Back in 2009, I blogged on the fact that many audit committees expected internal audit to help them avoid surprises. I concluded that whether it was fair or not, it was an expectation we needed to recognize. Since then, risks have become more dynamic and unpredictable. Given the environment in which new risks emerge from seemingly nowhere, it shouldn’t surprise us that “no surprises” is still an expectation.
Internal auditors have become increasingly effective in assessing traditional risks; however, the ability to identify and assess emerging risks presents new challenges and requires even greater proficiency. Emerging risks are the newly developing risks that cannot yet be fully assessed but that could, in the near future, affect the viability of our organizations’ strategies and business models. These risks have no track record, so despite the fact that our risk assessment techniques are becoming more sophisticated each year, new and emerging risks are still the most difficult risks for us to identify and quantify.
Too often, traditional risk assessment techniques can miss these risks completely. Even the biggest game-changing risks can be hard to spot until after they have resulted in disastrous consequences. A decade or two ago, regulations such as the U.S. Foreign Corrupt Practices Act or the more recently enacted U.K. Bribery Act were largely ignored by most audit groups. Risks involving cloud computing were not yet even being contemplated. There was no global liquidity crisis, and relatively few city governments were in severe financial distress. Organizations that were not positioned to respond rapidly to these changing conditions often were destined to pay a high price for the oversight.
It might seem that because emerging risks can have such a devastating impact, they would receive significant attention and resources from management. In reality, the opposite often is true: Emerging risks are the ones not yet on management’s radar, and there can be a natural tendency to avoid dealing with risks that have not yet materialized. When we are fully involved in addressing today’s problems, it is tempting to ignore the problems of the future: As the old saying has it, “Do not worry about tomorrow, for tomorrow never comes.” In reality, however, tomorrow really will come, and it is the ability to predict problems before they happen that audit committees most value in chief audit executives. We not only need to worry about tomorrow, but we also need to develop a keen understanding of what might happen tomorrow even in relatively unlikely scenarios.
Emerging risks can arise from any direction — internal or external to the enterprise — so “no surprises” means that internal audit must have broad peripheral vision to anticipate risks from new or unexpected sources. Identifying and assessing these risks requires us to think creatively. Merely updating last year’s risk assessment simply won’t do: We must truly look at the organization’s goals, objectives, and operations with a fresh eye, constantly asking, “What could keep us from accomplishing this as intended?”
Often internal auditors try to assess emerging risks using “risk assessment by walking around” techniques, in which we ask management what it sees as its new risks. But while the technique can be highly effective in identifying ongoing internal risks, management is all too likely to be blindsided by risks arising outside the organization. Is a potential new competitor planning to enter our markets? Might a geo-political development or environmental disaster strike a key supplier or customer? Understanding and predicting such potentially game-changing events necessitates heightened awareness of changing conditions. We need to be able to assess the potential impacts and the interconnectedness with other risks even before the risk has fully materialized.
The job is not an easy one. We must become students of the global economic and geo-political environment and stay informed about industry trends and the regulatory landscape. We must know what drives corporate performance and understand the factors that might hinder accomplishment of goals. We must develop better risk analytics, and we must evaluate how emerging risks are incorporated into strategic plans. We must be able to look into the crystal ball of “what if” scenarios and spot potential opportunities before they have passed us by, because the only way to assure our audit committees receive no surprises is to keep them informed of potential events even before they take place.