It can be used to analyze and evaluate external macro-environmental factors that can impact operations and decision-making.
PESTLE stands for Political, Economic, Social, Technological, Legal and Environmental factors, and it helps organizations identify and understand various forces and trends, including:
Political Factors: This may include the political landscape and government actions that may affect your organization. Look for emerging regulations, changes in leadership, geopolitical tensions and other political developments that could pose risks or opportunities.
Economic Factors: Economic conditions will almost certainly impact your business. Look for emerging economic trends, inflation or recession, currency fluctuations, trade policies, and other factors that could affect your industry or market.
Social Factors: Societal and demographic changes may influence your business. Consider emerging consumer preferences, cultural shifts, social trends and issues related to health, education and lifestyle.
Technological Factors: Technological advancements and innovations are impacting virtually every industry. Focus on emerging technologies, automation, data security threats, and other tech-related risks or opportunities.
Legal Factors: The legal and regulatory environment will likely impact your business. Identify emerging laws, regulations, compliance requirements and legal challenges that could affect your operations.
Environmental Factors: Environmental factors and sustainability issues are affecting organizations around the world. Look at emerging environmental regulations, climate change impacts, resource scarcity and other environmental risks.
As I noted, a PESTLE analysis involves collaboration. That’s why I recommend that risk managers and internal auditors undertake the process jointly. The following approach can yield valuable insights:
- Step 1: Identify and gather key stakeholders who have perspectives/insights from a PESTLE perspective. In larger organizations, separate sessions may be needed to focus on individual PESTLE elements.
- Step 2: Gather and share external research and insights, news, industry reports and expert analysis on current and emerging PESTLE risks.
- Step 3: Facilitate a joint meeting to gather PESTLE insights from participants. Encourage interactive conversation to foster consensus.
- Step 4: Summarize the outcomes of PESTLE collaboration sessions and share results with participants.
- Step 5: Receive feedback and revise the inventory of emerging risks.
- Step 6: Include emerging risks in a continuous risk-monitoring framework.
Also, when conducting a PESTLE assessment for emerging risks, it’s essential to keep the following in mind:
- Stay informed: Continuously monitor news, industry reports and expert analysis to identify emerging trends and issues in each of these categories.
- Scenario planning: Use insights from your PESTLE assessment to develop various scenarios that outline how emerging risks could play out and their potential impacts on your organization.
- Risk mitigation: Develop strategies and action plans to mitigate the identified emerging risks. This may involve regulatory compliance, strategic adjustments, investments in new technologies or other proactive measures.
- Adaptability: Build organizational resilience by fostering a culture of adaptability and flexibility, allowing your organization to respond effectively to emerging risks and opportunities.
A well-executed PESTLE assessment can help your organization anticipate and proactively address potential challenges, positioning it to thrive in a rapidly changing business environment.
I welcome your thoughts on the PESTLE analysis approach, especially your insights or experiences using this or other methodologies. Please share them with me on LinkedIn or Twitter. Or, drop me an email at blogs@richardchambers.com.
I welcome your comments via LinkedIn or Twitter (@rfchambers).